01 Network Attacks and Defense Strategies Flashcards
(88 cards)
1
Q
Threat Sources
List each threat source
A
- Natural: Floods, fires, power failure
- Unintentional: unskilled admin, accidents, lazy/untrained employee
- Intentional
2
Q
Define Threat Actor
A
Individual or group that breaks into the system to achieve a specific goal.
3
Q
List types of Threat Actors
A
- Hacktivist: Promotes political agenda
- Cyber Terrorist: motivated by religious or political beliefs.
- Suicide Hacker: aims to bring down infrastructure for a “cause”. Not deterred by jail time.
- State Sponsored Hacker: employed by gov to hack other gov.
- Script kiddies: unskilled hacker who use tools made by real hackers.
- Industrial Spies: Attack companies for commercial purpose.
- Insider Threat: Threat that originates from people within org.
4
Q
Vulnerability
A
Existing weaknesses in assets that can be exploited.
5
Q
Which TCP/IP Protocols are inherently insecure?
A
HTTP (Hyper Text Transfer Protocol) FTP (File Transfer Protocol) ICMP (Internet Control Message Protocol) SNMP (Simple Network Management Protocol) SMTP (Simple Mail Transfer Protocol)
6
Q
What is IIS?
A
Internet Information Services
7
Q
List the Network Security Vulnerabilities of a Configuration:
A
- User account Vuln: sending user/pass over unencrypted network.
- System Account Vuln: Setting weak passwords for user accounts.
- Internet Services Misconfig: Misconfig of services such as Apache, IIS, enabling JavaScript, FTP.
- Default Password Settings
- Network Device Misconfig: Improper setup of network devices such as routers.
8
Q
List the Network Security Vulnerabilities of a Security Policy:
A
- Unwritten Policy
- Lack of Continuity: in implementing & enforcing the policy
- Politics: challenges for implementation of a consistent security policy.
- Lack of awareness: of the security policy
9
Q
What is Risk?
A
The potential loss or damage that can occur when there is a threat to an asset in presence of an exploitable vulnerability.
10
Q
What formula represents Risk?
A
Risk = Asset + Threat + Vulnerability
11
Q
What is an ATTACK?
A
An action initiated for exploiting vulnerabilities to actualize a threat.
12
Q
What formula represents an ATTACK?
A
Attack = motive (goal) + Method (TTPs) + vulnerability
13
Q
Define TTP’s
A
Tactics, techniques, & Procedures.
14
Q
What is a MOTIVE?
A
Originates from the notion that the target system stores or processes something of value.
15
Q
What techniques can attackers use in the recon phase to obtain information?
A
- Social Engineering
- Port Scanning
- DNS footprinting
- Ping Sweeping
16
Q
What Network information is obtained from recon?
A
- Domain Names
- Internal Domain Names
- Network Blocks
- IP addresses of reachable systems
- Rogue/private websites
- open ports
- versions of OS
- Running TCP & UDP services
- Access Control Mechanisms & Access Control Locations (ACM/ACL)
- Network Protocols
- VPN Points
- Running Firewalls
- Analog/digital #’s
- Authentication mechanisms
- System Enumeration
17
Q
What is a network sniffing attack?
A
is a process of monitoring & capturing all data packets passing through a network.
18
Q
Man-in-the-Middle Attack
A
- Intruder deploys a station between client & server
- The TCP connection is split into 2 connections: 1. Client to attack connection 2. attacker to server connection.
- Enables intruder to read, modify & insert fraudulent data into the TCP connection.
19
Q
TCP
A
Transmission Control Protocol
20
Q
Password Attack
A
Attacker uses techniques such as: -brute force, -social engineering -Spoofing -Phishing -Malware -Sniffing -Keylogging to crack or obtain the password
21
Q
Privilege Escalation Attack
A
Attacker gains access to a network using a non admin account, and escalates privileges to become admin.
The attacker exploits design flaws, programming errors, bugs, and configuration oversight in the OS or app to gain admin access.
22
Q
2 Types of Privilege Escalation:
A
- Vertical privilege escalation: shifting from a user account to an account with higher privileges.
- Horizontal privilege escalation: Shifting from one user account to another with same privileges.
23
Q
DNS Poisoning Attack
A
- Manipulation of IP addresses in the DNS cache
- A corrupt DNS redirects user requests to a malicious website/resource.
24
Q
ARP
A
Address Resolution Protocol
25
ARP Poisoning Attack
ARP spoofing/poisoning involves sending a large # of forged entries to the target machines ARP cache.
26
DHCP
Dynamic Host Configuration Protocol
| -Assigns valid IP addresses to host systems out of pre-assigned DHCP pool
27
DHCP Starvation Attack
- Process of inundating DHCP servers with fake DHCP requests and using up all available IP addresses
- This results in a DoS attack where the DHCP server cannot issue new IP addresses to genuine host requests.
- New clients cannot obtain access to the network resulting in a DHCP starvation attack.
28
DHCP DORA
DISCOVER, OFFER, REQUEST, ACKNOWLEDGE
| -Stands for the message flows between the client and server.
29
How does a DHCP server assign IP addresses to clients?
Dynamically
30
DNS Spoofing Attack
- Attacker places a rogue DHCP server between the client and the real DHCP server.
- When a client sends a request, the rogue DHCP server intercepts the coms and acts as a DHCP server by replying with a fake IP address.
- This results in the client being diverted to the attackers system
31
MAC Spoofing Attack
- Launched by sniffing a network for MAC addresses of clients using a switch port, and re-using one of those addresses.
- By intercepting the network traffic, the attacker replicates a legitimate users MAC address to receive all the traffic intended for the specific user.
- Mac spoofing enables an attacker to gain access to the network by faking the identity of another user already on the network.
32
Network based DoS Attack:
Attacker floods the network with large amounts of traffic, exhausting the victims connection resources.
33
Types of DoS Attacks:
- TCP SYN Flooding
- UDP Flooding
- ICMP Smurf Flooding
- Intermittent flooding
34
UDP
User Datagram Protocol
35
DDoS Attack
- multitude of compromised systems attack a single target
| - Causes financial loss and damage to reputation
36
2 types of DDoS
1. Network Centric: Overloads a resource by consuming bandwidth
2. Application Centric: overloads a services by flooding it with packets
37
Types of Malware:
- Virus: Self replicating, attaches itself to another program, computer boot sector, or document.
- Trojan: appears to be legitimate/useful software but contains hidden harmful code.
- Adware: software program that tracks a users browsing patterns and displays ads
- Spyware: software code that extracts user info & sends it to attacker.
- Root Kit: a software program that conceals activities from detection by OS.
- Backdoor: enables attacker to bypass authentication and gaining admin access without password.
38
APT's
Advanced Persistent Threat
- Attacker gains access to a network and remains there undiscovered for a long period of time.
- Purpose: to obtain sensitive information vs causing damage.
39
SQL
Structured Query Language
40
SQL Injection
- Malicious SQL queries to directly manipulate a database.
- Executed through URL, application fields and search bars.
- Only possible when an application executes Dynamic SQL Statements & Stores procedures with arguments based on user input.
41
XXS Attack
Cross Site Scripting
- exploits vulns in dynamically generated web pages, enables attacker to inject scripts into web pages.
- Inject malicious javascript, VBscript, ActiveX, HTML or Flash
42
Parameter Tampering Attack
Manipulation of parameters exchanged between client and server in order to modify app data such as user creds, permissions, price & quantity of products.
43
Directory Traversal Attack
- attackers can manipulate variables that reference files with ../ sequences and its variations
- enables access to restricted directories.
44
CSRF Attack
Cross-site Request Forgery
| -Exploits web page vulnerabilities that enable an attacker to force a users browser to send malicious requests
45
Application-level DoS attack
Attacker exhausts server resources by sending hundred of resource intensive tasks, such as retrieving large image files.
46
Session HIJacking
- Attacker takes over a valid TCP communications session between two computers
- Can sniff all information in transit
- Attacker steals a valid session ID and uses it to auth himself with server
47
Types of Social Engineering Attacks:
- Impersonation
- Eavesdropping
- Shoulder Surfing
- Dumpster diving
- Piggy backing: authorized person holds door open for intruder
- Tail gating: following authorized person inside without their knowledge
48
Email Attack Types:
- Malicious email attachments
- User redirection (links)
- Email Phishing: link sent looks like the real website
- Email Spamming
49
Rooting Android
Grants root access
50
Jailbreaking IOS
Installing a modified set of kernel patches that enable a user to run third party apps
51
Mobile Devices Specific Attacks:
- Rooting
- jailbreaking
- uploading malicious app to the app store
- mobile spamming (texts/calls)
- SMS Phishing
- Bluebugging
52
2 types of Bluebugging attack
1. Bluesnarfing: stealing info via bluetooth
| 2. Bluebugging: gaining control over a device via bluetooth.
53
OWASP
Open Web Application Security Project
54
OWASP Top 10 Cloud Security Risks:
1. Accountability and Data Ownership: Using public cloud for hosting business services can cause severe risk for the recoverability of data
2. User Identity Federation: Creating multiple user identities for different cloud providers makes it complex to manage multiple user Ids and credentials
3. Regulatory Compliance: lack of transparency and different regulatory laws in different countries
4. Business continuity and resiliency: risk or monetary loss if the cloud provider handles business continuity improperly
5. User privacy and secondary usage of data: the default share feature in social websites can jeopardize the privacy of a users personal data
6. Service and data integration: unsecured data in transit is susceptible to eavesdropping and interception attacks
7. Multi Tenancy and Physical security: inadequate logical segregation may lead to tenants interfering with the security features of each other
8. Incidence analysis and forensic support: due to distributed storage of logs across the cloud, law enforcement agencies may face challenges in forensics recovery
9. Infrastructure security: misconfiguration of infrastructure may allow network scanning for vulnerable applications and services
10. Non-Production environment exposure: using non production environments increases the risk of unauthorized access, information disclosure, and information modification.
55
War Driving
attackers drive with wifi enabled laptops to detect open wireless networks.
56
Client Mis Association
an attacker sets up a rogue access point outside the corporate perimeter and tricks employees to connect to it
57
Unauthorized Association:
Attackers infect a victim machine and active APs (access point) to provide them with an unauthorized connection to the enterprise network
58
Honey Pot access point attack:
An attacker traps people by using fake APs(access point)
Rogue Access Point Attack: Rogue wireless access points placed in a 802.11 network can be used to hijack connections of legitimate network users.
59
Misconfigured Access point Attack:
Enables intruders to steal the SSID(service set identifier) giving them access to the network
60
Ad Hoc Connection attack
wifi clients communicate directly via an ad hoc mode that does not require an AP to relay packets.
61
AP MAC Spoofing
a hacker spoofs the mac address of a WLAN client's equipment to act as an authorized client and connect to the AP as the client and eavesdrop on the traffic
62
DoS Attack:
disrupts network connections by sending broadcast “de-authenticate” commands
63
WPA-PSK Cracking
attackers sniff and capture auth packets and run a brute force attack to crack the WPA-PSK key
64
Raidus Replay:
Attackers replay the valid radius server response and successfully auth to the client without valid credentials
65
MAC Spoofing attack:
spoofs the mac of a client and attempts to authenticate to the AP, which leads to the updating of the mac address info in the network routers and switches
66
WEP cracking:
sniff and capture packets and run wep cracking programs to obtain web key
67
Man-in-the-Middle
attackers deploy a rogue AP and spoof the clients MAC address to position themselves between the real AP and the client to listen to the traffic
68
Fragmentation Attack:
attackers obtain 1500 bytes of pseudo rando generation algorithm (PRGA) to generate forged wep packets that are in turn used for various injection attacks
69
Jamming Signal Attack:
an attacker stakes out the are from a nearby location with a high gain amplifier, drowning out the legitimate access point.
70
CEH Hacking Methodology: Successful black hat operations typically follow five phases:
1. Recon
2. Scanning
3. Gaining Access
4. Maintaining access
5. Clearing Tracks
71
Lockheed Martin Cyber Kill Chain Methodology:
1. Recon: gather data on the target to probe for weak points
2. Weaponization: create a deliverable malicious payload using an exploit and a backdoor
3. Delivery: send a weaponized bundle to ethe victim using email, USB, etc.
4. Exploitation: exploit a vulnerability by executing code on the victim's machine
5. Installation: install a malware on the target system
6. Command and Control: create a command-and-control channel to communicate and pass data back and forth.
7. Actions on Objectives: Perform actions to achieve intended objectives/goals
72
MITRE Attack Framework:
Pre-Attack:
- Recon
- Weaponize
Enterprise Attack:
- Deliver
- Exploit
- Control
- Execute
- Maintain
73
Goal of Network Defense:
is to prevent unauthed access, misuse, modification, service denial, or any degradation and disruptions.
74
IA:
Information Assurance
75
IA Principles:
- Confidentiality: Ensures information is not disclosed to unauthorized parties
- Integrity: Ensures information is not modified or tampered with by unauthorized parties
- Availability: ensures information is available to authorized parties without any disruptions.
- Non-repudiation: Ensures that a party in a communication cannot deny sending the message
- Authentication: ensures the identity of an individual is verified by the system or service
76
Network Defense Benefits:
- Protect: information assets
- Comply: with government and industry specific regulation
Ensure: secure communication with clients and suppliers
Reduce: the risk of being attacked
Gain: competitive edge over competitor by providing more secure services
77
Network Defense Challenges:
- Distributed computing environments: with the advancement in modern technology and to meet business requirements, networks are becoming vast and complex, potentially leading to serious security vulnerabilities. Attackers exploit exposed security vulnerabilities to compromise network security
- Emerging Threats: Potential threats to the network evolve each day. Network security attacks are becoming technically more sophisticated and better organized.
- Lack of network Security Skills: Organizations are failing to defend themselves against rapidly increasing network attacks due to the lack of network security skills.
78
Computer Network Defense Involves:
applying a set of rules, processes, and measures to protect the integrity, confidentiality and availability of the networks information systems and resources.
79
4 types of Network Security Approaches:
- Preventive Approaches: consist of methods or techniques that are used to avoid threats or attacks on the target network
- Reactive approaches: Consists of methods or techniques that are used to detect attacks on the target network
- Retrospective Approaches: Consists of methods or techniques that examine the cause for attacks, and contain, remediate, eradicate, and recover from damage cause by the attack on the target network.
- Proactive Approaches: consist of methods or techniques that are used to make informed decisions on potential attacks in the future on the target network.
80
Continual/Adaptive Security Strategy:
Organizations should adopt adaptive security strategy, which involves implementing all four network security approaches.
81
4 Adaptive Security Activities:
- Protect: this includes a set of prior countermeasures taken towards eliminating all the possible vulnerabilities of the network
- Detect: This involves continuous monitoring of network and identifying abnormalities and their origins (Continuous Threat Monitoring)
- Respond: This involves a set of actions taken to contain, eradicate, mitigate, and recover from the impact of attacks on the network. (Incident Response)
- Predict: This involves identifying most likely attacks, targets, and methods prior to materialization of a potential attack. (risk & vulnerability assessment, attack surface analysis, threat intelligence)
82
Defense-in-depth Security Strategy:
- Protect endpoints
- Protect network
- Protect data
83
Administrative Security Controls:
Management implements admin access controls to ensure the safety of the organization.
84
Examples of Admin Security Controls:
- Regulatory framework compliance
- Security Policy
- Employee Monitoring and Supervising
- Information Classification
- Security awareness and Training
85
Physical Security Controls:
- Fences
- Locks
- Badge system
- Security guards
- Biometric system
- Mantrap doors
- Lighting
- Motion detectors
- CCTVs
- Alarms
86
Technical Security Controls::
A set of security measures taken to protect data and systems from unauthorized personnel.
87
Examples of Technical Security Controls:
- Access controls
- Authentication
- Authorization
- Auditing
- Security protocols
- Network security devices 1:46.13
88
Multi Layered Security:
1. Policies, Procedures, and Awareness
2. Physical
3. Perimeter: Server, DNS, routers, firewalls, switches
4. Internal Network
5. Host
6. Application
7. Data
