Questions and Answers
What type of malware attaches itself to a host application and must be executed by the user or system?
- Worm
- Armored virus
- Rootkit
- Trojan
Answer: this is the definition of a virus, so of the listed options only the armored virus fits. The original key marked Trojan, but a Trojan is a program that appears useful while carrying a malicious component; it does not attach itself to a host application (see the Malware notes below).
Pharming is a scamming practice where malicious code is installed on a server, redirecting users to fraudulent websites.
True
What type of malware encrypts valuable user files?
Crypto-malware (ransomware)
_______ is a string of code embedded into an application or script that executes in response to a specific event.
Logic bomb
Which protocol encrypts traffic in transit and can be used to encrypt other protocols such as FTP?
SSH (SFTP is file transfer carried over an SSH session)
Match the wireless attacks with their descriptions:
S/MIME provides ______ security.
Email (encryption and authentication of messages)
What does LDAPS stand for and what is it used for?
LDAP Secure (LDAP over SSL/TLS); it encrypts directory queries and replies in transit so credentials and directory data are not exposed on the network.
AES is used to encrypt traffic over ___.
Match the following email protocols with their respective ports:
What attack occurs when the hashing algorithm creates the same hash from different passwords?
Collision attack (the birthday attack is the usual way of finding one)
What type of attack uses a dictionary of words, with variations, as passwords?
Dictionary attack
_______-Steals the hash, uses the list of passwords to produce that hash to identify the password.
Rainbow table attack (a precomputed table of hashes for a password list, looked up against the stolen hash)
Match the threat actor types with their descriptions:
A brute force attack involves guessing all possible character combinations.
True
What is the purpose of a Secure Baseline?
To define the approved, documented configuration that every system of a given type must meet, so that deviations can be measured and corrected.
HVAC systems have a significant impact on the confidentiality of data centers.
False: HVAC affects availability (overheating takes equipment down), not confidentiality.
Define SoC (System on a Chip).
A single chip that integrates the processor, memory, storage controllers and I/O needed to run a complete device, as found in smartphones and IoT devices.
________ is a process of allocating resources based on demand.
Elasticity
Match the following cloud deployment models with their descriptions:
What is the main purpose of IKE Phase 1?
To authenticate the two peers and establish a protected channel (the IKE security association) over which the IPsec security associations are negotiated in Phase 2.
Aggressive mode in IKE Phase 1 is slower but more secure than Main mode.
False: Aggressive mode completes in three messages instead of six, so it is faster, but it sends the peer identities before the channel is protected, making it less secure.
What does ESP stand for in IPsec protocols?
Encapsulating Security Payload
In IPSec, _____ provides authentication for the data and the IP header of a packet using one-way hash.
AH (Authentication Header)
Match the IPSec Protocol with its description:
What does NAC stand for?
Network Access Control
What tool is used to capture, display, and analyze packets sent over a network?
A protocol analyzer (packet sniffer) such as Wireshark or tcpdump
SSL decryptors use a man-in-the-middle technique to open and re-encrypt SSL/TLS traffic.
True
Mobile device management can restrict what ____________ can be installed and prevent unapproved applications.
Applications
Match the following connection methods with their descriptions:
Which RAID level is block-striped with error check and provides high availability?
RAID 5 (block-level striping with distributed parity)
What is the primary purpose of a Faraday Cage in a data center?
To block electromagnetic signals, so that emanations from equipment cannot leak out and outside radio or wireless signals cannot get in.
Match the following access control model with its description:
NTLM is a legacy protocol that has been replaced by Kerberos.
True (NTLM still exists as a fallback in Windows domains, but Kerberos is the default)
______ is an improvement over RADIUS and uses EAP for better security.
Diameter
Which authentication method uses a combination of a secret key and an incrementing counter for generating one-time passwords?
HOTP (HMAC-based One-Time Password)
What is the purpose of capturing video in a forensic investigation?
To record the state of the scene and every action taken on the evidence, supporting the chain of custody and showing that nothing was altered.
Which backup type backs up all selected data?
Full backup
Data sovereignty implies that data originating within a country must be stored outside that country.
False: data sovereignty means data is subject to the laws of the country in which it is stored, and regulations may require that it stay within that country.
______ is a process for moving from a normal operational capability to the continuity-of-operations version of the business.
Failover
Match the location selection with the appropriate description:
What does TOTP stand for and how does it differ from HOTP?
Time-based One-Time Password. Both derive a code from a shared secret with HMAC; HOTP's moving factor is a counter incremented on each use, TOTP's is the current time divided into fixed steps (commonly 30 seconds). A TOTP code therefore expires on its own, whereas an HOTP code stays valid until that counter value is consumed.
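The HOTP and TOTP items above, worked through in code. This is an added example, not material from the original quiz: it implements RFC 4226 (HOTP) and RFC 6238 (TOTP) with the standard library and adds a verifier of the kind a server needs, with a bounded look-ahead window for counter or clock drift and rejection of replayed codes. The shared secret `12345678901234567890` is the test secret published in both RFCs; the `HotpVerifier` class and its `look_ahead` parameter are this example's own design.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) from scratch, plus a verifier that
tolerates small counter/clock drift and refuses replayed codes."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP = dynamic_truncate(HMAC(secret, counter)) mod 10^digits.

    The counter is an 8-byte big-endian integer (RFC 4226 section 5.1).
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, digestmod).digest()
    # Dynamic truncation: the low 4 bits of the last byte select a 4-byte window.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from time: T = floor(now / step)."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server-side HOTP state (example design): remembers the last accepted
    counter so a captured code cannot be replayed, and looks ahead a bounded
    number of counters because the token and the server drift apart."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1  # no code accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            # compare_digest avoids leaking the matching prefix through timing
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # every counter up to c is now dead
                return True
        return False


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current time step and +-skew neighbours to tolerate clock drift."""
    t = unix_time // step
    return any(hmac.compare_digest(hotp(secret, t + d), code) for d in range(-skew, skew + 1))


if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 4226 Appendix D / RFC 6238 Appendix B test secret
    print([hotp(seed, c) for c in range(3)])   # ['755224', '287082', '359152']
    print(totp(seed, 59, digits=8))             # 94287082
    print(totp(seed, int(time.time())))
```

Note that a TOTP verifier still needs replay protection: within one 30-second step the same code is valid for every attempt, so a server should also record the last time step for which it accepted a code.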
Which type of accounts should not be used to ensure IAAA (Identification, Authentication, Authorization, and Accountability) can be implemented?
Shared or generic accounts, because their actions cannot be traced back to one individual.
Standard Operating Procedures (SOPs) are step-by-step instructions that employees can use to perform uncommon tasks.
False: SOPs document routine, repeatable tasks so that they are performed the same way every time.
_______ identifies potential risks related to Personally Identifiable Information (PII) to ensure compliance with laws and regulations.
Privacy impact assessment (PIA)
Match the following Risk Management concepts with their definitions:
What is an Armored virus designed to do?
Resist analysis: it uses obfuscation and anti-debugging techniques so that reverse-engineering it takes much longer.
Social Engineering may involve tactics like Whaling and Vishing.
True
What is the primary purpose of a Keylogger?
To record every keystroke, capturing credentials and other typed data.
What type of software learns users' habits for targeted advertising? ______________
Adware
Match the wireless attack type with its description:
What is NAC used for?
Checking the health of a client (patch level, antivirus, configuration) before admitting it to the network, and restricting clients that fail the check.
What do SSL decryptors do?
They terminate SSL/TLS sessions as a man-in-the-middle so the plaintext can be inspected, then re-encrypt the traffic towards its destination.
Containerization isolates and protects applications and their data.
True
______ is a protocol analyzer that captures, displays, and analyzes network packets.
Wireshark
Match the mobile device connection methods with their descriptions:
Which type of attack occurs when the hashing algorithm creates the same hash from different passwords?
Collision attack
What are Rainbow tables used for?
Reversing password hashes quickly: the hashes of a large candidate list are precomputed once, so cracking a stolen unsalted hash becomes a table lookup instead of repeated hashing. Per-user salts defeat them.
Hackers use _______ attack to guess all possible character combinations.
Brute force
In a collision attack, the attacker steals the hash and uses a list of passwords to find the matching one.
False: that describes an offline dictionary or rainbow table attack. A collision is two different inputs that produce the same hash.
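The password attacks in the questions above (dictionary with variations, brute force, the stolen-hash lookup that rainbow tables precompute), run against a constructed stolen hash, with the defence beside them. This is an added example and not part of the original quiz; the wordlist, the leaked password and the mangling rules are constructed for illustration, and `store_password`/`check_password` are this example's own names for the salted, slow-hash storage that makes the precomputed attacks useless.

```python
"""Offline password attacks against a stolen hash, and why a per-user salt
plus a slow KDF breaks the precomputation that makes them cheap."""
import hashlib
import hmac
import itertools
import os
import string

# Constructed sample: a leaked, unsalted SHA-256 password hash.
STOLEN_HASH = hashlib.sha256(b"Summer2023!").hexdigest()
WORDLIST = ["password", "summer", "welcome", "admin"]      # constructed wordlist
TOY_HASH = hashlib.sha256(b"ab1").hexdigest()               # small enough to brute force
TOY_ALPHABET = string.ascii_lowercase + string.digits


def mangle(word: str):
    """Dictionary 'variations': case changes, year suffixes, trailing symbols."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for year in ("2022", "2023"):
            yield base + year
            for sym in "!@#":
                yield base + year + sym


def dictionary_attack(target_hex: str, words):
    """Hash every candidate and compare with the stolen hash.
    Returns (plaintext or None, number of hashes computed)."""
    tries = 0
    for word in words:
        for cand in mangle(word):
            tries += 1
            if hashlib.sha256(cand.encode()).hexdigest() == target_hex:
                return cand, tries
    return None, tries


def brute_force(target_hex: str, alphabet: str, max_len: int):
    """Exhaustive search of every string up to max_len; feasible only for toy sizes."""
    tries = 0
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            tries += 1
            cand = "".join(tup)
            if hashlib.sha256(cand.encode()).hexdigest() == target_hex:
                return cand, tries
    return None, tries


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates a full brute force of a fixed length must cover: |alphabet|^length."""
    return alphabet_size ** length


def build_lookup(words) -> dict:
    """Precomputed hash -> password table, the idea behind rainbow tables: built
    once, it turns every later unsalted hash into a dictionary lookup."""
    return {hashlib.sha256(c.encode()).hexdigest(): c for w in words for c in mangle(w)}


def store_password(password: str, iterations: int = 200_000) -> tuple:
    """Defender side: random per-user salt + PBKDF2, so no table built in advance
    applies and every guess costs the attacker `iterations` HMAC computations."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes, iterations: int = 200_000) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    print(dictionary_attack(STOLEN_HASH, WORDLIST))            # ('Summer2023!', <tries>)
    print(brute_force(TOY_HASH, TOY_ALPHABET, 3))               # ('ab1', <tries>)
    print(f"8 chars from 95 printable ASCII: {keyspace(95, 8):,} candidates")
    print(build_lookup(WORDLIST)[STOLEN_HASH])                  # instant lookup
    salt, dig = store_password("Summer2023!")
    print(check_password("Summer2023!", salt, dig), check_password("summer2023", salt, dig))
```

Two users with the same password get different salts and therefore different digests, so the lookup table cannot be shared between them; and because the attacker needs any input that produces the stored digest, not the user's original password, a collision in the hash function would also be enough, which is why the collision question above is about the algorithm rather than the wordlist.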
Match the following network security tools with their functions:
What is the purpose of a VPN concentrator?
It is the device that terminates many VPN tunnels at once, handling authentication, key negotiation and encryption for remote users and sites.
Which protocols are used for protecting user data in IPsec?
AH (Authentication Header) and ESP (Encapsulating Security Payload)
What is the purpose of IKE Phase 1 in IPsec?
To authenticate the peers and set up the protected channel used in Phase 2 to negotiate the IPsec security associations.
Aggressive mode in IKE Phase 1 is more secure than Main mode.
False: it is faster (three messages instead of six) but exposes the peer identities before they are protected.
What is the purpose of a Split tunnel in VPNs?
Only traffic destined for the corporate network goes through the VPN; everything else goes directly to the internet. This saves bandwidth but leaves that traffic outside corporate inspection.
______ provides authentication for the data and the IP header of a packet in IPsec using a one-way hash.
AH (Authentication Header)
What does LDAPS stand for and what port is it commonly used on?
LDAP Secure (LDAP over SSL/TLS); TCP port 636
Which protocol uses port 22 for file transfer and encryption?
SFTP (file transfer over SSH)
TLS has replaced SSL for securing traffic on the internet.
True
Secure POP3 commonly uses port 995, whereas IMAP4 with SSL uses port ____.
993
Match the protocol with its primary usage:
What is the purpose of parity in RAID 5?
The parity block of each stripe is the XOR of the stripe's data blocks, so the contents of any one failed drive can be recomputed from the remaining drives. RAID 5 has no dedicated parity drive: parity is rotated across all drives (a dedicated parity drive is RAID 4).
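The parity mechanism behind the RAID 5 questions, as an added example that is not part of the original quiz: data is striped across a set of simulated disks with a rotating XOR parity block, one disk is lost, and its contents are rebuilt from the others. The disk layout is held in Python lists, and the names `write_stripes`, `rebuild_disk` and `read_back` are this example's own.

```python
"""RAID 5 in miniature: stripe data blocks across N disks, store one XOR
parity block per stripe on a rotating disk, and rebuild a failed disk."""

DATA = b"The quick brown fox jumps over the lazy dog"   # constructed payload


def xor_blocks(blocks):
    """Byte-wise XOR of equally sized blocks."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe: int, disks: int) -> int:
    """Rotate parity so no single disk takes every parity write (RAID 5, not RAID 4)."""
    return (disks - 1 - stripe) % disks


def write_stripes(data: bytes, disks: int, block_size: int):
    """Return one list of blocks per disk. Each stripe holds disks-1 data blocks
    plus one parity block equal to the XOR of those data blocks."""
    assert disks >= 3, "RAID 5 needs at least three disks"
    per_stripe = (disks - 1) * block_size
    padded = data + b"\0" * (-len(data) % per_stripe)
    layout = [[] for _ in range(disks)]
    for s in range(len(padded) // per_stripe):
        chunk = padded[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(disks - 1)]
        parity = xor_blocks(blocks)
        p = parity_disk_for(s, disks)
        it = iter(blocks)
        for d in range(disks):
            layout[d].append(parity if d == p else next(it))
    return layout


def rebuild_disk(layout, failed: int):
    """XOR of all blocks in a stripe is zero, so the missing block is the XOR
    of the surviving ones. Works for exactly one failed disk; a second failure
    before the rebuild finishes loses the stripe (the reason RAID 6 exists)."""
    disks, stripes = len(layout), len(layout[0])
    return [xor_blocks([layout[d][s] for d in range(disks) if d != failed]) for s in range(stripes)]


def read_back(layout, length: int) -> bytes:
    """Reassemble the original bytes by skipping each stripe's parity block."""
    disks = len(layout)
    out = bytearray()
    for s in range(len(layout[0])):
        p = parity_disk_for(s, disks)
        for d in range(disks):
            if d != p:
                out += layout[d][s]
    return bytes(out[:length])


def demo(disks: int = 4, block_size: int = 4, failed: int = 1) -> dict:
    """Constructed scenario: write, lose one disk, rebuild it, verify the data."""
    layout = write_stripes(DATA, disks, block_size)
    original = list(layout[failed])
    layout[failed] = [b"\xff" * block_size] * len(original)      # disk contents gone
    layout[failed] = rebuild_disk(layout, failed)
    return {"rebuilt_ok": layout[failed] == original,
            "data_ok": read_back(layout, len(DATA)) == DATA,
            "stripes": len(layout[0])}


if __name__ == "__main__":
    print(demo())
```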
Explain the purpose of a Faraday Cage in physical security.
It encloses an area in conductive material that blocks electromagnetic signals, preventing emanations from leaking out and outside wireless signals from getting in.
Key cards are more secure than metallic keys because they can be remotely revoked. True or False?
True
LDAP stands for Lightweight Directory ________ Protocol.
Access
Match the biometric factor with its corresponding description:
What does a Secure baseline document specify?
The required configuration for a type of system: enabled services, patch level, settings and permissions that every instance must match.
Integrity measurement involves monitoring whether an application, system, or service complies with the security baseline.
True
SCADA/ICS stands for Industrial Control System and is controlled by a Supervisory Control and ________.
Data Acquisition (SCADA) system
What is the core engine of Smart devices/IoT often based on?
Match the development life-cycle model with its description:
What is the abbreviation for 'Time based OTP'?
TOTP
Which system is used by the Department of Defense (DOD) for military personnel and contractors?
CAC (Common Access Card)
Two-phase commit ensures that if a portion of a transaction cannot complete, the entire transaction is still performed.
False: if any participant cannot commit, the whole transaction is rolled back, so the data is never left half-updated.
______ is a technical control where users or processes are granted only those rights and permissions needed to perform their assigned tasks or functions.
Least privilege
Match the following concepts with their descriptions:
What is the purpose of taking hashes in digital forensics?
To prove integrity: the hash taken when evidence is collected is compared with the hash of the copy being analysed, and a change to a single bit changes the hash.
What is the main purpose of witness interviews in digital forensics?
To capture what people saw and did at the time, before memories fade, adding context that the digital evidence alone does not give.
What does DRP (disaster recovery plan) include?
The procedures for restoring systems and data after a disaster: recovery priorities, backup and restore steps, alternate sites and the people responsible.
______ captures the data at a point in time and is a fast way to restore the system.
Snapshot
Failover involves moving from normal operations to the business continuity version of the organization.
True
What is the primary objective of fault tolerance in a system or service?
To keep operating despite the failure of a component, with no loss of service.
What is the main purpose of a RAID 1 configuration?
Mirroring: identical copies of the data are written to two drives so that either can fail without data loss.
What is the primary function of a mantrap in a data center?
A pair of interlocking doors that admits one person at a time, preventing tailgating.
What is the purpose of a Faraday Cage in a data center?
Blocking electromagnetic emanations from leaving and external wireless signals from entering.
What is the primary benefit of using a redundant system design?
Removing single points of failure, so that one component failing does not interrupt service.
What is the primary purpose of using signs in a physical security context?
Deterrence and direction: warning people that an area is restricted or monitored.
What is the primary benefit of using a distributed allocation system?
What is the primary purpose of a lock in a physical security context?
Physically preventing unauthorized entry to a room, cabinet or device.
What is the primary function of an air gap in a physical security context?
Keeping a system physically disconnected from every other network so that it cannot be reached remotely.
What is the primary benefit of using RAID 5 configuration?
Fault tolerance with good storage efficiency: one drive can fail without data loss, and only one drive's worth of capacity is spent on parity.
Study Notes
Threats, Attacks, and Vulnerabilities
Malware
- Viruses: attach themselves to a host application and run when that host is executed
  - Sparse infector virus: infects only occasionally, so its activity is harder to notice
  - Multipartite virus: infects both program files and the boot sector
  - Stealth virus: uses multiple techniques to evade detection
  - Armored virus: uses obfuscation and anti-debugging tricks that make reverse-engineering difficult
- Worms: self-replicating malware that spreads across a network without a host application or user interaction
- Crypto-malware: encrypts valuable user files and demands payment for the key (ransomware)
- Trojans: appear to be useful but contain a malicious component
- Rootkits: run with root-level or kernel-level access, can modify system files and hide their own presence
- Keyloggers: record every keystroke
- Adware: learns user habits for targeted advertising (e.g., pop-ups)
- Spyware: monitors user activity and sends the information to a third party
- Bots: compromised computers acting as software robots, controlled together as a botnet (e.g., sending spam, launching DDoS)
- Logic bombs: code embedded in an application or script that executes in response to an event or at a specific time
- Backdoors: provide another way of accessing a system that bypasses normal authentication; often installed by malware
Social Engineering
- Pharming: misdirecting users to fraudulent websites without their knowledge or consent
- Phishing: emailing users to trick them into revealing personal information or clicking a malicious link
- Spimming: phishing using instant messages (e.g., Facebook Messenger)
- Spear phishing: targeted form of phishing, sending emails to specific users or groups
- Whaling: targeting high-level executives with phishing attacks
- Vishing: phishing using phone calls
- Tailgating: following an employee through a door without showing credentials
- Impersonation: pretending to be someone else (a technician, a vendor, an executive) to obtain access or information
- Dumpster diving: searching through trash to gain information from discarded documents
- Shoulder surfing: looking over someone's shoulder to obtain sensitive information
- Hoax: false message, often an email claiming a virus exists and encouraging deletion of files or changing system configuration
- Watering hole attack: infecting a website frequently visited by the target group with malware
Types of Attacks
- DoS (Denial of Service): disrupting services provided by another system
- DDoS (Distributed Denial of Service): attack from multiple computers to a single target
- Man-in-the-Middle (MitM): intercepting and modifying communications between two parties
- Buffer overflow: sending more data than a buffer can hold so that adjacent memory is overwritten, which can crash the program or redirect its execution
- Injection: supplying input that the application passes on to an interpreter (SQL, LDAP, an OS shell) where it is executed as code
- Cross-site Scripting (XSS): injecting malicious scripts into a website so that they run in other users' browsers
- Cross-Site Request Forgery (CSRF): tricking an authenticated user's browser into sending requests the user did not intend
- Privilege Escalation: exploiting a programming flaw or buffer overflow to gain admin-level or root-level access
- ARP Poisoning: sending forged ARP replies so that hosts map an IP address to the attacker's MAC address, redirecting LAN traffic through the attacker
- DNS Poisoning: inserting forged records into a resolver's cache so that users are sent to malicious sites
- Domain Hijacking: taking control of a domain name registration without authorization
- Man-in-the-Browser: malware inside the browser that alters pages and transactions between the user and a website
- Zero-day Exploit: exploiting a vulnerability that is not yet publicly known or patched
- Replay Attack: capturing valid data (such as an authentication exchange) and re-transmitting it to impersonate one party in a session
- Pass-the-Hash: capturing password hashes and using them directly to authenticate, without cracking them
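The injection entry in the list above, shown as a runnable before-and-after. This is an added example and not code from the original notes: a login query against an in-memory SQLite table, once built by string concatenation and once with a bound parameter, exercised with a classic comment-out payload. The table, the two accounts and the function names are constructed for the example.

```python
"""SQL injection: the same login check written unsafely and safely."""
import hashlib
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    for name, pw, role in [("alice", "correct horse", "user"), ("admin", "hunter2", "admin")]:
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (name, hashlib.sha256(pw.encode()).hexdigest(), role))
    return db


def login_vulnerable(db, name: str, password: str):
    """Untrusted input is pasted into the SQL text, so it can rewrite the query."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = f"SELECT name, role FROM users WHERE name = '{name}' AND pw_hash = '{pw_hash}'"
    return db.execute(sql).fetchone()


def login_safe(db, name: str, password: str):
    """Bound parameters: the driver passes values separately from the query text,
    so a quote inside `name` is just a character in a string, not SQL syntax."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT name, role FROM users WHERE name = ? AND pw_hash = ?"
    return db.execute(sql, (name, pw_hash)).fetchone()


# Constructed payload: closes the string literal, then comments out the password check.
# The vulnerable query becomes:  ... WHERE name = 'admin' -- ' AND pw_hash = '...'
PAYLOAD = "admin' -- "

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, payload:", login_vulnerable(db, PAYLOAD, "wrong"))   # ('admin', 'admin')
    print("safe, payload:      ", login_safe(db, PAYLOAD, "wrong"))         # None
    print("safe, real creds:   ", login_safe(db, "admin", "hunter2"))       # ('admin', 'admin')
```

Input validation is a second layer, not a substitute: the parameterised query is what keeps data and code apart regardless of which characters the input contains.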
Threat Actor Types and Attributes
- Script Kiddies: novice hackers using existing tools and scripts
- Hacktivists: using hacking to convey a social or political message
- Organized Crime: monetizing hacking efforts
- Nation States/APT (Advanced Persistent Threat): elite hackers conducting information warfare
- Insiders: employees or contractors with authorized access to an organization
- Competitors: using hacking to gain an advantage
- Attributes:
- Internal/External
- Level of sophistication
- Resources/Funding
- Intent/Motivation
  - Use of Open-Source Intelligence (OSINT)
Network Security Threats
- Improper input validation can lead to buffer overflows, NULL pointer dereferences, and other unexpected behavior.
- DLL injection can add malicious functionality to a system.
- System sprawl and undocumented assets can allow attackers to traverse the network more easily.
- New threats and zero-day attacks can exploit unknown vulnerabilities.
- Improper certificate and key management can lead to data insecurity.
Firewalls
- A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
- A dual-homed firewall is a firewall with two network interfaces.
- ACLs (Access Control Lists) identify what traffic is allowed and what is blocked based on networks, subnets, IP addresses, ports, and some protocols.
- Packet filtering firewalls are based on ACLs and examine only the packet header (addresses, ports, protocol).
- Application-based firewalls are installed on a host and can analyze traffic at the application layer.
- Stateful firewalls track connections and make decisions based on the context or state of the traffic, for example admitting only the replies to connections opened from inside.
- Stateless firewalls judge each packet on its own against the ACLs, with no memory of earlier packets.
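The stateless-versus-stateful distinction above, as an added example that is not from the original notes: a packet filter driven by an ACL and a connection-tracking filter are run over the same constructed packet sequence. To admit replies to outbound connections, the stateless ACL has to permit any inbound packet with the ACK bit set, which an outside host can set at will; the stateful filter only admits packets that match a connection it saw opened. The `Packet` class, the ACL rule tuples and the addresses are this example's own.

```python
"""Stateless ACL filtering versus stateful inspection, on constructed packets."""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."   # constructed internal prefix


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""       # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


def inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


# Constructed ACL: (direction, dst port or None, required flag or None, action); first match wins.
STATELESS_ACL = [
    ("out", None, None, "permit"),   # anything outbound
    ("in", 443, "S", "permit"),      # new connections to the public web server
    ("in", None, "A", "permit"),     # "established" replies: only the ACK bit vouches for them
    ("in", None, None, "deny"),
]


def stateless_filter(pkt: Packet) -> str:
    """Each packet is judged alone against the ACL."""
    direction = "out" if inside(pkt.src) else "in"
    for d, port, flag, action in STATELESS_ACL:
        if d != direction:
            continue
        if port is not None and pkt.dport != port:
            continue
        if flag is not None and flag not in pkt.flags:
            continue
        return action
    return "deny"


class StatefulFirewall:
    """Remembers connections opened from inside (or to an allowed inbound service)
    and admits only traffic that belongs to one of them."""

    def __init__(self, inbound_services=(443,)):
        self.inbound_services = set(inbound_services)
        self.table = set()   # (client_ip, client_port, server_ip, server_port)

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "permit"                                  # part of a known connection
        if "S" in pkt.flags and "A" not in pkt.flags:        # a genuine new connection attempt
            if inside(pkt.src) or pkt.dport in self.inbound_services:
                self.table.add(fwd)
                return "permit"
        return "deny"


def compare(packets):
    """Return (stateless verdicts, stateful verdicts) for a packet sequence."""
    fw = StatefulFirewall()
    return [stateless_filter(p) for p in packets], [fw.filter(p) for p in packets]


# Constructed traffic: a legitimate outbound HTTPS connection and its reply,
# then an outside host probing an internal RDP port with the ACK bit set.
TRAFFIC = [
    Packet("10.0.0.5", 50001, "203.0.113.9", 443, "S"),
    Packet("203.0.113.9", 443, "10.0.0.5", 50001, "SA"),
    Packet("198.51.100.77", 40000, "10.0.0.8", 3389, "A"),   # ACK-scan style probe
    Packet("198.51.100.77", 40000, "10.0.0.8", 3389, "S"),
]

if __name__ == "__main__":
    for p, a, b in zip(TRAFFIC, *compare(TRAFFIC)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags:>2}]  stateless={a:6}  stateful={b}")
```

The third packet is the point of the exercise: the stateless filter permits it because its "established" rule can only look at the ACK bit, while the stateful filter denies it because no inside host ever opened a connection to 198.51.100.77.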
VPNs
- A VPN (Virtual Private Network) provides a means of cryptographically securing a communication channel.
- A VPN concentrator terminates many VPN tunnels at once and handles the authentication, key negotiation and encryption for them.
- Remote access VPNs allow a remote host to connect to a network.
- Site-to-site VPNs connect two networks from remote sites.
- TLS (Transport Layer Security) provides Layer 6 encryption services for Layer 7 applications.
- SSL Portal VPNs are used to securely access the web from a browser.
- SSL Tunnel VPNs allow secure access to applications and other network services.
IPSec
- IPSec (Internet Protocol Security) is a suite of protocols that defines the rules for encryption, authentication, and key management for IP traffic.
- IKE (Internet Key Exchange) is a hybrid protocol that negotiates, establishes, modifies, and deletes security associations.
- IKE phase 1 establishes a secure, authenticated channel between the peers; IKE phase 2 uses that channel to negotiate the IPsec security associations. Phase 1 runs in Main mode (six messages, identities protected) or Aggressive mode (three messages, faster, identities sent before the channel is protected).
- IPSec protocols include AH (Authentication Header), which authenticates the header and payload with a keyed hash but does not encrypt, and ESP (Encapsulating Security Payload), which encrypts the payload and can authenticate it as well.
VPN Modes
- Split tunneling routes only some traffic through the VPN.
- Full tunneling encrypts all traffic, including internet traffic.
- Always-on VPNs self-configure and connect once an internet connection is sensed.
NIPS/NIDS
- NIPS (Network-based Intrusion Prevention System) and NIDS (Network-based Intrusion Detection System) analyze traffic in the network.
- NIPS can stop traffic if it detects a signature match or anomaly.
- NIDS can alert the admin of suspicious connections or potential threats.
- Anomaly-based detection flags deviations from a learned baseline rather than matching known signatures, so it can catch previously unseen (zero-day) attacks, at the cost of more false positives.
Router Security
- ACLs can be used to identify what traffic is allowed and what is blocked.
- Anti-spoofing filters drop packets whose source address could not legitimately arrive on that interface (e.g., internal addresses coming from the Internet).
- NAT (Network Address Translation) can be used to hide internal IP addresses.
Switch Security
- Port security can be used to disable unused ports and limit the number of MAC addresses per port.
- Loop prevention (e.g., spanning tree) prevents switching loops.
- Flood guard detects and blocks excessive traffic to prevent flooding attacks such as MAC flooding.
Proxy Servers
- A proxy server acts as an Internet gateway, content filter, and caching server for a private network.
- A forward proxy sits in front of clients and forwards their outbound requests to the Internet.
- A reverse proxy sits in front of servers and receives inbound requests on their behalf.
- A transparent proxy intercepts and forwards traffic without any client configuration; clients are unaware of it.
- Load balancers distribute traffic across multiple servers.
Access Points
- SSID (Service Set Identifier) identifies the name of a wireless network.
- MAC filtering can be used to block unauthorized devices, but MAC addresses are easily spoofed, so it is a weak control on its own.
- Signal strength can be used to determine the distance and quality of a wireless connection.
- Antenna types and placement can affect the quality of a wireless connection.
SIEM
- SIEM (Security Information and Event Management) classifies and analyzes security data from numerous sources.
- Time synchronization (e.g., NTP on every source) is needed so that events from different devices can be correlated across the entire enterprise.
- Aggregation can be used to collect information in a central place.
- Correlation can be used to connect events based on time, common events, and behavior.
- Automated alerting and triggers can be used to issue alerts or react to events.
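The SIEM pipeline above (aggregation, time synchronization, correlation, automated alerting), as an added example that is not from the original notes. It parses two constructed log sources, a VPN appliance reporting in UTC and a Windows domain controller reporting in local time, normalises both to one clock, correlates failed logins by source address within a sliding window and raises an alert when a threshold is reached, escalating if a successful login from the same address follows. The log lines, hostnames, addresses and the UTC-5 offset are constructed for the example.

```python
"""A miniature SIEM over constructed log lines: aggregate, normalise time,
correlate by source address within a window, alert on a threshold."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed sample logs. The VPN appliance logs in UTC; the Windows host logs
# local time (UTC-5). Without normalising, the two halves of one password-spray
# appear five hours apart and never correlate.
VPN_LOG = """\
2024-03-01T13:00:05Z vpn1 auth-fail user=alice src=198.51.100.23
2024-03-01T13:00:09Z vpn1 auth-fail user=bob src=198.51.100.23
2024-03-01T13:00:14Z vpn1 auth-fail user=carol src=198.51.100.23
2024-03-01T13:05:00Z vpn1 auth-ok user=dave src=203.0.113.7
"""
WIN_LOG = """\
2024-03-01 08:00:20 dc01 EventID=4625 TargetUser=admin Source=198.51.100.23
2024-03-01 08:00:31 dc01 EventID=4624 TargetUser=admin Source=198.51.100.23
"""
WIN_TZ = timezone(timedelta(hours=-5))

VPN_RE = re.compile(r"^(\S+) (\S+) (auth-\w+) user=(\S+) src=(\S+)$")
WIN_RE = re.compile(r"^(\S+ \S+) (\S+) EventID=(\d+) TargetUser=(\S+) Source=(\S+)$")


def parse_vpn(line):
    """Normalise a VPN line to the common event schema (timestamps in UTC)."""
    m = VPN_RE.match(line)
    if not m:
        return None
    ts, host, outcome, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "host": host,
            "src": src, "user": user, "event": "login_fail" if outcome == "auth-fail" else "login_ok"}


def parse_win(line):
    """Windows 4625 = failed logon, 4624 = successful logon; local time converted to UTC."""
    m = WIN_RE.match(line)
    if not m:
        return None
    ts, host, eid, user, src = m.groups()
    local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=WIN_TZ)
    return {"ts": local.astimezone(timezone.utc), "host": host, "src": src, "user": user,
            "event": {"4625": "login_fail", "4624": "login_ok"}.get(eid, "other")}


def aggregate(*sources):
    """Collect parsed events from every (parser, text) pair into one time-ordered list."""
    events = []
    for parser, text in sources:
        events.extend(e for e in map(parser, text.splitlines()) if e)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window_seconds: int = 120, threshold: int = 3):
    """Alert when one source IP fails >= threshold times, across any hosts, inside
    the window; escalate to critical if a success from that IP follows the burst."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["event"] == "login_fail"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                later_ok = any(e["event"] == "login_ok" and e["ts"] > burst[-1]["ts"] for e in evs)
                alerts.append({"src": src, "count": len(burst),
                               "hosts": sorted({f["host"] for f in burst}),
                               "severity": "critical" if later_ok else "high"})
                break   # one alert per source; a real SIEM would suppress duplicates
    return alerts


if __name__ == "__main__":
    for alert in correlate(aggregate((parse_vpn, VPN_LOG), (parse_win, WIN_LOG))):
        print(alert)
```

Shrinking the window to a few seconds makes the same events fall below the threshold, which is the tuning trade-off behind every correlation rule: too tight and slow sprays go unnoticed, too loose and unrelated failures are lumped together.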
DLP
- DLP (Data Loss Prevention) detects and blocks data loss.
- USB blocking can be used to prevent data loss.
- Cloud-based DLP detects and blocks data moved to the cloud.
- Email DLP detects and blocks data loss via email.
NAC
- NAC (Network Access Control) uses agents to inspect clients for health.
- Agent code can be stored in the host machine or deployed to memory.
- Permanent agents are pre-deployed to the endpoints.
- Dissolvable agents are deployed when needed and removed after use.
- Host health checks can be used to restrict access to unhealthy clients.
Other Security Tools
- Protocol analyzers capture, display, and analyze packets sent over a network.
- Network scanners search for live hosts, open ports, and TCP/UDP services.
- Rogue system detection helps detect unknown devices on a network.
- Vulnerability scanners recognize weaknesses like open ports, weak passwords, and default accounts and passwords.
- Configuration compliance scanners compare a system against its baseline configuration and report the deviations.
- Exploitation frameworks assist with the tasks associated with exploiting vulnerabilities.
- Data sanitization tools destroy or purge a system before retiring and disposing of it.
- Steganography tools hide messages in images, videos, or audio files.
- Honeypots divert attackers from live systems and let defenders observe their tools and techniques.
- Backup utilities back up critical data.
Network Security Fundamentals
- ARP (Address Resolution Protocol) resolves IP addresses to MAC addresses on the local network.
- ipconfig (Windows), ip and ifconfig (Linux): show the TCP/IP configuration, including IP address, subnet mask, default gateway, MAC address, and DNS server.
- tcpdump: a command-line packet analyzer for Linux, similar to Wireshark.
- nmap: a network scanner that identifies active hosts, addresses, protocols, and services running on each host, as well as the OS of the host.
Troubleshooting Common Security Issues
- Unencrypted credentials/clear text: avoid using obsolete protocols that transfer passwords in clear text.
- Log and event anomalies: review logs for unusual entries, and decide deliberately what to log so that useful events are not drowned out by noise.
- Permission issues: outdated user rights (users keeping permissions from previous roles) create permission issues; review rights regularly.
- Access violations: should be logged and alerted.
- Certificate issues: occur when a user attempts to use a certificate that lacks a complete chain of trust back to a trusted root.
- Data exfiltration: attacker attempts to steal data.
Analyze and Interpret Output from Security Technologies
- HIDS/HIPS: alert on (and, for HIPS, block) behaviors that match signatures or deviate from the host's baseline.
- Antivirus: alerts, prevents, and logs malicious attack attempts.
- File Integrity check: compares the hash recorded at baseline with a freshly calculated hash; any difference means the file changed.
- Host-based firewall: firewall in the host machine.
- Application whitelisting: allows only approved applications to run; everything else is blocked.
- Removable media control: blocks or restricts USB and other removable media, or forces encryption of anything written to them, to prevent data exfiltration.
- Advanced malware tools: specialized malware removal and recovery tools.
- Patch management tools: help patch OS and applications.
- UTM: all-in-one security, acting as a firewall, IDS/IPS, anti-malware, anti-spam, and content filtering.
- DLP: detects and prevents data transfer.
- Data execution prevention: OS works with the CPU to prevent programs from executing in certain parts of memory.
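The file integrity check from the list above, and the forensic use of hashes from the questions earlier, worked as an added example that is not from the original notes. A baseline of SHA-256 hashes is taken over a constructed directory tree, the tree is then tampered with in three ways (a modified binary, an edited file, a dropped file), and a re-scan reports each change; the manifest's own hash is kept so that tampering with the baseline itself is also detected. The directory contents and the function names are this example's own.

```python
"""File-integrity checking as a HIDS or forensic tool does it: record a
baseline of cryptographic hashes, then re-hash and report every difference."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256", chunk: int = 1 << 16) -> str:
    """Stream the file through the hash so large files do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file (path relative to root) to its hash and size."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = {"sha256": hash_file(p), "size": p.stat().st_size}
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree with the baseline and list modified, missing and added files."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f]["sha256"] != baseline[f]["sha256"]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def save_baseline(baseline: dict, dest: Path) -> str:
    """Write the manifest and return its hash. Keep that hash (or the manifest)
    somewhere the monitored host cannot write, or an intruder simply rewrites it."""
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))
    return hash_file(dest)


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fs"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original sshd binary")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        baseline = build_baseline(root)
        manifest = Path(tmp) / "baseline.json"          # stored outside the monitored tree
        manifest_hash = save_baseline(baseline, manifest)
        # Attacker activity: trojanised binary, extra uid-0 account, dropped persistence.
        (root / "bin" / "sshd").write_bytes(b"original sshd binary" + b"\x90" * 8)
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
        (root / "etc" / "rc.local").write_text("nc -lp 4444 -e /bin/sh &\n")
        report = verify(root, baseline)
        report["manifest_intact"] = hash_file(manifest) == manifest_hash
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The same `hash_file` routine is what a forensic examiner runs on the original evidence and on the working copy: matching digests are the evidence that the copy is bit-for-bit identical.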
Deploy Mobile Devices Securely
- Connection methods: cellular, Wi-Fi, SATCOM, Bluetooth, NFC, Infrared, and USB.
- Mobile device management concepts: application management, content management, remote wipe, geofencing, geolocation, screen locks, push notification services, passwords and pins, biometrics, context-aware authentication, containerization, storage segmentation, and full device encryption.
Implement Secure Protocols
- Protocols: DNSSEC, SSH, S/MIME, SRTP, LDAPS, SFTP, FTPS, SNMPv3, SSL, TLS, and HTTPS.
- DNSSEC: signs DNS records so that resolvers can validate responses, which defeats cache poisoning with forged answers (it does not encrypt queries).
- SSH: encrypts traffic in transit and can be used to encrypt other protocols.
- S/MIME: provides encryption and authentication for email.
Architecture and Design
- Frameworks: industry-standard frameworks, regulatory frameworks, national frameworks, and industry-specific frameworks.
- Secure configuration guides: CIS, OWASP, and vendor-specific guides.
- Defense-in-depth/Layered security: implementing multiple layers of protection.
- Vendor diversity: implementing security controls from different vendors.
- Control diversity: using different security control types.
Implement Secure Network Architecture Concepts
- Zones/topologies: DMZ, extranet, intranet, wireless, guest, and honeynets.
- Segregation/segmentation/isolation: physical, logical (VLAN), virtualization, and air gaps.
- Tunneling/VPN: site-to-site, remote access, and IPSec.
- Security device/technology placement: sensors, collectors, correlation engines, filters, proxies, firewalls, VPN concentrators, SSL accelerators, load balancers, and DDoS mitigators.
- SDN (Software-Defined Networking): separates the control plane from the data plane, so that forwarding decisions are made centrally in software rather than configured on each hardware router and switch.
Threats, Attacks, and Vulnerabilities
Malware
- Viruses: attach themselves to a host application
- Types:
- Sparse infector virus: behaves sporadically and unpredictably
- Multipartite virus: can infect both program files and the boot sector
- Stealth virus: uses multiple techniques to evade detection
- Types:
- Worms: self-replicating malware that travels through a network without host application or user interaction
- Armored virus: makes it difficult to reverse-engineer
- Crypto-malware: encrypts valuable user files (e.g., ransomware)
- Trojans: appear to be useful but contain a malicious component
- Rootkits: have root-level or kernel-level access, can modify system files and system access
- Keyloggers: keep track of every keystroke
- Adware: learns user habits for targeted advertising (e.g., pop-ups)
- Spyware: monitors user computer activity and sends information to a third party
- Bots: multiple computers acting as software robots, functioning together in a network for malicious purposes (e.g., sending spam, launching DDoS)
- Logic bombs: strings of code embedded into an application or script, execute in response to an event or specific time
- Backdoors: provide another way of accessing a system, often created by malware
Social Engineering
- Pharming: misdirecting users to fraudulent websites without their knowledge or consent
- Phishing: emailing users to trick them into revealing personal information or clicking a malicious link
- Spimming: phishing using instant messages (e.g., Facebook Messenger)
- Spear phishing: targeted form of phishing, sending emails to specific users or groups
- Whaling: targeting high-level executives with phishing attacks
- Vishing: phishing using phone calls
- Tailgating: following an employee through a door without showing credentials
- Impersonation: identity theft
- Dumpster diving: searching through trash to gain information from discarded documents
- Shoulder surfing: looking over someone's shoulder to obtain sensitive information
- Hoax: false message, often an email claiming a virus exists and encouraging deletion of files or changing system configuration
- Watering hole attack: infecting a website frequently visited by the target group with malware
Types of Attacks
- DoS (Denial of Service): disrupting services provided by another system
- DDoS (Distributed Denial of Service): attack from multiple computers to a single target
- Man-in-the-Middle (MitM): intercepting and modifying communications between two parties
- Buffer overflow: exploiting an application that receives more data than it can handle
- Injection: inserting malicious code or input to alter system behavior
- Cross-site Scripting (XSS): injecting malicious scripts into a website
- Cross-Site Request Forgery (CSRF): tricking users into performing unintended actions on a web application
- Privilege Escalation: exploiting a programming flaw or buffer overflow to gain admin-level or root-level access
- ARP Poisoning: modifying the ARP cache to redirect traffic
- DNS Poisoning: modifying DNS records to redirect users to malicious websites
- Domain Hijacking: taking control of a domain name without authorization
- Man-in-the-Browser: intercepting and modifying communications between a browser and a website
- Zero-day Exploit: exploiting an undocumented or unknown vulnerability
- Replay Attack: capturing and re-transmitting data to impersonate one party in a session
- Pass-the-Hash: capturing password hashes and using them to authenticate
Threat Actor Types and Attributes
- Script Kiddies: novice hackers using existing tools and scripts
- Hacktivists: using hacking to convey a social or political message
- Organized Crime: monetizing hacking efforts
- Nation States/APT (Advanced Persistent Threat): elite hackers conducting information warfare
- Insiders: employees or contractors with authorized access to an organization
- Competitors: using hacking to gain an advantage
- Attributes:
  - Internal/External
  - Level of sophistication
  - Resources/Funding
  - Intent/Motivation
  - Use of Open-Source Intelligence (OSINT)
Network Security Threats
- Improper input validation can lead to memory overflow, pointer dereference, and unexpected results.
- DLL injection can add malicious functionality to a system.
- System sprawl and undocumented assets can allow attackers to traverse the network more easily.
- New threats and zero-day attacks can exploit unknown vulnerabilities.
- Improper certificate and key management can lead to data insecurity.
Firewalls
- A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
- A dual-homed firewall is a firewall with two network interfaces.
- ACLs (Access Control Lists) identify what traffic is allowed and what is blocked based on networks, subnets, IP addresses, ports, and some protocols.
- Packet filtering firewalls are based on ACLs and only examine the packet header.
- Application-based firewalls are installed on a host and can analyze traffic on a deeper level.
- Stateful firewalls inspect traffic and make decisions based on the context or state of the traffic.
- Stateless firewalls use ACLs to make decisions.
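The difference between the stateless and stateful bullets above is easiest to see in code. The following is an added example, not code from the original notes: a toy packet filter in Python with constructed packets and CIDR rules (the `Packet`, `Rule`, `stateless_filter` and `StatefulFilter` names are assumptions). The stateless ACL has to carry a permanent "allow inbound from source port 443" rule so that HTTPS replies reach internal hosts, and that same rule also admits an unsolicited packet that merely claims source port 443; the stateful filter allows the reply because it belongs to a tracked connection and drops the unsolicited packet because no connection state exists for it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed TCP packet: 4-tuple plus the SYN/ACK flags the stateful filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """One ACL entry. None for a port means 'any port'."""
    action: str                  # "allow" or "deny"
    src: str                     # CIDR
    dst: str                     # CIDR
    sport: Optional[int] = None
    dport: Optional[int] = None


def rule_matches(rule, pkt):
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport))


def stateless_filter(acl, pkt):
    """Packet-filtering behaviour: first matching rule wins, header only, implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Keeps a connection table; replies to tracked connections pass without an ACL hole."""

    def __init__(self, acl):
        self.acl = acl
        self.conns = set()

    def process(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            return "allow"                      # part of an established connection
        if not (pkt.syn and not pkt.ack):
            return "deny"                       # only a fresh SYN may open new state
        decision = stateless_filter(self.acl, pkt)
        if decision == "allow":
            self.conns.add(fwd)                 # remember the connection for its replies
        return decision


INSIDE = "10.0.0.0/8"
# Stateless ACL: the second rule is the hole needed to let HTTPS replies back in.
STATELESS_ACL = [
    Rule("allow", INSIDE, "0.0.0.0/0"),
    Rule("allow", "0.0.0.0/0", INSIDE, sport=443),
]
# Stateful ACL: only outbound initiation is listed; replies are admitted by state.
STATEFUL_ACL = [Rule("allow", INSIDE, "0.0.0.0/0")]


def demo():
    """Constructed traffic: a client SYN, the server's SYN-ACK, and an unsolicited
    packet from an outside host that spoofs source port 443 towards the client's SSH port."""
    outbound = Packet("10.0.0.5", 51234, "203.0.113.10", 443, syn=True)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51234, syn=True, ack=True)
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.5", 22, ack=True)
    stateful = StatefulFilter(STATEFUL_ACL)
    return {
        "stateless": [stateless_filter(STATELESS_ACL, p) for p in (outbound, reply, unsolicited)],
        "stateful": [stateful.process(p) for p in (outbound, reply, unsolicited)],
    }


if __name__ == "__main__":
    print(demo())
```

The stateless result is allow/allow/allow; the stateful result is allow/allow/deny. Real connection tracking also ages entries out and follows the TCP state machine, which this toy omits.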
VPNs
- A VPN (Virtual Private Network) provides a means of cryptographically securing a communication channel.
- A VPN concentrator is the endpoint for VPN activity.
- Remote access VPNs allow a remote host to connect to a network.
- Site-to-site VPNs connect two networks from remote sites.
- TLS (Transport Layer Security) provides Layer 6 encryption services for Layer 7 applications.
- SSL Portal VPNs are used to securely access the web from a browser.
- SSL Tunnel VPNs allow secure access to applications and other network services.
IPSec
- IPSec (Internet Protocol Security) is an encryption protocol that defines the rules for encryption, authentication, and key management for TCP/IP transmissions.
- IKE (Internet Key Exchange) is a hybrid protocol that negotiates, establishes, modifies, and deletes security associations.
- IKE uses IKE phase 1 to establish a secure authenticated communication channel and IKE phase 2 to negotiate IPsec security associations.
- IPSec protocols include AH (Authentication Header) and ESP (Encapsulating Security Payload).
VPN Modes
- Split tunneling routes only some traffic through the VPN.
- Full tunneling encrypts all traffic, including internet traffic.
- Always-on VPNs self-configure and connect once an internet connection is sensed.
NIPS/NIDS
- NIPS (Network-based Intrusion Prevention System) and NIDS (Network-based Intrusion Detection System) analyze traffic in the network.
- NIPS can stop traffic if it detects a signature match or anomaly.
- NIDS can alert the admin of suspicious connections or potential threats.
- Anomaly-based detection can detect a wide range of zero-day attacks.
Router Security
- ACLs can be used to identify what traffic is allowed and what is blocked.
- Anti-spoofing can be used to prevent spoofing attacks.
- NAT (Network Address Translation) can be used to hide internal IP addresses.
- Port security can be used to disable unused ports and limit the number of MAC addresses per port.
Switch Security
- Port security can be used to disable unused ports and limit the number of MAC addresses per port.
- Loop prevention can be used to prevent switching loops.
- Flood guard can be used to detect and block traffic to prevent flooding attacks.
Proxy Servers
- A proxy server acts as an Internet gateway, firewall, and Internet caching server for a private network.
- Forward proxy forwards requests for services from clients.
- Reverse proxy receives requests on behalf of clients.
- Transparent proxy accepts and forwards requests without modifying them.
- Load balancers can be used to distribute traffic across multiple servers.
Access Points
- SSID (Service Set Identifier) identifies the name of a wireless network.
- MAC filtering can be used to block unauthorized devices.
- Signal strength can be used to determine the distance and quality of a wireless connection.
- Antenna types and placement can affect the quality of a wireless connection.
SIEM
- SIEM (Security Information and Event Management) classifies and analyzes security data from numerous sources.
- Time synchronization can be used to correlate events across the entire enterprise.
- Aggregation can be used to collect information in a central place.
- Correlation can be used to connect events based on time, common events, and behavior.
- Automated alerting and triggers can be used to issue alerts or react to events.
DLP
- DLP (Data Loss Prevention) detects and blocks data loss.
- USB blocking can be used to prevent data loss.
- Cloud-based DLP detects and blocks data moved to the cloud.
- Email DLP detects and blocks data loss via email.
NAC
- NAC (Network Access Control) uses agents to inspect clients for health.
- Agent code can be stored in the host machine or deployed to memory.
- Permanent agents are pre-deployed to the endpoints.
- Dissolvable agents are deployed when needed and removed after use.
- Host health checks can be used to restrict access to unhealthy clients.
Other Security Tools
- Protocol analyzers capture, display, and analyze packets sent over a network.
- Network scanners search for live hosts, open ports, and TCP/UDP services.
- Rogue system detection helps detect unknown devices on a network.
- Vulnerability scanners recognize weaknesses like open ports, weak passwords, and default accounts and passwords.
- Configuration compliance scanners establish a baseline configuration and measure deviations from it.
- Exploitation frameworks assist with the tasks associated with exploiting vulnerabilities.
- Data sanitization tools destroy or purge a system before retiring and disposing of it.
- Steganography tools hide messages in images, videos, or audio files.
- Honeypots divert attackers from live networks.
- Backup utilities back up critical data.
Network Security Fundamentals
- ARP (Address Resolution Protocol) is used to identify MAC addresses from IP addresses.
- ipconfig / ip / ifconfig: show the TCP/IP configuration, including IP address, subnet mask, default gateway, MAC address, and DNS server.
- tcpdump: a command-line packet analyzer for Linux, similar to Wireshark.
- nmap: a network scanner that identifies active hosts, addresses, protocols, and services running on each host, as well as the OS of the host.
Troubleshooting Common Security Issues
- Unencrypted credentials/clear text: avoid using obsolete protocols that transfer passwords in clear text.
- Log and event anomalies: record event anomalies and decide what to log and what not to log.
- Permission issues: outdated user rights lists can create permission issues.
- Access violations: should be logged and alerted.
- Certificate issues: occur when a user attempts to use a certificate that lacks a complete chain of trust back to a trusted root.
- Data exfiltration: attacker attempts to steal data.
Analyze and Interpret Output from Security Technologies
- HIDS/HIPS: alert on behaviors based on signatures.
- Antivirus: alerts, prevents, and logs malicious attack attempts.
- File Integrity check: compares the original hash and calculated hash.
- Host-based firewall: firewall in the host machine.
- Application whitelisting: only allows special applications to be installed.
- Removable media control: prevents data exfiltration using encryption technology.
- Advanced malware tools: specialized malware removal and recovery tools.
- Patch management tools: help patch OS and applications.
- UTM: all-in-one security, acting as a firewall, IDS/IPS, anti-malware, anti-spam, and content filtering.
- DLP: detects and prevents data transfer.
- Data execution prevention: OS works with the CPU to prevent programs from executing in certain parts of memory.
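The file integrity check bullet above describes comparing a stored "original hash" with a freshly calculated one. The following is an added example in Python, not code from the original notes: it builds a baseline of SHA-256 hashes for a set of files, saves it as JSON, and later recomputes each hash to report unchanged, modified and missing files. The function names and the three constructed sample files in a temporary directory are assumptions for the demo.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the original hash of every monitored file."""
    return {path: sha256_file(path) for path in paths}


def save_baseline(baseline, out_path):
    # In practice the baseline lives somewhere the monitored host cannot rewrite it.
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(in_path):
    with open(in_path) as f:
        return json.load(f)


def check_integrity(baseline):
    """Recalculate each hash and compare it with the stored original."""
    report = {"unchanged": [], "modified": [], "missing": []}
    for path, original in sorted(baseline.items()):
        if not os.path.isfile(path):
            report["missing"].append(path)
            continue
        current = sha256_file(path)
        report["modified" if current != original else "unchanged"].append(path)
    return report


def demo():
    """Constructed scenario: baseline three files, then alter one and delete another."""
    with tempfile.TemporaryDirectory() as d:
        contents = {
            "sshd_config": b"PermitRootLogin no\n",
            "hosts": b"127.0.0.1 localhost\n",
            "motd": b"Welcome\n",
        }
        paths = {}
        for name, data in contents.items():
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(data)

        baseline_path = os.path.join(d, "baseline.json")
        save_baseline(build_baseline(paths.values()), baseline_path)

        # Simulated tampering after the baseline was taken.
        with open(paths["sshd_config"], "ab") as f:
            f.write(b"PermitRootLogin yes\n")
        os.remove(paths["hosts"])

        report = check_integrity(load_baseline(baseline_path))
        # Return basenames so the result does not depend on the temp directory name.
        return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

The demo reports `motd` unchanged, `sshd_config` modified and `hosts` missing. A real host-based tool (AIDE or Tripwire, for example) also records ownership, permissions and timestamps, and protects the baseline itself from modification.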
Deploy Mobile Devices Securely
- Connection methods: cellular, Wi-Fi, SATCOM, Bluetooth, NFC, Infrared, and USB.
- Mobile device management concepts: application management, content management, remote wipe, geofencing, geolocation, screen locks, push notification services, passwords and pins, biometrics, context-aware authentication, containerization, storage segmentation, and full device encryption.
Implement Secure Protocols
- Protocols: DNSSEC, SSH, S/MIME, SRTP, LDAPS, SFTP, FTPS, SNMPv3, SSL, TLS, and HTTPS.
- DNSSEC: prevents DNS cache poisoning by providing validation for DNS responses.
- SSH: encrypts traffic in transit and can be used to encrypt other protocols.
- S/MIME: provides encryption and authentication for email.
Architecture and Design
- Frameworks: industry-standard frameworks, regulatory frameworks, national frameworks, and industry-specific frameworks.
- Secure configuration guides: CIS, OWASP, and vendor-specific guides.
- Defense-in-depth/Layered security: implementing multiple layers of protection.
- Vendor diversity: implementing security controls from different vendors.
- Control diversity: using different security control types.
Implement Secure Network Architecture Concepts
- Zones/topologies: DMZ, extranet, intranet, wireless, guest, and honeynets.
- Segregation/segmentation/isolation: physical, logical (VLAN), virtualization, and air gaps.
- Tunneling/VPN: site-to-site, remote access, and IPSec.
- Security device/technology placement: sensors, collectors, correlation engines, filters, proxies, firewalls, VPN concentrators, SSL accelerators, load balancers, and DDoS mitigators.
- SDN: uses virtualization technologies to route traffic instead of using hardware routers and switches.
Social Engineering Principles
- Authority: Respect for authority figures is used to manipulate individuals
- Intimidation: Bullying tactics are used to create fear and compliance
- Scarcity: Limited-time offers or exclusive deals create a sense of urgency
- Consensus: Fake reviews or testimonials are used to build trust
- Familiarity: People are more likely to trust someone they like or have a connection with
- Shoulder surfing and tailgating: Using social engineering to gain physical access to restricted areas
- Trust: Building trust to gain access or manipulate individuals
- Urgency: Creating a sense of urgency to prompt action
Application/Service Attacks
- DoS: Attack from a single source to disrupt services
- DDoS: Attack from multiple computers to a single target
- Man-in-the-Middle: Using a separate computer to intercept, read, and modify traffic
- Buffer overflow: Overflowing a buffer with malicious data to crash or compromise systems
- Use of patches and input validation to prevent buffer overflow attacks
Vulnerability Identification
- Identifying weaknesses: Open ports, weak passwords, default accounts, and security/configuration errors
- Identifying lack of security controls: Missing security controls, outdated patches, and lack of antivirus software
- Identifying common misconfigurations: Incorrectly configured ports, weak protocols, and incorrect configuration of networking devices
- Intrusive vs. non-intrusive testing: Scanning for vulnerabilities vs. simulating attacks to identify vulnerabilities
- Credentialed vs. non-credentialed testing: Scanning with admin privileges vs. gaining admin access using escalation techniques
Impact of Vulnerabilities
- Race conditions: When two or more applications attempt to access a resource at the same time
- Vulnerabilities due to End-of-life systems, embedded systems, and lack of vendor support
- Use of third-party source code escrow to gain access to source code when vendors go out of business
Network Access Control (NAC)
- Agent vs. agentless: Agent code stored on the host machine vs. code residing on the network
- Permanent vs. dissolvable agents: Pre-deployed agents vs. deployed when needed and removed after use
- Host health checks: Inspecting clients for health, including up-to-date antivirus software and restricting access to unhealthy clients
Mail Gateway Security
- Spam filter: Blocking spam using solutions like Appriver and Mimecast
- DLP: Implementing Data Loss Prevention policy to prevent data leaks
- Encryption: Encrypting mail traffic using solutions like PGP and S/MIME
Network Segregation and Encryption
- Bridge: Network segregating device operating in layer 2
- SSL/TLS accelerators: Transparent devices that take over the encryption work so that the larger web servers do not have to perform it
- SSL decryptors: Opening SSL/TLS traffic using man-in-the-middle technique and re-encrypting it
Hardware Security Modules
- Managing and storing encryption keys
Deploying Mobile Devices Securely
- Connection methods: Cellular, Wi-Fi, SATCOM, Bluetooth, NFC, ANT, and Infrared
- Mobile device management concepts: Application management, content management, remote wipe, and distributive allocation
- Redundancy and fault tolerance: Designing systems to remain operational with minimal downtime
Physical Security Controls
- Lighting: Allowing observation of people and activities
- Signs: Visual cues to keep people away from restricted areas
- Fencing/gate/cage: Building a perimeter to restrict access
- Security guards: Monitoring and controlling access to restricted areas
- Alarms: Providing accurate and useful alerts
- Safe and secure cabinets/enclosures: Physically securing equipment and data
- Protected distribution/protected cabling: Securing cables to prevent tapping and DoS
- Air gap: Isolating an entity to separate it from everything else
- Mantrap: Preventing tailgating and controlling access to data centers
- Faraday Cage: Preventing illicit monitoring of computer systems through Van Eck emissions
- Lock types: Using smart locks and cipher locks that can be programmable