1
Q
premises access
A
- fencing
- bollard posts (protect buildings from vehicles)
- lighting
- locked gates
- security guards
- guard dogs
- limited access to areas of a facility
- motion-sensing security systems
- security cameras
- key codes/card readers
2
Q
mantraps
A
- vestibule where 2nd inner door opens only after 1st outer door has closed
- only space for 1 person between doors
3
Q
internal security controls
A
- clean desk policy
- locking up sensitive documents
4
Q
card-based access
A
- RFID cards to control access
- less secure than smartcards (payment cards)
5
Q
human security element
A
- strict hiring/background check policies
- segregation of duties
- user awareness/training
6
Q
authentication
A
- prove identity of users/devices/services/applications
- username/password
- PKI
- successful authentication required be access granted
7
Q
identity federation
A
- provide single centralized identity store
- can be replicated to multiple servers
- trust tokens issued from trusted identity store
- tokens contain claims
- enables SSO
- Microsoft active directory federation services (ADFS)
- Shibboleth (open source)
8
Q
claims (security tokens)
A
- assertions about user/device
- different apps consume different claims
- provide different scopes of access depending on claim values
9
Q
configuring authentication between on-premise/cloud environments
A
- identity federation
- replicating on-premise directory services to cloud-based directory service
10
Q
something you know
A
- security measures stored in user’s head
- usernames/passwords
- security questions
- single-factor authentication
- password policies
11
Q
something you have
A
- physical possession of security device
- smartcard/hardware token/MFA application
- PKI security certificate
- multi-factor authentication
12
Q
OTP
A
- one-time password
- never the same
- used for single authentication session
13
Q
something you are
A
- biometric authentication
- can expand existing systems to accept biometric authentication (i.e. AD)
14
Q
logical access control
A
- mechanisms to secure authentication/authorization to use network resources
- smart cards
- adding users to web app roles to control app access
- managing individual users on large scale is difficult
- auditing individual users reduces information overload
15
Q
security groups
A
- create group following organization standards
- grant resource permissions to group
- add members to group
- Microsoft AD users need to log off/back in to pick up changes
- groups are managed statically
16
Q
distribution groups
A
- designed for use by email systems
- can’t be assigned permissions
17
Q
DAC
A
- Windows server dynamic access control
- built into OS
- examines user/device AD attributes to determine access level
- can be used with/without groups
- user/device attributes must be completed in AD
18
Q
RBAC
A
- role-based access control
- assign resource permissions to role
- assign role occupant(s)
- can target individual
19
Q
rights vs permissions
A
- rights are either allow/deny
- permissions allow degrees of access
- principle of least privilege
20
Q
Windows NTFS permissions
A
- local file/folder permissions
- file/folder encryption using encrypting file system (EFS)
- file system auditing
- file system journaling (quicker disk recovery/repair)
- data deduplication
- disk space quotas
- disable inheritance
- apply permissions to subordinates
- uses DACL
21
Q
levels of Windows NTFS permissions
A
- full control
- modify (enables file deletion)
- read and execute
- list folder contents (applies only to folders)
- read
- write (doesn’t enable file deletion)
- special permissions
22
Q
DACL
A
- discretionary access control list
- administrator sets file system permissions
23
Q
Windows shared folder permissions
A
- only folders can be shared over network (not individual files)
- share permissions
24
Q
Windows shared folder permission levels
A
- full control
- change
- read
25
applying NTFS with share permissions
most restrictive permissions apply
26
Linux file system permissions
- read (r), 4
- write (w), 2
- execute (x), 1
- delete/modify included in write permission
27
how Linux permissions are applied
- 3 sets of 3 permission levels applied to
- owner of file
- group associated with file/directory
- everyone else
28
chmod Linux command example
- chmod 760 /projects
- 7 applies to file/directory owner
- 4 + 2 + 1 = 7 so owner has full permissions
- 6 applies to associated group
- 4 + 2 = 6 so group has read/write permissions
- 0 applies to everybody else (no permissions)
- chmod -R switch recursively applies permissions to a directory
29
projectors
- doesn't store sensitive information
- physical security
- place on isolated/secure network
30
printers
- queued jobs could be retrieved by attackers
- change default passwords
- use HTTPS administrative access over HTTP
- print server provides centralized management/security control
31
USB
- easy to infect with malware
- ninja cables
- smartphones
- tablets
- storage media
- disable USB ports for storage media
- user awareness/education
32
NAC
- network access control
- port-based security
- edge devices should never perform authentication (forward authentication requests to RADIUS server)
33
RADIUS servers
- remote authentication dial-in user service
- edge devices (RADIUS clients) forward authentication requests from supplicants
- RADIUS server determines authentication/access
- install software/configure shared secret to turn server into RADIUS server
- use WPA enterprise/WPA2 enterprise for WiFi routers
- based on UDP
- primarily for centralized authentication
34
TACACS/TACACS+
- terminal access controller access-control system
- designed to handle frequent authorization requests within a session
- enhances security by encryption transmissions
- based on TCP
- normally used to administer network devices
35
VLANs
- creates new broadcast domain
- allows isolating networks/subdomains
- router/layer 3 switch required to communicate between VLANs
36
MAC flooding attacks
- VLAN attack
- fill MAC table limited memory on switches
- causes otherwise isolated traffic to be visible on other VLANs
- unicast traffic visible to all devices in that VLAN
37
VLAN hopping
- VLAN attack
- attacker spoofs identity of another switch
- creates trunking link
- all VLAN traffic can pass through link and become visible to attacker
38
mitigating VLAN attacks
- disable automatic trunk negotiation
- enable strong port security
- allow connections from specific/limited number of MAC addresses
- apply latest firmware updates
39
firewalls
- control inbound/outbound traffic
- block everything/create rules to allow necessary traffic
- hardware/software based
- hardware generally more stable/can handle more traffic
40
host-based firewall
- runs as software on a specific host
- Windows firewall
- Linux/UNIX iptables/uncomplicated firewall (ufw) command line tools
- layer 4 firewalls
- some Windows services i.e. AD require multiple ports (work with groups of firewall rules)
41
layer 4 firewalls examine
- source IP address
- destination IP address
- source port
- destination port
- protocol type
42
Windows firewall
configured via GUI/PowerShell
43
Linux firewall
configured via iptables command
44
network-based firewalls
- routers/specialized appliances
- at least 2 network interfaces
- configured with NACLs to control inbound/outbound traffic
- placed where traffic that must be examined will flow into/out of the network (perimeter firewalls)
45
reverse proxy servers
- type of network-based firewall
- listen for incoming traffic
- forwards to internal device i.e. web server
46
DPI
- deep packet inspection
- given with network-based firewalls
- tracks TCP sessions instead of treating each packet separately (stateful packet inspection)
- goes up to Layer 7 inspection
47
SECaaS
- security as a service
- firewalls in cloud offered by cloud providers
- Microsoft Azure uses network security groups (NSGs)
48
DDoS attacks
- distributed denial of service
- zombies/zombie nets
- overwhelm servers with communication requests
- packet flooding
- standard firewalls not designed to mitigate
49
black hole traffic
- mitigation of DDoS attacks
- discard traffic destined for victim machine
- still disrupts normal traffic
50
security zones
- isolation
- firewalls control traffic from internet into public-facing network
- second firewall further controls traffic into/out of internal secured network
- make sure internal data is not replicated to public-facing network
51
screened subnets
- DMZ
- external public-facing network
- VPN appliances
- SMTP mail servers
- web servers
- FTP servers
- normally use a reverse proxy
52
PKI
- public key infrastructure
- hierarchy of digital certificates issues to users/devices/services
- encrypt/digitally sign sensitive email messages
- encrypt files
- authenticate to VPN
- secure web site over HTTPS
53
CA
- certificate authority
- top of PKI hierarchy
- can have subordinate CAs (RAs)
- issue PKI certificates
- root (top-level) CA should be kept offline (compromise also compromises all certificates with hierarchy)
54
PKI certificates
- manually requested/issued
- automatically issued via group policy
- X.509 certificate
- can be a file/burned into magnetic strip/smartcard
55
PKI certificate contents
- serial number
- subject name (user email/FQDN of web site)
- unique mathematically related public/private key pair
- certificate use (email/file encryption/code signing)
- digital signature of CA/signature algorithm used
- date of issuance/expiration date
56
PKI certificate private key
- must be kept secret
- can be stored with certificate
- technically stored safely on device in a key store
57
SSL/TLS
- secure sockets layer
- transport layer security (newer/more secure)
- provide encryption/authentication over a network
- TLS version 1.3 = latest version
- don't use TLS/SSL 1.0/1.1
- require PKI certificate
58
configuring Windows/Linux TLS options
- modify registry in Windows to disable SSL 3.0/enable TLS
| - use OpenSSL in Linux to support TLS
59
IPSec
- internet protocol security
- built into IPv6
- works with IPv4
- VPNs
- doesn't require use of PKI certificates
- applies policy settings to computers
60
IPSec authentication keys
- Kerberos
- certificates
- preshared keys
61
best authentication method for AD domain
Kerberos
62
weakest authentication method for AD domain
preshared key (symmetric key)
63
IPSec tunnel mode
- normally used between 2 endpoint VPN devices
- encrypts the entire original IP packet (not just payload)
- adds a new IP header
- encapsulates packet
64
IPSec transport mode
- only encrypts packet payload
| - communication protected regardless of protocol being used
65
VPNs
- provides encrypted secured connection to private network over an unsecured network
- client-to-site
- site-to-site
- point-to-point tunneling protocol (PPTP)
- layer 2 tunneling protocol with IPSec (L2TP/IPSEC)
- SSL tunnel
66
client-to-site VPN
- require client VPN software configured to connect to a VPN appliance in screened subnet (or reachable by reverse proxy)
- user authenticates to VPN
- encrypted tunnel established
67
site-to-site VPN
- require VPN appliance at 2 different network sites
| - point-to-point encrypted tunnel is established
68
configuring VPN connections
- L2TP/IPSec appliance requires client software is configured correctly
- SSL VPNs use standard HTTPS ports
69
HIDS
- host intrusion detection system
- detects suspicious activity related to a specific host
- looks for abnormalities
- can read traffic encrypted over the network (host decrypts)
70
NIDS
- network intrusion detection system
- standalone appliance
- monitors network activity
- security information and event management (SIEM) software provides centralized repository for logs/audit events/security device alerts
- switches must be configured to copy all packets to port connected to NIDS
71
IPSs
- intrusion prevention systems
- extend functionality of IDSs
- take steps to prevent further damage when malicious activity is detected
- HIPS/NIPS
72
server/OS hardening
- reduces attack surface
- centralized in data centers
- OSs images can be hardened for creating new servers
- NIST SP 800-123
- HIDS/HIPS
- apply firmware updates to network appliances
- apply firmware updates to BIOS/UEFI RAID controllers
- set UEFI/BIOS boot password to prevent changing boot order
- enable CPU no-execute (NX bit) at BIOS level
- lock server chassis or rack case
- disable wake-on-LAN
- apply OS updates
- apply app software updates
- follow OS/app configuration best practices
- enable MFA
- keep AV solution updated
- configure host-based firewall (block unused ports)
- disable unused services/daemons
- disable unused accounts
- rename/disable default accounts
- enable auditing/logging related to IT workload
- follow principle of least privilege
- enable network encryption for as much traffic as possible
- encrypt data at rest
- plan for hardware failure
73
NX bit
- prevents certain memory pages from running executable code
| - stop buffer overflow attacks
74
logging considerations
- copies of log entries should be forwarded to a different host
- Windows Event Log Forwarding
- Linux syslog fowarding
75
auditing specifics
- audit user logins
- group membership changes
- user file system activity
76
switch hardening
- disable unused ports
- ports shouldn't allow numerous MAC addresses
- use SSH over Telnet
77
data in use
currently being processed
78
data in motion
transmitted over network
79
data at rest
stored on media
80
symmetric encryption
same key used to encrypt/decrypt
81
asymmetric encryption
- pair of keys used
- 1 encrypts
- 1 decrypts
- PKI uses related public/private key pairs
82
DLP
- data loss prevention
- tools available to prevent sensitive data/IP from leaving organization
- labeling data to be handled in accordance with DLP policies
83
mobile devices
- centralized management
- logical partitioning/containerization
- tools to prevent sensitive data from being stored on removable media
- geofencing (limit where devices can be used)
84
encrypting data at rest
- several laws require encrypting data at rest
- HIPAA
- Banking
- legal access/subpoena
85
Windows bitlocker
- Windows OS enterprise editions
- encrypts entire disk volumes/removable drives
- use group policy to require bitlocker on certain drives
- trusted platform module (TPM) can store keys/detect unauthorized system startup modifications
86
Windows EFS
- encrypting file system
- ties encrypted files/folders to specific users
- GUI control
- cipher.exe command line tool
- PKI certificate is automatically generated the 1st time user encrypts a file
- uses bulk encryption key/file encryption key (FEK) to encrypt blocks of data (stored within file)
- public key from PKI certificate encrypts the FEK
- private key from PKI reveals FEK which then decrypts blocks of data
- user PKI certificate must be backed up to secure location
- EFS data recovery agents can be configured to grant administrators ability to decrypt EFS encrypted files
- domain admin in AD environment can decrypt any files on any station joined to the domain
87
OpenSSL
- included in some Linux distros
| - used for file encryption
88
tape encryption
- tapes still commonly used for backups
| - should be encrypted
89
SAN-based tape backup security considerations
- which user account performs backups (root or admin)
- scripts are normally used before/after backup (are malicious scripts present)
- when encryption occurs (during/after backup)
- human element (reliable admins)
- reliability (offsite tape storage trustworthy)
90
disk scrubbing
- making it as difficult as possible to retrieve data previously stored on a disk
- writing useless random data to disk in multiple passes
- zeroing out a disk writes a 0 byte to all storage locations on the disk
91
physical destruction
- sort so that sensitive data disks are destroyed
- drill holes into platters of HDDs
- degaussing HDDs with high-intensity magnetic field
- shredding with industrial shredder
92
remote wipe
- mobile device management (MDM) enable centralized management
- remotely wipe lost/stolen devices
- wipe can reset device to factory settings (full wipe)
- wipe only corporate apps/data (selective wipe)
93
VPN authentication tool that uses a changing numeric code synchronized with VPN appliance
- key fobs
| - hardware/software tokens
94
IEEE standard that defines port level security
802.1X
95
RADIUS clients are referred to as
supplicants
96
firewall can filter based on UDP/TCP port numbers
layer 4
97
firewall can filter based on contents of packet payload
layer 7
