Chapter 33 - Security Architectures Flashcards

1
Q

Define Vulnerability

A

Anything that can be considered a weakness that can compromise the security of a network.

2
Q

Define Exploit

A

Anything that can be used to take advantage of a known Vulnerability

3
Q

Define Threat

A

Occurs when someone intends to exploit a vulnerability with malicious intent

4
Q

Define Mitigation Technique

A

Something used to prevent or counteract threats

5
Q

What is a Spoofing Attack?

A
  • An attack in which someone replaces the source IP address/MAC address of a Packet/Frame with a fake one.
6
Q

What is a DOS attack?

A
  • Denial of Service
  • When an attacker is able to deplete a system of resources so much so that it is unable to provide services to legitimate users and potentially crashes.
  • Can be a flood of UDP packets, TCP connections, or ICMP echo requests
7
Q

What is the difference between DOS and DDoS?

A
  • A DoS attack generally only comes from a single device
  • A DDoS (Distributed Denial of Service) attack comes from many devices that are all controlled by a central device. This collection of controlled devices is known as a botnet.
8
Q

What different forms of attacks can be caused by address spoofing?

A
  • DOS attacks
  • Reflection attacks
  • Amplification attacks
  • Man-In-The-Middle attacks
9
Q

What is an example of a DOS attack?

A
  • The attacker can send TCP SYN segments from a fake address to a server that will respond with a SYN-ACK.
  • The connection will not be completed as the fake address will not receive the reply.
  • The server will then keep the connection in its connection table until it times out but in the meantime many more of these connections can be started, causing the server’s connection table to become congested.
  • (Other examples could be filling up a DHCP server’s leases with fake MACs to prevent legitimate users from getting addresses or giving an ARP table false information)
10
Q

What is a Reflection attack?

A
  • The attacker will send traffic from the spoofed address of a live host to a server of some sort (the reflector)
  • The reflector will send the response back to the victim instead of the attacker. If there are multiple reflectors involved then this can cause more issues.
11
Q

What is an Amplification attack?

A
  • An attacker uses a protocol/service to amplify the traffic that it is already sending via reflection to a victim to overwhelm it.
  • NTP and DNS can be utilised for amplification attacks.
12
Q

What is a Man-In-The-Middle attack?

A
  • A form of attack in which an attacker places themselves between the source and destination of traffic and can eavesdrop on and manipulate data in transit. One form of this uses ARP spoofing.
  • In order to begin this type of Man-In-The-Middle attack, the attacker will listen for ARP requests being broadcast throughout the network.
  • Once it receives a broadcast, it waits a short time (so that if the real host responds, its ARP record in all other hosts’ ARP tables will be overwritten) before it replies with a spoofed IP address (the one in the request) and its own MAC address.
  • Traffic intended for the legitimate host will then be forwarded to the false host.
13
Q

What is a Reconnaissance Attack?

A
  • Used to learn more information about a system prior to an attack in order to potentially do more damage.
14
Q

What are some of the tools that can be used for Reconnaissance attacks?

A
  • nslookup - Used to find the address space of a company using an FQDN owned by that company
  • whois/dig - Used to find extra DNS information about domain owners, contact information, mail servers, authoritative name servers, etc.
  • Ping Sweeps - Used to ping all addresses in a targeted range to find out which hosts respond
  • Port Scanning - Used to sweep a range of UDP and TCP ports to see if a host answers
15
Q

What are Buffer Overflow attacks?

A
  • When an attacker purposefully sends data that is too large for the receiver’s buffer size and, if there is such a vulnerability, can cause data to overflow into other areas of memory. This can cause the system to run slow and potentially crash.
  • Malicious code could also be stored inside this overflowed area and the receiver could accidentally run it.
16
Q

What is Malware?

A
  • Malicious Software
  • A type of Malware is a Trojan Horse which is manually implanted inside of software that looks legitimate
  • Another type is a Virus, which spreads more easily by injecting itself into an application that users may then transmit, infecting other receivers
  • Another type is a Worm, which is able to spread by replicating itself and exploiting vulnerabilities on other systems to move between them and replicate further. These can congest the network and could also contain harmful payloads.
17
Q

Examples of Human Vulnerabilities

A
  • Social Engineering
  • Phishing
  • Spear Phishing
  • Whaling
  • Pharming
  • Watering Hole Attack
18
Q

What is Social Engineering?

A
  • When an attacker poses as a legitimate user in order to manipulate someone to give them access to something or provide information that they shouldn’t
19
Q

What is Phishing?

A
  • When attackers lure users onto malicious websites using an invite sent via email that could look convincing, threatening, etc.
  • Can be used to steal information
20
Q

What is the difference between Spear Phishing and Whaling?

A
  • Spear Phishing is a form of Phishing that is generally used to exploit a group of users with similar affiliations (e.g. users that work for the same company).
  • Whaling is a form of Phishing that generally targets high profile users such as important government figures
21
Q

What are Vishing and Smishing?

A
  • Vishing - Phishing done over voice calls
  • Smishing - Phishing done over SMS
22
Q

What is Pharming?

A
  • Similar to Phishing except the attacker uses a more direct approach. This approach is to compromise the services that normally direct users towards legitimate resources such as DNS.
  • The way this is done via DNS is to edit the IP that a URL resolves to in order to direct the user to a malicious site.
23
Q

What is a Watering Hole attack?

A
  • An attacker will determine which site users frequently visit and deposit malware there to compromise them
24
Q

What is the difference between an Online password hack and an Offline password hack?

A
  • Online - A hacker will attempt to guess a user’s password when prompted by the system
  • Offline - A hacker will retrieve an encrypted password and then attempt to decode the password using other software
25
Q

What is a Dictionary Password attack?

A
  • An attacker will use software to run through a given word list in order to discover a user’s password
26
Q

What is a Brute Force Password attack?

A
  • An attacker will use software to run through every different combination of letters, numbers, and symbols in order to break into a system
  • Very time and resource intensive
27
Q

Alternatives to passwords

A
  • MFA
  • Digital certificate with proof of authentication
  • Biometrics (face or fingerprint ID)
28
Q

Mitigations for password attacks

A
  • Policies put in place to ensure that passwords are a specific length and/or have a specific amount of numbers, letters, and symbols
  • Policies that require passwords to be changed at regular intervals. This can stop brute force attacks from being possible
29
Q

What is AAA?

A
  • Authentication, Authorisation, and Accounting
    - Authentication - Who is the user
    - Authorisation - What is the user allowed to do
    - Accounting - What did the user do
  • Cisco uses ISE (Identity Services Engine) as its AAA platform
  • AAA servers are normally centralised so that any changes made can be updated across all systems at once
30
Q

What are the two protocols that AAA servers can use?

A
  • TACACS+
    - Cisco proprietary
    - Terminal Access Controller Access-Control System
    - Separates each AAA function
    - Communication is secured and encrypted over TCP port 49
  • RADIUS
    - Widely used standard
    - Remote Authentication Dial In User Service
    - Combines Authentication and Authorisation into a single resource
    - Uses UDP port 1812 (authentication) and 1813 (accounting) but is not completely encrypted
31
Q

What aspects should a good Security Program aim to teach?

A
  • User awareness - Users should be made aware of confidentiality, their own user details, potential threats, and guidelines that need to be followed in order to maintain security
  • User training - All users should be required to participate in periodic security training to reinforce security practices.
  • Physical access control - Infrastructure locations should remain securely locked and only allowed access to particular users.
32
Q

What are the fundamental goals of security?

A
  • Based on the CIA Triad
  • Confidentiality - Only authorised Users should be able to access data
  • Integrity - Data should be correct and authentic, and not modified by unauthorised users
  • Availability - The network/systems should be operational and accessible to authorised users
33
Q

What is an example of a Spoofing Attack?

A
  • DHCP Exhaustion (also an example of a DOS attack)
  • An attacker sends DHCP Discover from fake MAC addresses
  • The server responds and provides addresses to all of these with DHCP Offers.
  • The DHCP leases table is filled up with false entries so that no one else can receive an address.
34
Q

What is Tailgating?

A
  • When people simply walk behind users that have authorisation to enter an area that they don’t have authorisation for
35
Q

What is the benefit of MFA and biometrics?

A
  • MFA uses:
    - Something you know (e.g. a password, pin, etc.)
    - Something you have (e.g. a notification on a phone app)
  • Biometrics use:
    - Something you are (e.g. your face)
36
Q

What command do you use to enable aaa for login to a switch/router?

A
  • ‘aaa new-model’ from global config
  • Must be configured in order to configure aaa accounting