Chapter 4 Mod2: Understand Network cyber threats and attacks Flashcards

1
Q

What is the goal of an attack involving spoofing?

A

The goal of a spoofing attack is to gain access to a target system through the use of a falsified identity.

2
Q

What types of logical identification can be targeted in a spoofing attack?

A

Spoofing can be used against IP addresses, MAC addresses, usernames, system names, wireless network SSIDs, email addresses, and many other types of logical identification.

3
Q

What characterizes an attack that attempts to misdirect legitimate users to malicious websites?

A

An attack that attempts to misdirect legitimate users to malicious websites through the abuse of URLs or hyperlinks in emails could be considered phishing.

4
Q

What is the primary goal of a denial-of-service (DoS) attack?

A

The primary goal of a denial-of-service (DoS) attack is to prevent legitimate activity on a victimized system by consuming its network resources.

5
Q

What distinguishes distributed denial-of-service (DDoS) attacks from DoS attacks?

A

Attacks involving numerous unsuspecting secondary victim systems are known as distributed denial-of-service (DDoS) attacks.

6
Q

What are the two main functions of a computer virus?

A

The two main functions of a computer virus are propagation and destruction.

7
Q

How does a computer virus spread, and what is required for its propagation?

A

A computer virus is a self-replicating piece of code that spreads without the consent of a user, but frequently with their assistance. The user has to click on a link or open a file for the virus to propagate.

8
Q

What distinguishes worms from other malicious code objects?

A

Worms pose a significant risk to network security with the same destructive potential as other malicious code objects, but they have an added twist—they propagate themselves without requiring any human intervention.

9
Q

What is a notable characteristic of worms regarding their propagation?

A

Worms propagate themselves without requiring any human intervention, making them distinct from other forms of malicious code.

10
Q

Why is a Trojan named after the ancient story of the Trojan horse?

A

A Trojan is named after the ancient story of the Trojan horse because it is a software program that appears benevolent but carries a malicious, behind-the-scenes payload.

11
Q

Provide an example of how Trojans are commonly used in cyber attacks.

A

Ransomware often uses a Trojan to infect a target machine. The Trojan then uses encryption technology to encrypt documents, spreadsheets, and other files stored on the system with a key known only to the malware creator.

12
Q

How do attackers position themselves in an on-path attack?

A

In an on-path attack, attackers place themselves between two devices, often between a web browser and a web server.

13
Q

What is another term commonly used to refer to on-path attacks?

A

On-path attacks are also known as man-in-the-middle (MITM) attacks.

14
Q

What characterizes a side-channel attack?

A

A side-channel attack is a passive, noninvasive attack aimed at observing the operation of a device.

15
Q

What are some methods used in side-channel attacks?

A

Methods in side-channel attacks include power monitoring, timing analysis, and fault analysis attacks.

16
Q

How is an Advanced Persistent Threat (APT) characterized?

A

APT refers to threats that demonstrate an unusually high level of technical and operational sophistication, spanning months or even years.

17
Q

Who is typically behind APT attacks?

A

APT attacks are often conducted by highly organized groups of attackers.

18
Q

What characterizes insider threats?

A

Insider threats arise from individuals who are trusted by the organization, and they may include disgruntled employees, employees involved in espionage, or even trusted users who fall victim to scams.

19
Q

Are insider threats always willing participants?

A

No, insider threats are not always willing participants. A trusted user who falls victim to a scam could become an unwilling insider threat.

20
Q

How is malware defined?

A

Malware is a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system, or otherwise annoying or disrupting the victim.

21
Q

How is ransomware defined?

A

Ransomware is malware used for the purpose of facilitating a ransom attack. These attacks often use cryptography to “lock” the files on an affected computer and demand the payment of a ransom fee for the “unlock” code.

22
Q

Do Intrusion Detection System (IDS) tools identify threats, prevent threats, or both?

A

Identify threats

23
Q

Do Host-based IDS (HIDS) tools identify threats, prevent threats, or both?

A

Identify threats

24
Q

Do Network-based IDS (NIDS) tools identify threats, prevent threats, or both?

A

Identify threats

25
Q

Do SIEM tools identify threats, prevent threats, or both?

A

Identify threats

26
Q

Do anti-malware / antivirus tools identify threats, prevent threats, or both?

A

Both

27
Q

Do scans identify threats, prevent threats, or both?

A

Identify threats

28
Q

Do firewalls identify threats, prevent threats, or both?

A

Both

29
Q

Do Intrusion Prevention Systems (IPS: NIPS/HIPS) identify threats, prevent threats, or both?

A

Both

30
Q

What is an intrusion detection system (IDS)?

A

An IDS is a security mechanism that automates the inspection of logs and real-time system events to detect intrusion attempts and system failures.

31
Q

How does an IDS contribute to a defense-in-depth security plan?

A

An IDS is intended to be part of a defense-in-depth security plan, working with and complementing other security mechanisms like firewalls, although it does not replace them.

32
Q

What types of attacks can IDSs recognize?

A

IDSs can recognize attacks from external connections (e.g., from the internet) and attacks that spread internally (e.g., malicious worms).

33
Q

What is the primary goal of an IDS?

A

The primary goal of an IDS is to provide a means for a timely and accurate response to intrusions by detecting suspicious events and sending alerts or raising alarms.

34
Q

How are IDS types classified, and what are the main categories?

A

IDS types are commonly classified as host-based IDS (HIDS), which monitors a single computer or host, and network-based IDS (NIDS), which monitors a network by observing network traffic patterns.

35
Q

What does HIDS stand for?

A

HIDS stands for Host-based Intrusion Detection System.

36
Q

What does a HIDS monitor?

A

A HIDS monitors activity on a single computer, including process calls and information recorded in system, application, security, and host-based firewall logs.

37
Q

How does a HIDS differ from a NIDS in terms of examining events?

A

A HIDS can often examine events in more detail than a NIDS and can pinpoint specific files compromised in an attack.

38
Q

What specific benefit do HIDSs offer over NIDSs?

A

HIDSs can detect anomalies on the host system that NIDSs cannot detect. For example, they can detect infections where an intruder has infiltrated a system and is controlling it remotely.

39
Q

What is a drawback of HIDSs in terms of management compared to NIDSs?

A

HIDSs are more costly to manage than NIDSs because they require administrative attention on each system, whereas NIDSs usually support centralized administration.

40
Q

What limitation does a HIDS have in terms of detecting network attacks?

A

A HIDS cannot detect network attacks on other systems.

41
Q

What does NIDS stand for?

A

NIDS stands for Network Intrusion Detection System.

42
Q

What does a NIDS monitor and evaluate?

A

A NIDS monitors and evaluates network activity to detect attacks or event anomalies.

43
Q

Can a NIDS monitor the content of encrypted traffic?

A

No, a NIDS cannot monitor the content of encrypted traffic but can monitor other packet details.

44
Q

How does a NIDS monitor a large network?

A

A single NIDS can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console.

45
Q

What types of network locations can sensors in a NIDS monitor traffic at?

A

Sensors in a NIDS can monitor traffic at routers, firewalls, network switches that support port mirroring, and other types of network taps.

46
Q

Does a NIDS have a significant negative effect on overall network performance?

A

No, a NIDS has very little negative effect on overall network performance.

47
Q

What limitation does a NIDS have regarding the success of an attack?

A

While a NIDS can detect the initiation of an attack or ongoing attacks, it can’t always provide information about the success of an attack or whether specific systems, user accounts, files, or applications were affected.

48
Q

What does SIEM stand for?

A

SIEM stands for Security Information and Event Management.

49
Q

What is the general idea behind a SIEM solution?

A

The general idea of a SIEM solution is to gather log data from various sources across the enterprise to better understand potential security concerns and apportion resources accordingly.

50
Q

How does SIEM contribute to security management?

A

SIEM tools collect information about the IT environment from many disparate sources to examine the overall security of the organization and streamline security efforts.

51
Q

How can SIEM systems be used in conjunction with other components?

A

SIEM systems can be used along with other components (defense-in-depth) as part of an overall information security program.

52
Q

What is the importance of keeping systems and applications up to date?

A

Keeping systems and applications up to date is crucial because vendors regularly release patches to correct bugs and security flaws, reducing the risk of threats.

53
Q

What does patch management ensure?

A

Patch management ensures that systems and applications are kept up to date with relevant patches.

54
Q

How can you reduce the risk of threats related to unnecessary services and protocols?

A

By removing or disabling unneeded services and protocols, the risk of threats can be reduced. Attackers cannot exploit vulnerabilities in services or protocols that are not running.

55
Q

What is the role of intrusion detection and prevention systems in threat prevention?

A

Intrusion detection and prevention systems observe activity, attempt to detect threats, provide alerts, and can often block or stop attacks.

56
Q

How can anti-malware software contribute to threat prevention?

A

Anti-malware software serves as a primary countermeasure against various types of malicious code, such as viruses and worms.

57
Q

What is the role of firewalls in preventing threats?

A

Firewalls can prevent many different types of threats; network-based firewalls protect entire networks, while host-based firewalls protect individual systems.

58
Q

Why is the use of antivirus products strongly encouraged as a security best practice?

A

The use of antivirus products is encouraged as a security best practice to identify and protect against malware, meeting compliance requirements such as the Payment Card Industry Data Security Standard (PCI DSS).

59
Q

How do antivirus systems identify malware?

A

Antivirus systems identify malware by using the signature of known malware or by detecting abnormal activity on a system. This identification is done through various types of scanners, pattern recognition, and advanced machine learning algorithms.

60
Q

What types of threats do modern anti-malware solutions aim to detect?

A

Modern anti-malware solutions aim to detect not only viruses but also rootkits, ransomware, and spyware, providing a more holistic approach to cybersecurity.

61
Q

Besides virus protection, what additional features do many endpoint solutions include?

A

Many endpoint solutions include additional features such as software firewalls and Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) systems, extending their capabilities beyond virus protection.

62
Q

What is the primary function of a firewall in the context of computer security?

A

The primary function of a firewall in computer security is to act as a barrier that isolates network segments, preventing unauthorized access and the spread of security threats.

63
Q

How do firewalls enforce policies to enhance security?

A

Firewalls enforce policies by filtering network traffic based on a set of rules, determining which activities are allowed and which are restricted.

64
Q

Where should a firewall always be placed for optimal security?

A

A firewall should always be placed at internet gateways to control and filter traffic entering or leaving an organization’s network.

65
Q

What determines the placement of firewalls within an internal network?

A

The placement of firewalls within an internal network is determined by factors such as network zoning, segregation of different sensitivity levels, and the need to isolate high-risk activities from lower-risk ones.

66
Q

How have firewalls evolved over time to enhance security capabilities?

A

Firewalls have evolved to integrate various threat management capabilities, including proxy services, Intrusion Prevention Services (IPS), and tight integration with Identity and Access Management (IAM) environments. They operate at different layers, including Layers 2 (MAC addresses), 3 (IP ranges), and 7 (application programming interface and application firewalls).

67
Q

How does an Intrusion Prevention System (IPS) differ from an Intrusion Detection System (IDS)?

A

An IPS is a type of active IDS that not only detects attacks but also automatically attempts to block them before they reach the target systems. Unlike an IDS, the IPS is placed in line with the traffic, allowing it to choose what traffic to forward and what to block.

68
Q

What is the distinguishing feature of the placement of an IPS in the network?

A

An IPS is placed in line with the traffic, meaning that all network traffic must pass through the IPS. This enables the IPS to analyze the traffic and decide which to forward and which to block, preventing potential attacks from reaching the target.

69
Q

Why is the integration of IPS functionality into firewalls common?

A

IPS systems are most effective at preventing network-based attacks, and it is common to integrate the IPS function into firewalls. This integration enhances overall network security by combining intrusion prevention with traffic filtering capabilities.

70
Q

What are the two main types of IPS, similar to IDS?

A

Similar to IDS, there are Network-based IPS (NIPS), which monitors network traffic, and Host-based IPS (HIPS), which monitors activities on individual hosts or devices.

71
Q

How does the IPS contribute to network security in terms of attack prevention?

A

The IPS contributes to network security by actively preventing attacks from reaching target systems. It achieves this by analyzing incoming traffic, making decisions on what to allow or block, and acting in real-time to block potential threats.
