Chapter 10 Flashcards
Two ways to protect against malware (and their advantages and disadvantages):
1) signature-based
Advantage: Accuracy is really high.
Disadvantage: You will miss new attacks; they can easily pass checking.
2) anomaly-based
compares against baseline traffic on network
Advantage: Accommodates new types of attacks
Disadvantage: “operation I usually see is different”
May generate false positive
Where to focus for Network Security (4 points)?
- Protecting networks
- Protecting network traffic
- Mobile device security
- Network security tools
A well-configured and patched network is the _______ of any security program
foundation
What is Network segmentation?
• Divide a network into multiple smaller independent networks, called a subnet
How can we control the flow of traffic between subnets?
o Allowing or disallowing traffic
o Blocking the traffic entirely
We can control traffic flow within the subnet for _______ purposes
troubleshooting
True or False: Traffic monitoring is easier in subnets
True
Why do we funnel Network Traffic through choke points?
to inspect, filter, and control the traffic
What are Choke points?
o Routers that move traffic from one subnet to another
o Firewalls or proxies that control traffic moving within, into, or out of our networks or portions of our networks
o Application proxies that filter the traffic for particular applications such as Web or e-mail traffic
Choke points come with some risk because if they ____ the network is _______
fail
compromised
“Choke points come with some risk because if they fail the network is compromised”
Redundancy helps to…
mitigate risk to our networks
Technical issues or attacks may impact network _______ devices and, hence, network operations.
infrastructure
Good network design considers planned ________ for device failures, connectivity loss, etc.
redundancy
Give an example of planning for redundancy:
In the event of a DDoS attack on a border device:
o Redundancy will allow us to switch to a different connection to the Internet, or route traffic through a different device until we solve the current issue
What is a firewall?
A mechanism for maintaining control over the traffic that flows into and out of our network
Where should we place firewalls, typically?
- Typically on the border between our internal network and the Internet
- Can also be placed within our network for access control
What should we filter with firewalls?
Based on a variety of factors; it largely depends on the complexity of the firewall
• Example: we may allow Web and e-mail traffic to pass, but block everything else
What is Packet Filtering?
- Inspecting contents of each packet individually to make a decision
- Based on the source and destination IP addresses, the port number, and the protocol being used
_____ _______ is one of the oldest and simplest of firewall technologies
Packet Filtering
Which firewall has the disadvantage that “it is possible to slip attacks through this type of firewall as packets are inspected individually”
Packet Filtering
What is the function of a Stateful Firewall?
Same working principle as in packet filtering, but a Stateful Firewall keeps track of the traffic at a granular level
A stateful firewall is able to watch the traffic over a ____ _______.
given connection
The connection state, as monitored by a stateful firewall, is maintained in a ____ ____.
state table
A given connection is defined by:
the source and destination IP addresses, the ports being used, and the already existing network traffic
True or False? A stateful firewall allows traffic that is part of a new or already established connection.
True
Difference between stateful firewall and packet inspection?
Stateful firewall assesses an entire connection while packet inspection is about inspecting individual packets
Best security policy is to put these two together
Most stateful firewalls can also function as a _____ ______ firewall, often combining the two forms of filtering.
packet filtering
A stateful firewall that also has a packet filtering component can do the following (2 objectives):
- Can identify and track the traffic related to a particular user-initiated connection to a Web site
- Knows when the connection has been closed and further traffic should not legitimately be present
Example of a scanning tool?
Nmap
True or False: Packet filtering and stateful firewalls only inspect the structure of packets without inspecting the content.
True
______ adds extra layer of intelligence to firewalls through packet-content inspection.
Deep Packet Inspection
Deep Packet Inspection can block a large number of attacks at the price of ____.
delay
Deep Packet Inspection introduces ______ issue as content of our packets are inspected.
privacy
Proxy servers are…
A specialized variant of a firewall that can serve as a choke point
Proxy servers offer these functionalities (2):
- Offer security and performance by filtering unwanted traffic
- Allow us to log the traffic that goes through them for later inspection
What are some applications of proxy servers (3)?
Applications:
• Spam, Web traffic, and malware filtering
True or False: Nmap is a very useful tool for both OS and network
True
What is a Demilitarized Zone (DMZ) as it pertains to network security?
A combination of a network design feature and a protective device such as a firewall
What are DMZs used for?
Used to offer security for mail servers, proxy servers, software as a service application, and Web servers
Draw a diagram of a DMZ
https://i.imgur.com/oiFFYDN.png
What does IDS stand for in network security?
Intrusion Detection Systems
What is penetration testing?
Actively trying to break the system and analyze its level of security that way
What does an Intrusion Detection System do?
monitors networks, hosts, or applications to which it is connected for unauthorized activity
What are 3 types of IDS?
- Host-based intrusion detection systems (HIDSes)
- Application protocol-based intrusion detection systems (APIDSes)
- Network-based intrusion detection systems (NIDSes)
What does NIDSes stand for?
Network-based intrusion detection systems
What does APIDSes stand for?
Application protocol-based intrusion detection systems
What does HIDSes stand for?
Host-based intrusion detection systems
Placement of ______ is important to efficiently monitor ongoing network traffic without overwhelming the _____.
NIDSes
Placement of NIDSes is important to efficiently monitor ongoing network traffic without overwhelming the NIDSes.
Draw a diagram of an IDS:
https://i.imgur.com/ureBoKc.png
NIDSes may miss _____ _____ _____.
packet crafting attacks
What are packet crafting attacks?
- specifically designed packets of traffic that carry attacks or malicious code
- designed to avoid detection by IDSes, firewalls, and other similar devices
Common defense-in-depth security programs combine _____ and _____.
firewalls and IDSs
What is the difference between Signature-based detection and Anomaly-based detection in an IDS? (diagram)
https://i.imgur.com/gIHZNre.png
True or False: Signature-based detection does not work similarly to most antivirus systems.
False: Signature-based detection does work similarly to most antivirus systems.
Signature-based detection maintains a database of _____ that signal a particular type of attack
It compares incoming traffic to those signatures.
signatures
Signature-based detection is usually precise if the signature _______ is up-to-date
database
True or False: Attackers may test crafted packets on the same IDS tools that we use to avoid our security measures
True
Anomaly-based detection uses a ______ of normal traffic and activity on the network
baseline
________-based detection measures the present state of traffic against this baseline
Anomaly
True or False: Anomaly-based detection is useful to detect new attacks or attacks that have been deliberately assembled to avoid IDSes.
True
What is a disadvantage of anomaly-based detection?
It has a high rate of false positives compared to the signature-based IDSes (if the traffic on the network changes from the baseline, anomaly-based detection may consider that as an attack)
True or False: we can combine both detection anomaly-based and signature-based methods.
True
When data travels across networks, it can be exposed to _____ people. (If we use applications or protocols that do not encrypt what they are sending over the network)
unwanted
A ______ network is more prone to attack.
Wireless
An open wireless network for public access does not offer any encryption.
How can we ensure protection over wireless networks?
Deploy VPNs
Virtual private networks allow us to…
send sensitive traffic over unsecure networks
True or False: VPNs can create a secure connection to the private network of an organization
True
Draw a diagram of a VPN:
https://i.imgur.com/RpH3CpA.png
A VPN connection is called a ______.
tunnel (An encrypted connection between two end points)
At one end of the connection there is a VPN _____ application and the other end hosts a VPN ______.
client
concentrator
At one end of the connection there is a VPN client application and the other end hosts a VPN concentrator.
The client uses software to authenticate to the VPN ______.
concentrator
What are the advantages of VPN?
- Allow us to access the internal resources of our organization
- Protect traffic that is sent over untrusted connections
- Allow us to protect the contents of traffic
o from logging by our ISPs or being sniffed by others on the same network, to obscure our geographical location and bypass location-oriented blocking
• Useful in peer-to-peer (P2P) file-sharing services
o VPNs can allow both the traffic and the actual IP addresses to remain hidden
What is a Rogue access point (RAP)?
placing an access point on our wireless network without authorization
True or False: If a RAP is set up with poor or no security, it will allow anyone within range of the access point to access our network.
True
How can we Avoid Rogue access points (RAPs)?
Carefully document the legitimate devices that are part of our wireless network infrastructure and regularly scan for additional devices using a wireless scanning tool
How can we protect traffic passing through the legitimate devices in our network?
Data encryption
The most common encryption types for 802.11 devices are (3):
o Wired Equivalent Privacy (WEP)
o Wi-Fi Protected Access (WPA), and
o Wi-Fi Protected Access version 2 (WPA2)
____ is the most current encryption and offers the strongest inherent security.
WPA2
File Transfer Protocol (FTP) is for ______ ____.
transferring files
_____ is for interacting with remote machines.
Telnet
Post Office Protocol (POP) for _____ ___.
retrieving e-mail
True or False: We must use Secure Shell (SSH) instead of Telnet.
True
We must use _______________ instead of FTP, which is also SSH-based.
Secure File Transfer Protocol (SFTP)
SSH supports many types of traffic over it such as (3 items):
o It can be used for file transfers and terminal access
o when connecting to a remote desktop
o communicating over a VPN
The encryption used by SSH is ____, a public key encryption algorithm
RSA
What is RSA?
a public key encryption algorithm
What is a mobile device?
Any device that can access external systems or be accessed while not behind the organization’s security infrastructure
o Smartphones, tablets, smartwatches, USB devices, laptops, etc.
What are Applications of a mobile device?
Send and receive e-mail, surf the web, manipulate documents, play videos, listen to music, play games, etc.
What are some characteristics of a mobile device?
o Powerful hardware resources and capabilities
o Connected to a network of some variety at all times
o They move in and out of environments with regularity
o Store and transmit data without notice
o May or may not be compliant with basic security measures
What do we want to manage for mobile devices?
o Patching and software upgrades
o Force changing of passwords at some interval
o Regulate and track installed software
o Adjust settings to a standard dictated by our policies
An MDM (mobile device management) solution mostly utilizes an agent on the mobile device to enforce a certain configuration. These agents…
o Regulate access to enterprise resources, such as e-mail, calendaring, or network resources
o Can discontinue access by the client
Many MDM solutions enable the device to be remotely ____ or disabled.
wiped
In order to reduce load on administrative resources and enable a greater uniformity across devices…
we can try to manage both mobile and nonmobile devices using the same tools and techniques
BYOD (Bring Your Own Device)
An organization’s strategy and policies regarding the use of personal versus corporate devices either:
o Allow only corporate-owned devices to interact with enterprise resources
o Allow only personal devices
o Any combination in between
Allow only Corporate-owned Devices
Enables more uniform and secure base of mobile devices for the organization to manage
Management and policies:
o We may disallow the use of personal e-mail and file-sharing applications
o Disable the capability of installing new applications that are not business related
o We can also force users to install updates and security patches, and change their password regularly
Disadvantages of Allowing only Personal Devices:
• Not easy to deploy a uniform and secure MDM
• We have only minimal control over personal devices
o For example, connecting them to a centralized mail server, such as Microsoft Exchange
• Good choice for a very small organization with minimal resources to administer a complex mobile infrastructure
To enable a balance between cost and risk management
Allow Personal and Corporate-owned Devices
We deploy penetration testing on a regular basis to…
o To catch up with the environmental changes
o To accommodate new attacks
We can test security tools using Security Live CD distributions that come with all of the tools preconfigured
Give an example.
For example: Kali
To detect unauthorized devices like Rogue APs, some software tools we can use are (3 examples):
• Kismet:
o Runs on Linux and can be found on the Kali distribution
o Commonly used to detect wireless APs
• NetStumbler:
o Similar to Kismet; runs on Windows
• coWPAtty and Aircrack-NG:
o To break through the different varieties of encryption
o Cracking WEP, WPA, and WPA2
What are port scanners?
tools for discovering the networks and systems that are in our environment
Two main categories of scanners:
o port scanners
o vulnerability scanners
What is Network mapper (Nmap)?
o a port scanner
o can also search for hosts on a network
o Identify the operating systems those hosts are running
o detect the versions of the services running on open ports
What are packet sniffers?
Tools that sniff network traffic
What is Tcpdump?
o A command-line tool that allows us to monitor the activities of the network to which we are attached
o Can filter traffic
o Usually runs only on UNIX-like operating systems
o A version has been ported to Windows, called WinDump
What is Wireshark?
o Capable of intercepting traffic from a wide variety of wired and wireless sources
o It includes a large number of filtering, sorting, and analysis tools
o Can also import data from other applications like Tcpdump
o A great tool for troubleshooting traffic on the network
_____ is a specialized wireless network sniffer
Kismet
_______ ______ ______ from Fluke Networks is a hardware packet sniffer
OptiView Portable Network Analyzer
usually very expensive and well beyond the budget of the average network or security professional
What is a honeypot?
A honeypot can detect, monitor, and sometimes tamper with the activities of an attacker
Honeypots are configured to deliberately display ______ to attract an attacker
vulnerabilities
Examples of honeypots (3):
o An intentionally vulnerable service
o An outdated and unpatched operating system
o A network share named “top secret UFO documents”
We deploy honeypots to…
o To provide an early warning system for a corporation
o As a method of researching what methods attackers are using
o As an intentional target to monitor the activities of malware in the wild
______ are collections of honeypots with varying configurations and vulnerabilities
Honeynets
Honeynets generally come with some centralized instrumentation for ______ all the honeypots on the network
monitoring
True or False: Honeynets can be particularly useful for large-scale monitoring of malware activity
True
The firewall testing tool Hping3 can:
• Construct specially crafted Internet Control Message Protocol (ICMP) packets for firewall testing
• Be scripted to test the responses of firewalls and IDSes
o To get an idea of the rules on which they are operating
• Perform port scanning
Network-focused businesses (e.g., eBay and Amazon) must…
o Must have rigid security measures in place
o Must continuously evaluate them in order to find weaknesses
Secure network design involves:
- Segmentation, Choke points, and Redundancy
- Implement security devices such as firewalls and IDSes to protect us both inside and outside our networks
We protect our traffic by…
o We use VPNs to secure our connections over untrusted networks
o We can use security measures specific to wireless networks
o We can make use of secure protocols as a general security measure
We use security tools:
o Kismet or NetStumbler in wireless networks
o Wireshark or Tcpdump to monitor network traffic
o Nmap to scan network devices
o hping3 to test firewalls
We place honeypots:
o To attract and study attackers and their tools and to alert us to their presence
The _____ of an IDS is important for efficient network monitoring
a. Features
b. Processing power
c. Placement
d. Memory
c. Placement
An unauthorized Access Point in a wireless network is called a:
a. Sniffer
b. Rogue
c. Booster
d. None of the above
b. Rogue
The most common protocol for wireless devices is
a. 802.16
b. 802.15
c. 802.11
d. 802.20
c. 802.11
Secure Shell (SSH) uses ______ encryption algorithm
a. DES
b. DES3
c. RSA
d. RSA3
c. RSA
Nmap stands for
a. Nice map
b. Niche map
c. Network map
d. Network mapper
d. Network mapper
What are the drawbacks of Network-based Intrusion Detection Systems?
Answer: NIDSes may fail to detect packet crafting attacks. They may suffer from false positives. They may not process encrypted packets.
Compare and contrast signature-based and anomaly-based IDS detection methods?
Answer: Signature-based IDSes maintain a database of the signatures that might signal a particular type of attack and compare incoming traffic to those signatures. The problem is that in the case of a new type of attack they may fail to detect that attack. Anomaly-based IDSes typically work by taking a baseline of the normal traffic and activity taking place on the network. They can measure the present state of traffic on the network against this baseline to detect attacks. They are better at detecting new attacks.
What are the advantages of using VPNs?
Answer: VPNs offer a secure connection between two end points over an untrusted network. Also, they protect the content of traffic. VPNs are useful in peer-to-peer file sharing.