Network+ N10-009 4.0 Network Security

Logical security(Encryption)

Method of protecting information using coded formats
Data in transit - Data moving across network
Data at rest - Stored, inactive data

Logical security(Certificates)

Digital documents used for identity validation
Public key infrastructure (PKI) - Hierarchy of trust keys
Self-signed - Generated without authority

Logical security(Identity and access management (IAM))

Framework for managing user identities and permissions
Authentication - Verifies user identity
Multifactor authentication (MFA) - Uses multiple verification factors
Single sign-on (SSO) - One login for many apps
Remote Authentication Dial-in User Service (RADIUS) - Centralized authentication protocol
LDAP - Directory-based authentication service
Security Assertion Markup Language (SAML) - Standard for identity exchange
Terminal Access Controller Access Control System Plus (TACACS+) - Cisco authentication protocol
Time-based authentication - Temporary time-sensitive codes
Authorization - Determines user permissions
Least privilege - Minimum access required
Role-based access control - Permissions tied to roles

Logical security(Geofencing)

Security that restricts access by physical location

Physical security(Camera)

Video surveillance to monitor activity

Physical security(Locks)

Physical barriers preventing unauthorized access

Deception technologies(Honeypot)

Decoy system designed to lure attackers

Deception technologies(Honeynet)

Network of decoys to observe attacker behavior

Common security terminology(Risk)

Potential for harm from a threat

Common security terminology(Vulnerability)

Weakness that can be exploited

Common security terminology(Exploit)

Method of taking advantage of a vulnerability

Common security terminology(Threat)

Potential cause of harm to assets

Common security terminology(Confidentiality, Integrity, and Availability (CIA) triad)

Model for securing data and systems

Audits and regulatory compliance(Data locality)

Requirement to keep data in specific regions

Audits and regulatory compliance(Payment Card Industry Data Security Standards (PCI DSS))

Standards for protecting payment card data

Audits and regulatory compliance(General Data Protection Regulation (GDPR))

European law for personal data protection

Network segmentation enforcement(Internet of Things (IoT) and Industrial Internet of Things (IIoT))

Separation of consumer and industrial connected devices

Network segmentation enforcement(Supervisory control and data acquisition (SCADA), industrial control System (ICS), operational technology (OT))

Segmentation of critical infrastructure systems

Network segmentation enforcement(Guest)

Isolated network for visitor devices

Network segmentation enforcement(Bring your own device (BYOD))

Policy allowing personal devices with network restrictions

Denial-of-service (DoS)/distributed denial-of-service (DDoS)

Attacks that overwhelm systems with traffic

VLAN hopping

Attack where traffic is injected into other VLANs

Media Access Control (MAC) flooding

Attack that overwhelms switch tables with fake MAC addresses

Address Resolution Protocol (ARP) poisoning

Technique to map attacker’s MAC to another IP

ARP spoofing

Forged ARP messages to redirect traffic

DNS poisoning

Corrupts DNS cache with false records

DNS spoofing

Fakes DNS responses to redirect users

Rogue devices and services(DHCP)

Unauthorized DHCP server handing out bad addresses

Rogue devices and services(AP)

Unauthorized access point imitating a trusted one

Evil twin

Malicious wireless access point that mimics a legitimate one

On-path attack

Attacker intercepts communication between two parties

Social engineering(Phishing)

Tricking users into revealing information via email or messages

Social engineering(Dumpster diving)

Retrieving sensitive information from discarded materials

Social engineering(Shoulder surfing)

Stealing information by looking over someone’s shoulder

Social engineering(Tailgating)

Following authorized users into secure areas

Malware

Malicious software designed to harm, disrupt, or steal

Device hardening(Disable unused ports and services)

Turning off unneeded features to reduce attack surface

Device hardening(Change default passwords)

Replacing vendor-provided passwords with secure ones

Network access control (NAC)(Port security)

Restricts access to switch ports

Network access control (NAC)(802.1X)

Port-based authentication standard

Network access control (NAC)(MAC filtering)

Controls devices by MAC address

Key management

Process of handling encryption keys securely

Security rules(Access control list (ACL))

Rules defining allowed or denied traffic

Security rules(Uniform Resource Locator (URL) filtering)

Blocking access to specific websites

Security rules(Content filtering)

Restricting access to certain content types

Zones(Trusted vs. untrusted)

Defined network security boundaries

Zones(Screened subnet)

Isolated network area for public-facing server