Public Key Infrastructure Basics
41 Questions

Questions and Answers

What is the primary function of a Registration Authority (RA) within a Public Key Infrastructure (PKI)?

  • They are responsible for generating and managing private keys for users.
  • They directly issue digital certificates to requesters.
  • They are responsible for revoking digital certificates that have been compromised.
  • They act as intermediaries, handling Certificate Signing Requests (CSRs) on behalf of the Certificate Authority (CA). (correct)

What is the fundamental purpose of a Certificate Signing Request (CSR) in the process of obtaining a digital certificate?

  • To provide a digital signature for the applicant's website.
  • To create a secure communication channel between the applicant and the Certificate Authority (CA).
  • To encrypt the applicant's private key for secure storage.
  • To enable the Certificate Authority (CA) to verify the applicant's identity and public key. (correct)

Which of the following is NOT a function performed by a Certificate Authority (CA) within a Public Key Infrastructure (PKI)?

  • Generating public/private key pairs for users who request certificates. (correct)
  • Establishing trust in the PKI by signing and issuing digital certificates.
  • Validating the identity of applicants requesting certificates.
  • Maintaining a revocation list of compromised certificates.

What would be the consequence of a Certificate Authority (CA) being compromised?

The entire Public Key Infrastructure (PKI) beneath that CA would be compromised: whoever holds the CA's private key can issue certificates for any identity, so nothing signed by that CA can be trusted.

What is the primary reason a web browser checks the validity of a digital certificate issued by a Certificate Authority (CA) when a user visits a website?

To confirm the authenticity of the website and the identity of the website owner.

What is the purpose of a Certificate Revocation List (CRL)?

To list compromised or revoked digital certificates so that relying parties know not to trust them.

During the process of obtaining a digital certificate, what step immediately precedes the signing of the Certificate Signing Request (CSR) by the Certificate Authority (CA)?

The Certificate Authority (CA) validates the applicant's identity and the information provided in the CSR.

What role does the authenticator play in the 802.1X authentication process?

It serves as the intermediary that communicates between the supplicant and the authentication server.

Which of the following best describes the function of an Access Control List (ACL)?

It determines whether incoming or outgoing traffic is allowed or denied based on defined rules.

During the 802.1X authentication process, what type of traffic is allowed before the client successfully authenticates?

Only EAP over LAN (EAPOL) traffic.

What is primarily responsible for validating authentication requests in the 802.1X framework?

The authentication server, typically a RADIUS server.

What is a significant component of the security rules in a network environment?

Access Control Lists (ACLs) that manage traffic permissions.

What is the main purpose of two-factor authentication (2FA)?

It requires a second verification method in addition to the password, so a stolen password alone is not enough to sign in.

Which of the following is a common tactic used by attackers when dumpster diving?

Searching for discarded documents containing personal or sensitive information.

How can organizations mitigate the risks associated with dumpster diving?

Employing cross-cut shredders for documents and secure disposal methods for data.

What type of link may be used in a phishing email to deceive users?

A link that contains slight variations on a legitimate address, such as letters replaced with look-alike numbers.

What can become a negative consequence of mishandling sensitive information?

Regulatory or legal violations.

What type of data might attackers look for during dumpster diving beyond documents?

Old electronic devices containing recoverable information.

Which of the following is NOT a best practice for email security?

Clicking on attachments from unknown senders.

Which item is least likely to be a target for dumpster diving?

Shredded documents that are difficult to reconstruct.

In the context of phishing, why is it risky to click on suspicious links?

It can redirect to fraudulent pages designed to steal personal information.

Which of the following items could be critical for an attacker attempting to gain unauthorized access?

Login information or employee credentials from discarded documents.

Which of the following is NOT a benefit of geofencing for security purposes?

Improved network performance.

Which of the following scenarios BEST exemplifies the application of geofencing for access restriction?

A VPN connection to a corporate network is only allowed from within the United States.

What does geofencing rely on to establish virtual boundaries?

A combination of GPS, RFID, Wi-Fi, or cellular networks.

Which of the following is NOT a primary reason for implementing network segmentation?

Centralizing network administration.

In the context of IoT devices, what is the primary function of actuators?

Responding to collected data and interacting with the physical world.

What is the fundamental concept behind the Internet of Things (IoT)?

Connecting physical devices to each other to collect and share data.

Which of the following BEST describes the role of sensors within IoT devices?

Detecting environmental changes and collecting data.

Which of the following IS NOT a typical use case for network segmentation?

Centralizing network administration to simplify management.

Which of the following is the MOST accurate definition of geofencing?

A security technique using geographical boundaries to control access.

What is the primary goal of network segmentation in the context of OT systems?

To isolate OT systems from IT environments.

Which among the following is NOT a component of a multi-layered defense approach for ICS/SCADA systems?

Market analysis.

How does Bring Your Own Device (BYOD) practice affect organizational security?

It introduces potential security risks due to personal device vulnerabilities.

Which of the following best defines Operational Technology (OT)?

Hardware and software used to manage industrial equipment.

What is the role of deception and disruption technologies in cybersecurity?

To lure attackers into revealing their intentions and methods.

Which security measure is recommended for monitoring BYOD device traffic?

Monitoring for potential threats continuously.

Why is it crucial to conduct vulnerability scanning in ICS/SCADA systems?

To identify weaknesses that could be exploited in cyberattacks.

What is a primary characteristic of guest networks?

They provide internet access while isolating guest users from internal networks.

Which technology is included under Operational Technology (OT)?

Supervisory Control and Data Acquisition (SCADA) systems.

What approach is generally taken to mitigate risks associated with BYOD?

Segmenting these devices on a dedicated VLAN for security.

Flashcards

Geofencing

A security technique using geographic boundaries to control access to systems.

Access Restriction

Limiting network or application access to specific geographic areas.

Data Protection

Enforcing location-based restrictions to protect sensitive data.

Device Security

Triggering security actions when a device enters or leaves defined zones.

Network Segmentation

Dividing a network into smaller segments for better control and security.

IoT (Internet of Things)

A network of smart devices connected to share data.

Sensors in IoT

Devices that detect changes in the environment and collect data.

Actuators in IoT

Components that act on the data collected by sensors, changing something in the physical world.

IIoT (Industrial Internet of Things)

An extension of IoT for industrial applications with specialized devices.

Certificate Authority (CA)

A trusted entity that validates an applicant's identity and issues and signs digital certificates.

Certificate Signing Request (CSR)

A request sent to a CA to obtain a digital certificate; it contains the applicant's identifying information and public key and is signed with the applicant's private key.

Root CA

The top-level certificate authority whose self-signed certificate anchors the chain of trust; it issues certificates to subordinate (intermediate) CAs.

Registration Authority (RA)

An entity delegated by the CA to receive CSRs and verify the requester's identity; it does not sign certificates itself.

Certificate Revocation List (CRL)

A signed list published by a CA of certificates that have been revoked before their expiration date.

Digital Certificate

A CA-signed electronic document that binds a public key to the identity of its owner.

Public/Private Key Pair

A set of two mathematically linked keys, one public and one private, used for encryption and digital signing.

IEEE 802.1X

A standard for port-based network access control that authenticates devices before granting them network access.

Supplicant

The user or client device requesting access to the network in the 802.1X framework.

Authenticator

The device that mediates between the supplicant and the authentication server, typically an Ethernet switch or wireless access point.

Authentication Server

A server, usually RADIUS, that validates authentication requests and returns the access decision to the authenticator.

Access Control List (ACL)

An ordered set of rules on routers and firewalls that determines whether network traffic is allowed or denied.

Hovering over links

Checking a hyperlink's legitimacy by viewing its real destination URL before clicking.

Two-Factor Authentication (2FA)

A security control that requires two different forms of verification to access an account.

Phishing Scams

Fraudulent schemes that use deceptive emails to obtain sensitive information.

Deceptive Links in Emails

Links that appear legitimate but redirect to harmful sites.

Dumpster Diving

A technique in which attackers search discarded items for sensitive information.

Types of Sensitive Information

Items attackers seek, including documents and discarded electronic devices.

Impact of Dumpster Diving

Consequences such as identity theft and unauthorized access resulting from recovered data.

Cross-Cut Shredders

Shredders that cut paper into small particles so documents cannot be reassembled.

Secure Data Disposal

Methods that erase or destroy data before storage media are discarded.

Organizational Disposal Policies

Guidelines for the safe disposal of sensitive physical and digital items.

ICS/SCADA System Defense

A multi-layered approach to protecting ICS/SCADA systems from threats.

Operational Technology (OT)

Hardware and software used to manage industrial equipment in critical sectors.

Guest Networks

Isolated network segments for visitors that limit access to internal systems.

Bring Your Own Device (BYOD)

A policy allowing employees to use personal devices for work tasks.

VLAN

Virtual Local Area Network, used to segment network traffic at the switch level.

Traffic Monitoring

Continuous inspection of data flows for potential threats.

Deception Technologies

Tools such as honeypots that lure attackers and expose their methods and tactics.

Ransomware Protection

Measures to safeguard against malware that encrypts data and demands payment for its release.

Authentication/Authorization

Controls that verify who a subject is and what they are permitted to access.

Study Notes

Common Security Terminology

• Vulnerability: A weakness in a system, application, or process that a threat actor can exploit to gain unauthorized access or cause damage. Examples include software bugs, misconfigurations, or poor security practices.
• Threat: A potential event or actor that can exploit a vulnerability to harm a system, network, or data. Threats can be intentional (e.g., hackers, malware) or unintentional (e.g., human error, natural disasters).
• Threat Actor: An individual, group, or entity that targets systems, networks, or data by exploiting vulnerabilities to achieve malicious objectives, such as data theft, operational disruption, or unauthorized access.
• Exploit: A method or tool a threat actor uses to attack, such as malicious code, scripts, or procedures designed to compromise a target. An example is a phishing email containing a link that exploits a browser vulnerability.
• Risk: The potential for loss, damage, or harm when a threat exploits a vulnerability, assessed as the likelihood of that happening combined with its impact. Organizations assess and manage risks to decide which security measures are appropriate.

CIA Triad

• Confidentiality: Protecting information and ensuring only authorized subjects (users, processes, systems) can access it. A healthcare organization using encryption to secure patient medical records is an example.
• Integrity: Protecting information against unauthorized or undetected modification. Example: An online banking system verifying transaction data integrity to prevent tampering.
• Availability: Ensuring reliable access to information when needed for authorized subjects. Example: A company implementing redundant servers and frequent data backups to maintain service availability.

Non-Repudiation

• Non-repudiation: A critical information security property. It means a subject cannot deny having performed some action, such as deleting or altering data or sending a message.

Logical Security

• Logical security: Using software and rules to protect networks, systems, and critical data from potential threats or unauthorized access. Organizations enhance security with encryption, identity and access management (IAM), digital certificates, and geofencing.
• Encryption: Transforming readable information (plaintext) into an unreadable format (ciphertext) using a mathematical algorithm and a cryptographic key. Only parties holding the correct key can decrypt the information.

Encrypting Data in Transit

• Data in transit: Data in motion, either over a local or wide-area network. Without encryption it is vulnerable to eavesdropping, interception, or other unauthorized access.
• Secure protocols protect data during transmission by encrypting it (typically with a symmetric cipher such as AES after a key exchange) and by authenticating the parties, so each side knows who it is talking to.
• Protocols: TLS and IPsec are the common protocols for securing data in transit. SSL is the deprecated predecessor of TLS and should no longer be enabled.

Encrypting Data at Rest

• Data at rest: Digital information stored on a device and not being used or transmitted. Encryption for data at rest safeguards this information even if the device is lost, stolen or compromised.
• Encryption can be implemented at the hardware level (e.g., self-encrypting drives [SEDs]) or software level (e.g., Windows BitLocker or macOS FileVault).

Symmetric and Asymmetric Encryption

• Symmetric encryption: Uses a single shared key for both encryption and decryption; fast, but the key must be distributed securely to every party. Example: AES.
• Asymmetric encryption (public key cryptography): Uses a separate public key and corresponding private key (key pair). The public key can be freely distributed, and the private key must remain secret. Examples: RSA and ECC.

Certificates

• Digital certificates: Function as electronic identification cards, binding a public key to the identity of its owner and stating the purposes the key may be used for.
• Public Key Infrastructure (PKI): Manages the creation, distribution, and validation of digital certificates to ensure secure communications (like HTTPS for websites).

Certificate Authority (CA)

• CA: Validates applicants, then issues, signs, and manages digital certificates, establishing trust between entities.

Certificate Signing Request (CSR)

• CSR: A message submitted to a certificate authority requesting a digital certificate. It contains the requester's identifying information, the public key, and the intended usage, and it is signed with the requester's private key to prove possession of that key. The CSR is not encrypted, and the private key itself is never sent to the CA.

Certificate Revocation List (CRL)

• CRL: A signed list of revoked or suspended certificates maintained and published by the issuing certificate authority, checked by relying parties before trusting a certificate.

Self-Signed Certificates

• Self-signed certificate: A certificate signed with its own subject's private key rather than by a CA. Nothing outside the issuing entity vouches for it, so browsers and systems do not trust it by default. Root CA certificates are also self-signed, but they are trusted only because they are pre-installed in a trust store. Self-signed certificates are acceptable for testing or closed environments where the certificate is explicitly pinned; they should not be used to protect critical or public-facing services.
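The CSR, CA issuance, chain validation, CRL and self-signed sections above describe a sequence that is easier to see end to end. The following is an added example, not code from the original page: a toy PKI in plain Python where the applicant builds a CSR signed with its own private key, the CA checks that proof of possession and issues a certificate, and a relying party walks the chain to a trust anchor while checking validity dates and a CA-signed CRL. All names ("Example Root CA", "www.example.test"), serial numbers and timestamps are constructed; textbook RSA with small keys stands in for real signatures only so the arithmetic is genuine, and it must not be reused outside this demonstration.

```python
# Added toy PKI (not from the page): CSR -> CA issuance -> chain and CRL validation, stdlib only.
# Textbook RSA without padding is used purely so the signatures are real math; real code uses
# the cryptography library or openssl with 2048-bit or larger keys.
import hashlib
import json
import secrets

def _is_probable_prime(n, rounds=16):  # Miller-Rabin, adequate for a throwaway demo key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):  # 512 bits only keeps the demo fast; returns (public, private)
    while True:
        p, q, e = _random_prime(bits // 2), _random_prime(bits // 2), 65537
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}  # Python 3.8+

def _digest(record):
    """SHA-256 over the to-be-signed fields (everything except 'signature') as canonical JSON."""
    tbs = {k: v for k, v in record.items() if k != "signature"}
    return int.from_bytes(hashlib.sha256(json.dumps(tbs, sort_keys=True).encode()).digest(), "big")

def signed(record, priv):
    return {**record, "signature": pow(_digest(record), priv["d"], priv["n"])}

def verify(record, pub):
    return pow(record["signature"], pub["e"], pub["n"]) == _digest(record)

def make_csr(subject, pub, priv):
    """Applicant side: subject name plus public key, signed with the matching private key
    (proof of possession). The private key itself never leaves the applicant."""
    return signed({"subject": subject, "public_key": pub}, priv)

def ca_issue(csr, issuer_cert, issuer_priv, serial, not_before, not_after, is_ca=False):
    """CA side: reject a CSR whose self-signature fails, then sign a certificate. Validating
    the applicant's identity (the RA's job) happens out of band and is not modelled here."""
    if not verify(csr, csr["public_key"]):
        raise ValueError("CSR signature invalid: requester does not hold the private key")
    return signed({"subject": csr["subject"], "issuer": issuer_cert["subject"], "serial": serial,
                   "not_before": not_before, "not_after": not_after,
                   "public_key": csr["public_key"], "is_ca": is_ca}, issuer_priv)

def verify_chain(leaf, intermediates, trust_anchors, crls, now):
    """Relying-party check (what a browser does). Anchors are trusted because they sit in the
    local trust store, not because of their self-signature. Returns (ok, reason)."""
    pool = {c["subject"]: c for c in intermediates}
    anchors = {c["subject"]: c for c in trust_anchors}
    cert = leaf
    for _ in range(8):  # bound the chain length
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False, f"{cert['subject']}: outside validity period"
        issuer = anchors.get(cert["issuer"]) or pool.get(cert["issuer"])
        if issuer is None or not issuer["is_ca"]:
            return False, f"{cert['subject']}: issuer {cert['issuer']!r} is not a trusted CA"
        if not verify(cert, issuer["public_key"]):
            return False, f"{cert['subject']}: signature does not verify under its issuer"
        crl = crls.get(issuer["subject"])  # the CRL is published and signed by the issuing CA
        if crl is not None and not verify(crl, issuer["public_key"]):
            return False, f"{issuer['subject']}: CRL signature invalid"
        if crl is not None and cert["serial"] in crl["revoked"]:
            return False, f"{cert['subject']}: serial {cert['serial']} is revoked"
        if cert["issuer"] in anchors:
            return True, "chain ends at a trusted root"
        cert = issuer
    return False, "chain too long"

def demo(now=1_700_000_000):  # constructed scenario: root -> issuing CA -> web server certificate
    year = 365 * 86400
    root_pub, root_priv = generate_keypair()
    root = signed({"subject": "Example Root CA", "issuer": "Example Root CA", "serial": 1, "is_ca": True,
                   "not_before": now - year, "not_after": now + 10 * year, "public_key": root_pub}, root_priv)
    ca_pub, ca_priv = generate_keypair()
    issuing = ca_issue(make_csr("Example Issuing CA", ca_pub, ca_priv), root, root_priv,
                       2, now - year, now + 5 * year, is_ca=True)
    site_pub, site_priv = generate_keypair()
    site = ca_issue(make_csr("www.example.test", site_pub, site_priv), issuing, ca_priv,
                    1001, now - 86400, now + year)
    crl = signed({"issuer": issuing["subject"], "revoked": [1001]}, ca_priv)
    self_signed = signed({**site, "issuer": site["subject"]}, site_priv)  # no CA vouches for it
    cases = {"valid": (site, [issuing], {}, now), "revoked": (site, [issuing], {crl["issuer"]: crl}, now),
             "expired": (site, [issuing], {}, now + 2 * year), "self_signed": (self_signed, [], {}, now)}
    return {name: verify_chain(leaf, mids, [root], crl_map, at) for name, (leaf, mids, crl_map, at) in cases.items()}
```

Running `demo()` returns one (ok, reason) pair per case: the properly issued certificate validates, the same certificate fails once its serial appears on the issuing CA's CRL, it fails again after its expiry date, and the self-signed copy fails because no trust anchor vouches for it. Note that the root certificate's own signature is never what establishes trust; its presence in the trust store is.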

Identity and Access Management (IAM)

• IAM: A foundational cybersecurity framework that manages and ensures the right people, devices, and things have the appropriate access to authorized resources at the correct time.

Authentication

• Authentication: Establishing that a user is indeed who they claim to be. It is essential for secure access. Weak authentication methods (a username and a single password) pose high risks.

Multifactor Authentication (MFA)

• MFA: Enhances security by requiring two or more authentication factors from different categories, so that compromising one factor (such as a password) is not enough.

Something You Know, Something You Have, Something You Are

• Something you know: Knowledge factor, including passwords, PINs, or swipe patterns.
• Something you have: Possession factor, including physical objects like keys, smart cards, or smartphones.
• Something you are: Inherence factor, relying on user attributes like fingerprints or iris recognition.

Hard and Soft Authentication Tokens

• Hard authentication token: A dedicated physical device that generates or holds an authentication credential. Examples: smart cards and hardware OTP key fobs.
• Soft authentication token: A software-based token, typically an authenticator app on the user's phone that generates one-time codes. One-time passwords delivered by SMS or email are often grouped here as well, but they are weaker because the delivery channel can be intercepted (SIM swapping, a compromised mailbox).

Time-Based Authentication (TOTP)

• TOTP (RFC 6238): A commonly used time-based method for generating ephemeral, unique, one-time codes from a shared secret and the current time, so the server and the user's token agree on the code without communicating.

Single Sign-On (SSO)

• SSO: An authentication mechanism that lets a user sign in once and then access multiple resources without re-authenticating to each one.

Lightweight Directory Access Protocol (LDAP)

• LDAP: An open protocol for managing and accessing directory data (like user accounts and groups) in a centralized directory.

Security Assertion Markup Language (SAML)

• SAML: An open standard for exchanging authentication and authorization data between an Identity Provider and a Service Provider (e.g., authenticating users to access cloud-based services).

Role-Based Access Control (RBAC)

• RBAC: Permissions are attached to roles (job functions) rather than to individual identities. Administrators assign users to roles, and all subjects holding a role share its permissions.

Account Management: Provisioning and Deprovisioning

• Provisioning: Creating accounts and granting the resources or services a user needs for a specific activity, such as onboarding a new employee.
• Deprovisioning: Revoking access to an account when a user leaves or their role changes.

Remote Authentication Dial-In User Service (RADIUS)

• RADIUS: A networking protocol for centralized Authentication, Authorization, and Accounting (AAA) services. It obfuscates only the password attribute, not the rest of the packet.

Terminal Access Controller Access Control System Plus (TACACS+)

• TACACS+: Another AAA protocol. It separates authentication, authorization, and accounting, offers more granular control over user permissions than RADIUS (down to per-command authorization), and encrypts the entire packet body rather than just the password.

Geofencing

• Geofencing: A logical security technique using geographic boundaries to control access to systems, networks, or applications.

Network Segmentation Enforcement

• Network segmentation: Dividing a network into smaller, isolated segments to enhance performance, manage traffic, and protect sensitive resources.

Internet of Things (IoT) and Industrial Internet of Things (IIoT)

• IoT/IIoT: Represents a massive number of interconnected smart devices sharing data.

Supervisory Control and Data Acquisition (SCADA)

• SCADA: Monitoring and controlling industrial processes (e.g., power grids, water treatment facilities).

Denial of Service (DoS) Attacks

• DoS: An attack that makes a server unavailable to legitimate users by exhausting its resources or bandwidth.

Distributed Denial of Service (DDoS) Attacks

• DDoS: An attack that originates from multiple attacker systems, coordinating to overwhelm a single target with network traffic.

Reflected and Amplified Attacks

• Attackers send requests with a forged source address (the victim's) to many servers; the replies go to the victim, which is overwhelmed by responses to requests it never made. Amplification uses protocols whose replies are much larger than the requests (DNS and NTP are common choices), multiplying the bandwidth directed at the target.

On-Path Attacks (Man-in-the-Middle)

• On-path attacks: The attacker intercepts or manipulates communications on the path between two parties without their knowledge.

Wi-Fi Eavesdropping, DNS Spoofing, Session Hijacking, ARP Spoofing

• Wi-Fi eavesdropping: Monitoring public or unsecured wireless network traffic.
• DNS spoofing: Altering DNS name resolution so victims connect to an attacker-controlled host.
• Session hijacking: Stealing session tokens to take over an authenticated session.
• ARP spoofing: Answering ARP requests so that the attacker's MAC address becomes associated with a legitimate host's IP address (often the gateway), redirecting traffic through the attacker.

MAC Filtering

• MAC filtering: A switch or access-point feature that allows or blocks devices based on their MAC addresses. It stops casual unauthorized connections, but MAC addresses are visible on the wire and trivially spoofed, so it is not a substitute for 802.1X.

802.1X

• 802.1X: A standard for port-based network access control that authenticates devices before allowing network connectivity. Until the supplicant authenticates, the authenticator (switch or access point) forwards only EAPOL frames; the authentication server (usually RADIUS) decides whether the port is opened.

Security Rules (ACLs, URL Filtering, Content Filtering)

• Access Control Lists (ACLs): Ordered rules specifying what network traffic is allowed or denied, matched on fields such as source/destination IP addresses, protocol, and ports. On most platforms the first matching rule wins and anything unmatched is dropped by an implicit deny at the end, so rule order matters.
• URL Filtering: Restricting access to specific websites (URLs) in real time.
• Content Filtering: Inspecting data packets to control access, block inappropriate content, and ensure compliance.
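The 802.1X and ACL notes above describe two gates a packet passes on an access port: first the port must be authorized (only EAPOL gets through before that), then an ordered ACL with first-match semantics and an implicit deny decides. The following is an added example, not code from the original page, that models both in plain Python over constructed Ethernet/IPv4 frames. The MAC addresses, the 10.10.0.0/16 access VLAN, the 10.0.0.0/8 data-centre range, the 203.0.113.0/24 "Internet" host (a documentation range) and the four-rule ACL are all assumptions made for the demonstration; the EAPOL EtherType 0x888E and the PAE group address are from the standard.

```python
# Added example (not from the page): a switch port that forwards only EAPOL until 802.1X
# succeeds, then applies an ordered IPv4 ACL with first-match semantics and implicit deny.
import ipaddress
import struct

EAPOL_ETHERTYPE = 0x888E   # EAP over LAN: the only traffic an unauthorized port passes
IPV4_ETHERTYPE = 0x0800
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X Port Access Entity group address
CLIENT_MAC = bytes.fromhex("02aabbccdd01")      # constructed, locally administered MAC
GATEWAY_MAC = bytes.fromhex("02aabbccdd02")     # constructed

# Constructed ACL, evaluated top to bottom; the first matching rule decides.
# proto/dport None means "any". 10.10.0.0/16 is the access VLAN, 10.0.0.0/8 the data centre.
ACL = [
    {"action": "permit", "proto": 17, "src": "10.10.0.0/16", "dst": "10.0.0.53/32", "dport": 53},
    {"action": "permit", "proto": 6, "src": "10.10.0.0/16", "dst": "0.0.0.0/0", "dport": 443},
    {"action": "deny", "proto": None, "src": "10.10.0.0/16", "dst": "10.0.0.0/8", "dport": None},
    {"action": "permit", "proto": 6, "src": "10.10.0.0/16", "dst": "0.0.0.0/0", "dport": 80},
]


def build_ipv4_frame(src_ip, dst_ip, proto, sport, dport):
    """Constructed sample frame: Ethernet + minimal IPv4 header + L4 ports (checksum left 0)."""
    l4 = struct.pack("!HH", sport, dport)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return struct.pack("!6s6sH", GATEWAY_MAC, CLIENT_MAC, IPV4_ETHERTYPE) + ip + l4


def build_eapol_start():
    """Constructed EAPOL-Start (version 1, packet type 1, body length 0) from the supplicant."""
    return struct.pack("!6s6sH", PAE_GROUP_MAC, CLIENT_MAC, EAPOL_ETHERTYPE) + bytes([1, 1, 0, 0])


def parse_frame(frame):
    """Extract what the L2 gate and an IPv4 ACL need: EtherType, addresses, protocol, dest port."""
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"ethertype": ethertype, "proto": None, "src": None, "dst": None, "dport": None}
    if ethertype == IPV4_ETHERTYPE:
        ihl = (frame[14] & 0x0F) * 4
        pkt["proto"] = frame[14 + 9]
        pkt["src"] = ipaddress.ip_address(frame[14 + 12:14 + 16])
        pkt["dst"] = ipaddress.ip_address(frame[14 + 16:14 + 20])
        l4 = frame[14 + ihl:]
        if pkt["proto"] in (6, 17) and len(l4) >= 4:  # TCP/UDP carry ports; ICMP etc. do not
            pkt["dport"] = struct.unpack("!HH", l4[:4])[1]
    return pkt


def acl_decision(pkt, acl):
    """First match wins; falling off the end is the implicit deny found on routers and firewalls."""
    for i, rule in enumerate(acl):
        if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
            continue
        if pkt["src"] not in ipaddress.ip_network(rule["src"]):
            continue
        if pkt["dst"] not in ipaddress.ip_network(rule["dst"]):
            continue
        if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
            continue
        return rule["action"] == "permit", f"rule {i} ({rule['action']})"
    return False, "implicit deny"


class SwitchPort:
    """The authenticator's view of one access port."""

    def __init__(self, acl):
        self.authorized = False  # 802.1X state: only EAPOL passes until RADIUS says Access-Accept
        self.acl = acl

    def access_accept(self):
        """Called when the authentication server's Access-Accept is relayed back for this port."""
        self.authorized = True

    def forward(self, frame):
        pkt = parse_frame(frame)
        if not self.authorized:
            if pkt["ethertype"] == EAPOL_ETHERTYPE:
                return True, "EAPOL relayed to the authentication server"
            return False, "port unauthorized: only EAPOL is accepted"
        if pkt["ethertype"] != IPV4_ETHERTYPE:
            return True, "non-IPv4 frame (e.g. ARP): the IPv4 ACL does not apply"
        return acl_decision(pkt, self.acl)


def demo():
    """Constructed traffic through one port, before and after authentication."""
    port = SwitchPort(ACL)
    dns = build_ipv4_frame("10.10.5.20", "10.0.0.53", 17, 50000, 53)
    out = {"eapol_before_auth": port.forward(build_eapol_start()), "dns_before_auth": port.forward(dns)}
    port.access_accept()
    out.update({
        "dns_after_auth": port.forward(dns),
        "https_internet": port.forward(build_ipv4_frame("10.10.5.20", "203.0.113.10", 6, 50001, 443)),
        "https_internal": port.forward(build_ipv4_frame("10.10.5.20", "10.0.0.5", 6, 50002, 443)),
        "ssh_internal": port.forward(build_ipv4_frame("10.10.5.20", "10.0.0.5", 6, 50003, 22)),
        "http_internal": port.forward(build_ipv4_frame("10.10.5.20", "10.0.0.5", 6, 50004, 80)),
        "http_internet": port.forward(build_ipv4_frame("10.10.5.20", "203.0.113.10", 6, 50005, 80)),
        "ntp_internet": port.forward(build_ipv4_frame("10.10.5.20", "203.0.113.10", 17, 50006, 123)),
    })
    return out
```

Two results from `demo()` are worth a second look. HTTP to the data centre is denied by rule 2 even though rule 3 would permit port 80, because the deny sits above it; swapping those two rules would silently open the data centre on port 80. Conversely, HTTPS to the data centre is permitted by rule 1 because its destination is 0.0.0.0/0 and it sits above the deny, which may or may not be what the author intended. Rule order, not just rule content, is what the ACL enforces.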

Zones

• Trusted Zone: The organization's internal network, under its administrative control; hosts typically use private (RFC 1918) IP addresses.
• Untrusted Zone: Public networks such as the Internet, beyond the organization's control; hosts use public IP addresses.

Key Management

• Key management: Processes for generating, distributing, storing, rotating, and revoking cryptographic keys. Essential for secure encrypted communications and data, since a leaked or unrotated key undoes the protection of the strongest algorithm.

Rogue Devices and Services

• Rogue devices/services: Unauthorized devices or services connected to a network, which can expose sensitive information or disrupt operations.

Social Engineering

• Social engineering: Exploiting human trust and habit, rather than technical flaws, to obtain information or induce users to take actions. Attacks include phishing (email), smishing (SMS), vishing (phone calls), dumpster diving, shoulder surfing, and tailgating.

Related Documents

Common Security Terminology PDF

Description

Test your knowledge on the essential components and functions of a Public Key Infrastructure (PKI). This quiz covers the roles of Registration Authorities, Certificate Authorities, and the significance of Certificate Signing Requests and Revocation Lists. Ideal for those studying cybersecurity and digital certificates.