  1. Replay Attack
    3rd party attempts to impersonate a client after intercepting captured data from a session
  2. KDC
    • Key distribution center
    • Used with Kerberos
  3. Kerberos
    • Network authentication protocol within active directory/UNIX realm
    • Uses a database of objects (i.e. active directory)
    • Uses a KDC/TGT server to issue timestamped tickets that expire after a certain amount of time
  4. TGT
    • Ticket-granting ticket
    • Used in Kerberos
  5. Symmetric Key Cryptography
    Uses a single key for both encryption and decryption
  6. Asymmetric Key Cryptography
    • Uses separate keys to encrypt and decrypt data
    • Requires a PKI to issue tickets
  7. LDAP
    • Based on an earlier version of x.500
    • Active Directory/UNIX realms use LDAP to identify objects in query strings
  8. CN (LDAP)
    Common Name
  9. DC (LDAP)
    Domain Component
  10. Secure LDAP
    LDAP with SSL or TLS
  11. SSO
    • Single Sign-On
    • Users only remember one set of credentials
    • Can provide authentication against a federated database
  12. Same Sign-on vs Single Sign-on
    • In same sign on, users have to re-enter credentials each time they access another system
    • Single sign on uses the same credentials entered for multiple systems within a session
  13. SAML
    • Security Assertion Markup Language
    • An XML-based standard for exchanging authentication and authorization information between parties
    • Provides SSO for web-based applications
  14. PAP
    • Password Authentication Protocol
    • RAS protocol that sends passwords in cleartext
  15. CHAP
    • Challenge Handshake Authentication Protocol
    • A type of RAS protocol
    • Server challenges client, client provides authentication info
  16. RADIUS
    • Remote Authentication Dial-In Service
    • Provides centralized authentication for RAS servers
    • Only the password is encrypted
    • uses UDP
  17. TACACS+
    • CISCO alternative to RADIUS
    • Entire authentication process is encrypted
    • Uses TCP (guaranteed delivery)
    Upgrade to RADIUS that uses TCP and EAP
  19. AAA
    • Authentication, Authorization, Accounting
    • RADIUS and TACACS+ provide all 3
    • KERBEROS does not provide accounting
    • CISCO-proprietary
    • rarely used
  21. TACACS (Acronym)
    Terminal Access Controller Access Control System
  22. HOTP & TOTP
    • Open source standards used to create one-time use passwords
    • HOTP makes a one-time password that does not expire
    • TOTP makes a one-time password that expires after 30 mins
  23. Which authentication service uses tickets for credentials?
  24. What is the primary purpose of a ticket-granting server?
  25. Technical Controls
    • Use technology to mitigate vulnerability
    • example: IDS, Firewall, Encryption
  26. Management Controls
    • Use planning & risk assessment methods to mitigate risk
    • examples: Risk Assessment, vulnerability assessment, penetration test
  27. Operation Controls
    • Ensure day-to-day operations comply with an overall security plan; Implemented by people and not machines
    • Examples: Awareness & Training, Configuration management, Contingency Planning
  28. Hardening
    • The practice of making a system or application more secure than its default configuration
    • examples: disabling unneeded services and accounts
  29. Examples of Preventative Controls
    • Hardening
    • Security Awareness
    • Change Management
    • Account deactivation policy
  30. Examples of detective controls
    • Log monitoring
    • Trend Analysis
    • Security Audit
    • Video Surveillance
  31. Compensating Controls
    • Alternative controls in place of a primary control
    • Usually temporary
  32. Rule-based access control
    Based on a set of instructions, such as an access control list
  33. DACL
    • Discretionary access control list
    • property of an object that identifies who is allowed to access it
  34. ACE
    • access control entry
    • found in the DACL
  35. DAC model
    • Discretionary access control
    • Every object has an owner, who determines who can do what with that object
  36. MAC
    • Mandatory access control
    • Uses security labels (i.e. "secret") to determine who is allowed to access
  37. TCP Handshake Concept
    • Client sends a SYN
    • Server sends a SYN ACK
    • Client sends ACK
    • (3 way handshake)
  38. ICMP
    • Internet Control Message Protocol
    • Included in connection tools (like ping)
    • Often blocked because it is used for DoS attacks
  39. ARP
    • Address Resolution Protocol
    • Resolves IPv4 addresses to MAC addresses
  40. NDP
    • Neighbor Discovery Protocol
    • Functions similarly to ARP, but on IPv6
  41. SSH
    • Secure Shell
    • Encrypts SFTP and SCP
    • Uses TCP port 22
  42. SSL
    • Secures HTTP, SMTP, LDAP traffic using certificates
    • Uses port 443 for HTTP traffic
    • Uses port 465 for SMTP traffic
    • Uses port 636 for LDAP traffic
  43. TLS
    • Transport Layer Security
    • Successor to SSL
    • Uses the same ports as SSL
  44. IPSec
    • IP Security
    • Inherent in IPv6
    • Uses tunnel mode for VPNs
  45. FTP
    • Transfers data in cleartext!!
    • Active mode uses ports 21, 20
    • Passive mode uses ports 21 and a random port
  46. SFTP
    Uses SSH to encrypt traffic using TCP port 22
  47. FTPS
    • Uses SSL or TLS to encrypt traffic
    • Can use TCP ports 989 and 990
  48. TFTP
    • Trivial File Transfer Protocol
    • Used for small amounts of data, uses UDP
    • Commonly disabled
    • UDP port 69
  49. Telnet port
  50. SNMP Ports
    • UDP port 161
    • Sends traps (error messages) on UDP port 162
  51. NetBIOS ports
    • TCP 137, 139 (more common)
    • UDP 137, 138
  52. LDAP ports
    • TCP 389
    • TCP 636 (encrypted)
  53. Kerberos port
    UDP 88
  54. SQL server port
  55. RDP ports
    • TCP 3389
    • UDP 3389
  56. SMTP ports
    • TCP 25
    • TCP 465 (SSL/TLS encrypted)
  57. POP3 ports
    • TCP 110
    • TCP 995 (TLS/SSL encrypted)
  58. IMAP ports
    • TCP 143
    • TCP 993 (SSL/TLS secured)
  59. DNS Zone Record: A
    • Includes hostname and IPv4 address
    • Most commonly used
  60. DNS Zone Record: AAAA
    Includes hostname and IPv6 address
  61. DNS Query Port
    UDP 53
  62. DNS Zone Record: PTR
    • aka "pointer record" or "reverse lookup"
    • client queries DNS server for hostname, from IPv4 address
    • Does not always work, is an optional record
  63. DNS Zone Record: MX
    • Identifies mail server used for e-mail
    • linked to A or AAAA records
  64. DNS Zone Record: CNAME
    • Canonical name or "alias"
    • points multiple domain names to the same IP address
  65. Secure Zone Transfers
    • DNS servers sharing info with each other
    • Some transfers might include all records in a zone
    • Zone Transfers happen using TCP 53
  66. HTTPS Port
    TCP 443
  67. L2TP Port
    UDP 1701
  68. RDP Port
    TCP/UDP 3389
  69. IPSec Port
    UDP 500
  70. SMTP Ports (SSL/TLS)
    TCP 465
  71. Loop Protection on a switch
    STP or RSTP
  72. provides port-based authentication, ensuring that only authorized clients can connect to a network
    802.1x server
  73. Disabling unused ports and limiting MAC addresses that can use a port
    Port Security
  74. PPTP Protocol ID
  75. Implicit Deny
    Any traffic not explicitly allowed is denied
  76. ___ identifies what traffic is allowed and what is blocked
  77. Last rule in an ACL is typically
    • implicit deny
    • used by routers and firewalls
  78. Routers & packet-filtering firewalls perform basic filtering using
    an ACL
  79. Format for firewall rules
    • PPSDP
    • permission, protocol, source, destination, port
  80. Implicit deny on an ACL
    • deny any any
    • deny any
    • drop all
  81. WAFs focus on defending against
    • cross-site scripting attacks
    • buffer overflow attacks
  82. OSI Layer 1
    • Physical
    • Cables & Hubs
    • Protocols related to ethernet and cabling
  83. OSI Layer 2
    • Data Link
    • Switches
  84. OSI Layer 3
    • Network (logical addressing)
    • Router, Layer 3 Switches
    • IPv4, IPv6, IPSec, ICMP
  85. OSI Layer 4
    • Transport
    • aka flow control
    • TCP & UDP
  86. OSI Layer 5
  87. OSI Layer 6
    • Presentation
    • Formats data (i.e. ASCII)
  88. OSI Layer 7
    • Application
    • Proxies, WAFs, UTMs, web security gateways
    • FTP, DNS, HTTP, Telnet, RDP etc.
  89. OSI Acronym
    • All People
    • Seem To Need
    • Data Processing
  90. IDS and IPS include
    packet sniffing capability
  91. SYN Flood
    • Basically DoS
    • Sends repeated SYN messages but never ACKs them
    • creates sessions repeatedly
  92. Active IDS
    Will log an event, but can also divert traffic, change ACL rules, and end processes
  93. a bunch of virtualized servers made as decoys
  94. IPS are placed
    in-line with traffic
  95. 802.11a bandwidth and freqs
    • 54Mbps
    • 5 GHz
  96. 802.11n bandwidth and freqs
    • 600 Mbps
    • 5GHz or 2.5 GHz
  97. War driving
    • looking for wireless networks
    • aka driving through neighborhoods
  98. TKIP
    • Temporal Key Integrity Protocol
    • used with WPA
    • Replaced with CCMP in WPA2
  99. How to implement 802.1x
    Use a RADIUS server
  100. enterprise mode vs personal mode on WPA/2
    • enterprise requires a RADIUS server
    • enterprise requires a database with username/pass combo
  101. Default radius port
  102. EAP
    • Extensible Authorization Protocol
    • two systems create a pairwise master key (PMK)
    • used by 802.1x servers, requires a cert on the server
  103. PEAP vs EAP
    • PEAP uses TLS-encrypted tunnel for PMK conversation
    • PEAP-TTLS lets you TLS-tunnel older PAP systems
  104. EAP-TLS
    requires a certificate on server and on all clients
  105. LEAP
    • CISCO proprietary EAP
    • does not require certificates
  106. Isolation mode
    used in wireless hotspots to prevent clients from connecting to each other
  107. WEP inherent vulnerability
    uses a weak 24-bit IV sent in plaintext to create a key
  108. WPA cracking attack
    • Attacker captures traffic with a sniffer, waits for an authorized client to connect
    • Then attacker brute forces access point using intercepted info from 4-way handshake
  109. Bluesnarfing
    stealing info via bluetooth
  110. IPSec provides
    • Authentication & Identification (AH Header)
    • Encryption, Confidentiality, Identity, & Auth (ESP)
  111. AH Protocol Number
  112. ESP Protocol Number
  113. uses tunnel mode, & IKE over port 500
  114. L2TP
    • Layer 2 Tunneling Protocol
    • UDP Port 1701
    • Is not encrypted
  115. PPTP Port
    TCP 1723
  116. L2TP commonly combined with
  117. Software that creates, runs, and manages VMs
  118. VM Escape
    When attackers gain control of a host through a VM
  119. SCADA systems
    supervisory data control and acquisition systems
  120. Primary methods of securing data
    • encryption
    • strong access controls
  121. How to protect data at rest
  122. How to protect data in transit
    • DLP
    • Encryption
  123. TPM
    • Trusted Platform Module
    • Chip baked into computer
    • Provides full disk encryption, includes unique RSA asymmetric key
  124. HSM
    • Hardware security module
    • removable device that can store/manage RSA keys for asymmetric encryption
  125. Provides customers with a fully managed platform, which the vendor keeps up to date with current patches
    Platform as a Service
  126. Provides customers with access to hardware in a self-managed service
    Infrastructure as a Service
  127. Uses one or more techniques to make it difficult to reverse engineer
    Armored virus
  128. Armored virus techniques
    • complex code
    • encryption
    • hiding virus location
  129. detects previously-unknown malware based on behavior
    Heuristic-based antivirus
  130. Smurf attack
    • Attacker spoofs IP of victim and sends broadcast pings
    • victim is flooded with replies
  131. Defense against smurf attacks
    • Disable directed broadcasts
    • Especially important for front-facing border routers
  132. Xmas tree attack
    used to gain information about a network for other attacks
  133. replay attack
    capturing data in a session in hopes of later impersonating one of the parties in that session
  134. defense against replay attack
    • timestamps
    • sequence numbers (i.e. kerberos)
  135. Pharming
    redirects website traffic to another website, by way of modifying client host file
  136. RAT
    remote access tool
  137. XSRF
    • Cross-site forgery
    • can allow attackers to steal information and perform actions
  138. LDAP injection
    attempts to access or modify data hosted on directory service servers
  139. attack attempting to access a back-end server through another server
    transitive access attack
  140. SLE
    • single loss expectancy
    • the cost of any single loss
  141. ARO
    annual rate of occurrence
  142. ALE
    • annual loss expectancy
    • single loss expectancy (SLE) * ARO (rate of occurrence)
  143. ALE equation
    ALE = SLE * ARO
  144. MTBF
    • Mean time between failures
    • usually in hours
    • higher MTBF is better
  145. MTTF
    • mean time to failure
    • average amount of time until equipment breaks
  146. MTTR
    mean time to recover
  147. helps determine what protocols and services are running on a remote system
    port scanner
  148. determines the security posture of a system by identifying vulnerabilities and weaknesses
    vulnerability assessment
  149. black box tester
    has no prior knowledge of system prior to pen testing
  150. white box tester
    has full knowledge of system prior to testing
  151. helps an organization ensure they are following their own policies (least privilege, etc.)
    routine audits
  152. ensures users only have access they need and no more
    user rights and permissions review
  153. RAID-0
    • striping
    • no fault tolerance
    • two or more disks with files striped across them
  154. RAID-1
    • mirroring
    • you can also add an additional disk as a disk controller
  155. RAID-5
    • requires three or more drives
    • one drive can fail with continued operation
  156. RAID-6
    • requires four disks
    • two drives can fail with continued operation
  157. RAID-10
    combines mirroring and striping
  158. BIA
    • business impact analysis
    • helps an organization identify critical systems and components that are essential to the organization's success
    • also identifies maximum downtime limits
  159. RTO
    • recovery time objective
    • maximum time it should take to recover after an outage
  160. RPO
    • recovery point objective
    • a point in time where data loss is acceptable
  161. hot site
    a place where you can immediately restore operations, including everything that is required
  162. includes a hierarchy of critical systems and the order to restore them in
    disaster recovery plan
  163. final phase of disaster recovery
    lessons learned
  164. stream cipher
    • encrypts one bit at a time
    • opposite is the block cipher
  165. 2 most popular hash algorithms
    • MD5
    • SHA
  166. verifies both integrity and authenticity of a message by use of a shared secret
  167. creates a 128-bit hash
    • MD5
    • HMAC-MD5
  168. creates 160 bit hashes
    • SHA-1
    • HMAC-SHA-1
  169. creates 224-512 bit hashes
  170. AES info
    • 128, 192, or 256-bit block cipher
    • symmetric
  171. 3DES and DES
    • Data Encryption Standard
    • both are symmetric 64-bit block cipher
  172. RC Ciphers (like RC4)
    • symmetric, stream
    • 40 - 2048 bit
  173. Blowfish
    • symmetric, 64-bit block cipher
    • 32 - 488 bit key
  174. Twofish
    • symmetric, 128-bit block cipher
    • 128 - 256-bit key
  175. Diffie-Hellman (ECDHE)
    secure method of sharing symmetric keys over a public network
  176. elliptic curve cryptography
    commonly used with small devices
  177. sender's private key (digital signature)
  178. sender's public key (digital signature)
  179. recipient public vs private key
    • recip. public key encrypts
    • recip. private key decrypts
  180. web site encryption
    • web site public key encrypts
    • web site private key decrypts
  181. web site session encryption
    symmetric key encrypts
  182. Bcrypt and PBKDF2
    • key stretching techniques
    • help prevent brute force attacks and rainbow table attacks
    • salt the password with additional bits
Card Set
Man vs Exam: The Reckoning