Kindle Notes & Highlights
A false positive is an alert or alarm on an event that is nonthreatening, benign, or harmless. A false negative is when an attacker is actively attacking the network, but the system does not detect it.
Remember this A false positive incorrectly indicates an attack is occurring when no attack is active. A high incidence of false positives increases the administrator's workload. A false negative is when an attack is occurring, but the system doesn't detect and report it. Administrators tune the IDS threshold to balance the two: high enough to keep false positives manageable, but low enough that real attacks are not missed as false negatives.
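The threshold trade-off in the note above, worked through as an added example (this code is not from the book). A toy brute-force detector alerts when one source IP produces at least `threshold` failed logins inside a 60-second sliding window; the events, the IP addresses and the ground truth are constructed for the demonstration, not taken from real logs.

```python
"""Added example: how an alert threshold trades false positives for false negatives.

A toy brute-force detector alerts when one source IP produces at least
`threshold` failed logins inside a 60-second sliding window. The events and
the ground truth are constructed for this demonstration, not real logs.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Tuple[int, str, str]  # (seconds since start, source IP, "fail" or "ok")

# Constructed sample telemetry.
EVENTS: List[Event] = []
# alice mistypes her password four times in 30 s, then logs in (benign).
EVENTS += [(0, "10.0.0.5", "fail"), (8, "10.0.0.5", "fail"),
           (17, "10.0.0.5", "fail"), (28, "10.0.0.5", "fail"),
           (35, "10.0.0.5", "ok")]
# bob gets it wrong once (benign).
EVENTS += [(40, "10.0.0.9", "fail"), (46, "10.0.0.9", "ok")]
# Fast brute force: 30 failures in under a minute.
EVENTS += [(100 + 2 * i, "203.0.113.7", "fail") for i in range(30)]
# Low-and-slow guessing: one failure every 25 s for ten minutes.
EVENTS += [(300 + 25 * i, "198.51.100.23", "fail") for i in range(24)]

# Ground truth used only to score the detector (constructed).
ATTACKERS: Set[str] = {"203.0.113.7", "198.51.100.23"}
WINDOW = 60  # seconds


def detect(events: List[Event], threshold: int, window: int = WINDOW) -> Set[str]:
    """Return the source IPs with >= threshold failures in any `window`-second span."""
    fails: Dict[str, List[int]] = defaultdict(list)
    for ts, ip, outcome in sorted(events):
        if outcome == "fail":
            fails[ip].append(ts)

    alerted: Set[str] = set()
    for ip, times in fails.items():
        start = 0
        for end in range(len(times)):
            # Slide the left edge forward until the span fits inside the window.
            while times[end] - times[start] >= window:
                start += 1
            if end - start + 1 >= threshold:
                alerted.add(ip)
                break
    return alerted


def score(events: List[Event], threshold: int,
          attackers: Set[str] = ATTACKERS) -> Dict[str, int]:
    """Compare alerts against ground truth: true/false positives and negatives per source."""
    alerted = detect(events, threshold)
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for ip in {ip for _, ip, _ in events}:
        hit, bad = ip in alerted, ip in attackers
        key = "tp" if hit and bad else "fp" if hit else "fn" if bad else "tn"
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for threshold in (3, 5):
        print(f"threshold={threshold}: {score(EVENTS, threshold)}")
    # threshold=3 flags alice's typos (a false positive) but catches both attackers;
    # threshold=5 clears alice but misses the low-and-slow attacker (a false negative).
```

Lowering the threshold to 3 catches the slow attacker at the cost of alerting on alice's typos; raising it to 5 removes that false positive but the slow attacker stays under the radar. Neither setting gives zero of both, which is the point of the note: the threshold is a tuning decision, not a fix.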
Intrusion prevention systems (IPSs) are an extension of IDSs.
An IPS is inline with the traffic.
An IDS is out-of-band.
Remember this An IPS can detect, react, and prevent attacks. It is placed inline with the traffic (also known as in-band). An IDS monitors and responds to an attack. It is not inline but instead collects data passively (also known as out-of-band). As a reminder from the introduction of this section, both IDSs and IPSs have protocol analyzer capabilities. This allows them to monitor data streams looking for malicious behavior. An IPS can inspect packets within these data streams and block malicious packets before they enter the network. In contrast, a NIDS has sensors or data collectors that monitor and report the traffic. An active NIDS can take steps to block an attack, but only after the attack has started. The inline
supervisory control and data acquisition (SCADA)
advanced persistent threats (APTs)
remote access Trojans (RATs)
Remember this An intrusion prevention system (IPS) is a preventive control. It is placed inline with traffic. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress. It can also be used internally to protect private networks.
Transport Layer Security (TLS) traffic.
Secure Sockets Layer (SSL),
Hypertext Transfer Protocol Secure (HTTPS).
A software-defined network (SDN) separates the control plane from the data plane, so forwarding decisions are made by software controllers rather than configured on individual hardware routers and switches; it is commonly built on virtualization technologies.
A honeypot is a sweet-looking server—at
A honeynet is a group of honeypots within a separate network or zone, but accessible from an organization's primary network.
Remember this Honeypots and honeynets attempt to divert attackers from live networks. They give security personnel an opportunity to observe current methodologies used in attacks and gather intelligence on these attacks.
virtual local area network (VLAN).
virtual private network (VPN)
Remember this 802.1x provides port-based network access control: the switch or AP acts as the authenticator and keeps the port closed until the connecting client (the supplicant) has authenticated to the 802.1x authentication server, typically a RADIUS server. Only authorized clients can connect, which prevents rogue devices from joining the network.
A wireless access point (AP) connects wireless clients to a wired network.
Remember this A fat AP is also known as a stand-alone AP and is managed independently. A thin AP is also known as a controller-based AP and is managed by a wireless controller. The wireless controller configures the thin AP.
service set identifier (SSID),
Remember this The service set identifier (SSID) identifies the name of the wireless network. You should change the SSID from the default name. Disabling SSID broadcast can hide the network from casual users, but an attacker can easily discover it with a wireless sniffer.
media access control (MAC)
the MAC address (also called a physical address or hardware address)
Remember this MAC filtering can restrict access to a wireless network to specific clients. However, an attacker can use a sniffer to discover allowed MAC addresses and circumvent this form of network access control. It’s relatively simple for an attacker to spoof a MAC address.
Remember this You can limit the range of an AP to a room or building by reducing the AP's power level, so ordinary clients outside that area cannot connect. Treat this as reducing exposure rather than as access control: an attacker with a directional, high-gain antenna can still pick up a weak signal from farther away than a laptop's built-in radio can.
Wi-Fi Protected Access II (WPA2).
Wired Equivalent Privacy (WEP).
Cipher Block Chaining Message Authentication Code Protocol (CCMP).
Temporal Key Integrity Protocol (TKIP)
Remember this WPA provided an immediate replacement for WEP and originally used TKIP, which was compatible with older hardware. Later implementations support the stronger AES encryption algorithm. WPA2 is the permanent replacement for WEP and WPA. WPA2 supports CCMP (based on AES), which is much stronger than the older TKIP protocol; CCMP should be used instead of TKIP.
pre-shared key (PSK)
Remember this PSK mode (or WPA-PSK and WPA2-PSK) uses a pre-shared key and does not provide individual authentication. Open mode doesn’t use any security and allows all users to access the AP. Enterprise mode is more secure than Personal mode, and it provides strong authentication. Enterprise mode uses an 802.1x server (implemented as a RADIUS server) to add authentication.
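What "does not provide individual authentication" means in practice, as an added example (not code from the book). The key derivation is the one specified in IEEE 802.11i for WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), and the per-session PTK = PRF-384(PMK, "Pairwise key expansion", MAC addresses || nonces). Because the PMK depends only on the passphrase and the SSID, every station holds the same master secret, and anyone who knows the passphrase and observes another station's 4-way handshake (MACs and nonces travel in the clear) can derive that station's temporal key. The MAC addresses and nonces below are constructed, and the "victim" and "insider" are a simulation.

```python
"""Added example: WPA2-PSK key derivation (IEEE 802.11i) and why a shared
passphrase gives no per-user separation. MACs/nonces are constructed."""
import hashlib
import hmac
import os
from typing import Dict


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key. Every station on this SSID with this passphrase gets the same key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key for CCMP: KCK(16) || KEK(16) || TK(16)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def victim_handshake(passphrase: str, ssid: str) -> Dict[str, bytes]:
    """Simulated station completing a 4-way handshake. Everything except 'tk' is sent in the clear."""
    ap_mac = bytes.fromhex("001122334455")   # constructed
    sta_mac = bytes.fromhex("66778899aabb")  # constructed
    anonce, snonce = os.urandom(32), os.urandom(32)
    ptk = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return {"ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "tk": ptk[32:48]}


def recover_tk(passphrase: str, ssid: str, observed: Dict[str, bytes]) -> bytes:
    """What anyone holding the shared passphrase computes from the over-the-air fields:
    the victim's temporal key, and with it the victim's traffic."""
    ptk = derive_ptk(derive_pmk(passphrase, ssid),
                     observed["ap_mac"], observed["sta_mac"],
                     observed["anonce"], observed["snonce"])
    return ptk[32:48]


def insider_can_decrypt(passphrase: str, ssid: str, guess: str) -> bool:
    """True when a party who knows `guess` derives the victim's TK from its handshake."""
    hs = victim_handshake(passphrase, ssid)
    public = {k: v for k, v in hs.items() if k != "tk"}
    return recover_tk(guess, ssid, public) == hs["tk"]


if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex())  # 802.11i reference vector
    print(insider_can_decrypt("correct horse battery", "CoffeeShop", "correct horse battery"))
```

Enterprise mode avoids this because the 802.1x/RADIUS exchange gives each client its own PMK, so one user's credentials say nothing about another user's session keys; that is the "individual authentication" the note contrasts with PSK.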
Remember this Enterprise mode requires an 802.1x server. EAP-FAST supports certificates. PEAP and EAP-TTLS require a certificate on the 802.1x server. EAP-TLS also uses TLS, but it requires certificates on both the 802.1x server and each of the clients.
captive portal is a technical solution that forces clients using web browsers to complete a specific process before it allows them access to the network.
disassociation attack effectively removes a wireless client from a wireless network.
Remember this A disassociation attack effectively removes a wireless client from a wireless network, forcing it to reauthenticate. WPS allows users to easily configure a wireless device by entering an eight-digit PIN. A WPS attack guesses all possible PINs until it finds the correct one. It will typically discover the PIN within hours and use it to discover the passphrase.
Wi-Fi Protected Setup (WPS)
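Why a WPS PIN attack finishes in hours rather than years, as an added example (not from the book, and a simulation rather than a tool). Two properties of the protocol do the work: the eighth digit of the PIN is a checksum of the first seven, and the AP answers with a NACK after message M4 when the first four digits are wrong but only after M6 when the second half is wrong. An attacker therefore searches the halves independently, at most 10,000 plus 1,000 guesses instead of 10^8. The registrar below is a toy that mirrors those two responses; the real attack is online against the AP and paced by its response time, which is what stretches the thousands of guesses into hours.

```python
"""Added example: WPS PIN checksum and a simulated split-half PIN search.
The registrar here is a toy oracle, not a real AP."""
from typing import Callable, Optional, Tuple


def wps_checksum(first_seven: int) -> int:
    """Checksum digit of a WPS PIN: weights 3,1,3,1,3,1,3 over the first seven digits."""
    digits = [int(d) for d in f"{first_seven:07d}"]
    total = 3 * sum(digits[0::2]) + sum(digits[1::2])
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """An 8-digit PIN whose last digit matches the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


def make_registrar(true_pin: str) -> Callable[[str], str]:
    """Toy AP. Like the real protocol it reveals after M4 whether the first four
    digits matched, and checks the second half only after that."""
    assert is_valid_wps_pin(true_pin)

    def respond(guess: str) -> str:
        if guess[:4] != true_pin[:4]:
            return "NACK@M4"  # first half wrong
        if guess[4:] != true_pin[4:]:
            return "NACK@M6"  # first half right, second half wrong
        return "M7"           # success: the registrar now hands over the passphrase
    return respond


def crack_pin(registrar: Callable[[str], str]) -> Tuple[Optional[str], int]:
    """Search the first half (<= 10,000 tries), then the second half (<= 1,000 tries
    because the checksum digit is implied). Returns (pin, attempts)."""
    attempts = 0
    first_half: Optional[int] = None
    for candidate in range(10_000):
        attempts += 1
        # Any second half will do here; the AP rejects at M4 if the first half is wrong.
        if registrar(f"{candidate:04d}0000") != "NACK@M4":
            first_half = candidate
            break
    if first_half is None:
        return None, attempts
    for tail in range(1_000):
        pin = f"{first_half:04d}{tail:03d}{wps_checksum(first_half * 1000 + tail)}"
        attempts += 1
        if registrar(pin) == "M7":
            return pin, attempts
    return None, attempts


if __name__ == "__main__":
    pin, tries = crack_pin(make_registrar("12345670"))  # constructed target PIN
    print(pin, tries)
```

Note that nothing in the search depends on the AP's passphrase or encryption settings; the PIN alone yields the passphrase once M7 is reached, which is why the usual advice is to disable WPS rather than to harden it.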
A rogue access point (rogue AP) is an AP placed within a network without official authorization.
evil twin is a rogue access point with the same SSID as a legitimate access point.
Remember this Rogue access points are often used to capture and exfiltrate data. An evil twin is a rogue access point using the same SSID as a legitimate access point. A secure AP blocks unauthorized users, but a rogue access point provides access to unauthorized users.
A wireless initialization vector (IV)
Near field communication (NFC) is a group of standards that lets mobile devices communicate with other NFC devices (other phones, payment terminals, tags) when they are within a few centimeters of each other.
personal area networks (PANs) and within networks.

