Section 16: Logical Security

Logical security

Measures that protect digital access to systems and data, such as passwords, ACLs, and encryption.

Access Control List (ACL)

A set of rules that allow or deny network traffic based on IP, MAC, or port numbers.

Principle of least privilege

Users should be given only the minimum level of access needed to perform their tasks.

Components of IAM

Identification, Authentication, Authorization.

802.1X

Port-based network access control that uses RADIUS or EAP for authentication.

DAC (Discretionary Access Control)

Allows owners to set permissions for their resources.

MAC (Mandatory Access Control)

Enforces security labels system-wide and restricts access based on these labels.

Multifactor Authentication (MFA)

Authentication using three factors: Something You Know, Something You Have, Something You Are.

TOTP

Time-Based One-Time Password, a temporary code that changes every 30-60 seconds.

Push notification MFA

A method where a user receives a push alert to approve or deny access instead of entering a code.

SAML

Security Assertion Markup Language, enables single sign-on (SSO) across multiple services.

OAuth

Allows secure third-party access to resources without sharing passwords.

CIA Triad

Confidentiality, Integrity, Availability – the three core principles of cybersecurity.

Defense in depth

A layered security approach using multiple security controls to protect a system.

Symmetric encryption

Uses one key for both encryption and decryption.

Asymmetric encryption

Uses two keys: a public key to encrypt and a private key to decrypt.

IPSec Transport Mode

Encrypts only the payload of the packet for host-to-host communication.

IPSec Tunnel Mode

Encrypts the entire IP packet, commonly used in VPNs.

ESP (Encapsulating Security Payload)

Provides encryption, integrity, and authentication in IPSec.

IKE (Internet Key Exchange)

A protocol that automates the setup of secure IPSec connections.

Public Key Infrastructure (PKI)

system that manages encryption keys and digital certificates to provide secure communication, authentication, and data integrity over networks. It enables trust between users, devices, and systems.

Certificate Authority (CA)

A trusted entity that issues and verifies digital certificates.

Certificate Revocation List (CRL)

A list of revoked digital certificates that are no longer trusted.

Digital certificate

Verifies the identity of websites, individuals, or organizations using public-key cryptography.

SSL/TLS certificate

A digital certificate that secures websites using HTTPS encryption.

Key management

The process of generating, storing, distributing, and revoking encryption keys securely.

Key escrow

A security measure where a trusted third party holds encryption keys for recovery.

Perfect Forward Secrecy (PFS)

Ensures compromising one encryption key does not affect past or future sessions.

VLAN hopping

A network attack gaining access to unauthorized VLANs by exploiting misconfigurations.

MAC flooding attack

An attack overwhelming a switch’s MAC address table, forcing it to send traffic to all ports.

ARP spoofing attack

An attack sending fake ARP replies to redirect traffic to an attacker’s machine.

DNS poisoning attack

Corrupts DNS cache, redirecting users to malicious sites.

On-path attack

An attack where communication between two parties is intercepted and altered.

Rogue access point

An unauthorized Wi-Fi access point used for attacks like eavesdropping.

Honeypot

A security tool designed to lure attackers and study their behavior.

DoS attack

Denial of Service attack that overwhelms a system, making it unavailable.

DDoS attack

Distributed Denial of Service attack using multiple devices to overload a system.

Social engineering

Attackers manipulate people into giving up confidential information.

Phishing

A fraudulent attempt to trick users into providing sensitive information.

Malware

Malicious software designed to damage, steal data, or disrupt systems.

Risk management

The process of identifying, assessing, and mitigating security risks.

Security risk assessment

Evaluating security risks and determining how to address them.

PCI DSS

Payment Card Industry Data Security Standard for companies handling credit card transactions.

GDPR

General Data Protection Regulation, a European law to protect personal data.

SAML

(Security Assertion Markup Language) – An open standard for single sign-on (SSO) that allows identity providers (IdPs) to authenticate users and share login credentials with service providers (SPs) securely.

SOAP

Simple Object Access Protocol

RADIUS

(Remote Authentication Dial-In User Service)

provides centralized administration of dial-up, VPN, and wireless authentication, so it can be used with both 802.1x and the Extensible Authentication Protocol (EAP)

TACACS+

(Terminal Access Controller Access-Control System Plus) – A Cisco-developed AAA (Authentication, Authorization, and Accounting) protocol that encrypts the entire packet and operates over TCP (port 49) for secure network device administration.

RBAC

• Role-Based Access Control

• An access model that is controlled by the system but focuses on a set of permissions versus an individual’s permissions

IPSec

• IP Security

• Provides authentication and encryption of data packets to create a secure and encrypted communication path between two computers

Main Mode

Conducts three two-way exchanges between the peers, from the initiator to the receiver

Aggressive Mode

Uses fewer exchanges, resulting in fewer packets and faster initial connection than main mode

Authentication Header

security protocol in IPsec that provides data integrity, authentication, and anti-replay protection for IP packets but does not encrypt the data.

Encapsulating Security Payload

security protocol in IPsec that provides encryption, authentication, and data integrity to protect IP packets. Unlike Authentication Header (AH), ESP encrypts the data, making it unreadable to unauthorized parties.

Key Recovery Agent

Specialized type of software that allows the restoration of a lost or corrupted key to be performed