Chapter 4: Network Flashcards
DoS/DDoS attacks
The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.) A DDoS is a DoS launched from many sources at once, typically a botnet, which makes it much harder to filter by source address.
Fragment Attacks
In a fragment attack, an attacker fragments traffic in such a way that a system is unable to put data packets back together.
Oversized Packet Attacks
Purposely sending a network packet that is larger than expected or larger than can be handled by the receiving system, causing the receiving system to fail unexpectedly.
Spoofing
Faking the sending address of a transmission to gain illegal entry into a secure system.
Man in the Middle Attacks
An attack where the adversary positions himself in between the user and the system so that he can intercept and alter data traveling between them.
Physical Ports
Physical ports are the ports on the routers, switches, servers, computers, etc. that you connect the wires, e.g., fiber optic cables, Cat5 cables, etc., to create a network.
Logical Ports
A logical port is a 16-bit number that both ends of a communication link agree to use when transferring data; the combination of an IP address and a port number is called a socket. Ports allow a single IP address to support many simultaneous communications, each using a different port number. The application- or service-specific protocols (HTTP, SMTP, DNS, etc.) reside in the Application Layer of the TCP/IP model (which covers the Session, Presentation, and Application Layers of the OSI model), and each service is reached through the port number conventionally associated with it.
Three-way handshake (TCP)
SYN, SYN-ACK, ACK: the client sends a SYN carrying its initial sequence number, the server replies with SYN-ACK (its own initial sequence number plus an acknowledgement of the client's), and the client's ACK completes the connection.
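The handshake above, and what happens when it is abused, as an added example that is not part of the original flashcards: a toy server-side model of SYN / SYN-ACK / ACK with a bounded half-open backlog. A SYN flood (spoofed SYNs that never send the final ACK) fills that backlog so legitimate clients are dropped, which ties the handshake to the DoS and spoofing cards above. The Segment and Server classes, the backlog size and the addresses are all made up for illustration; this is not real socket code.

```python
"""Toy model of TCP's three-way handshake on the server side, with a bounded
half-open (SYN) backlog so the effect of a SYN flood is visible.

Added example for illustration only: the Segment/Server classes, the backlog
size and the addresses are made up; this is not real socket code."""
import random
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str            # sender address (strings stand in for IP:port pairs)
    seq: int            # sequence number
    ack: int            # acknowledgement number
    flags: frozenset    # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


@dataclass
class Server:
    backlog_limit: int                               # max half-open connections
    half_open: dict = field(default_factory=dict)    # src -> (client ISN, server ISN)
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def receive(self, seg: Segment):
        """Handle one inbound segment; return the reply segment, or None."""
        if seg.flags == {"SYN"}:                     # step 1: client SYN
            if len(self.half_open) >= self.backlog_limit:
                self.dropped_syns += 1               # backlog full: SYN silently dropped
                return None
            isn = random.getrandbits(32)             # server's initial sequence number
            self.half_open[seg.src] = (seg.seq, isn)
            # step 2: SYN-ACK acknowledges the client's ISN + 1
            return Segment("server", isn, seg.seq + 1, frozenset({"SYN", "ACK"}))
        if seg.flags == {"ACK"} and seg.src in self.half_open:   # step 3: client ACK
            client_isn, isn = self.half_open[seg.src]
            if seg.seq == client_isn + 1 and seg.ack == isn + 1:
                del self.half_open[seg.src]          # connection leaves the SYN backlog
                self.established.add(seg.src)
        return None


def handshake(server: Server, src: str) -> bool:
    """Run a legitimate client through SYN -> SYN-ACK -> ACK; True if established."""
    isn = random.getrandbits(32)
    syn_ack = server.receive(Segment(src, isn, 0, frozenset({"SYN"})))
    if syn_ack is None:                              # server never answered
        return False
    assert syn_ack.ack == isn + 1                    # server acknowledged our ISN
    server.receive(Segment(src, isn + 1, syn_ack.seq + 1, frozenset({"ACK"})))
    return src in server.established


def syn_flood(server: Server, count: int) -> int:
    """Send SYNs from spoofed sources that never send the final ACK.
    Returns how many half-open entries the server is now holding."""
    for i in range(count):
        server.receive(Segment(f"spoofed-{i}", random.getrandbits(32), 0, frozenset({"SYN"})))
    return len(server.half_open)


if __name__ == "__main__":
    s = Server(backlog_limit=4)
    print("legitimate client connects:", handshake(s, "10.0.0.5"))
    print("half-open after flood:", syn_flood(s, 10), "dropped SYNs:", s.dropped_syns)
    print("legitimate client during flood:", handshake(s, "10.0.0.6"))
```

Because the spoofed sources never answer, the server cannot tell a flood from slow clients until the backlog is exhausted. Real stacks mitigate this with SYN cookies, which encode the connection state in the server's initial sequence number instead of storing a half-open entry.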
TCP/IP
TCP/IP stands for Transmission Control Protocol/Internet Protocol.
TCP/IP is a set of standardized rules that allow computers to communicate on a network such as the internet.
5 layers:
- Physical Layer: The physical devices that connect computers
- Data Link Layer: Defines a common way of interpreting signals so that network devices can communicate (ex. ethernet).
- Network/Internet Layer: allows different networks to communicate with each other through devices known as routers (ex. IP).
- Transport layer: Sorts out which client and server programs are supposed to get that data. (ex. TCP, UDP)
- Application Layer: Browser, Email
VLAN
Virtual Local Area Network
A logical group of workstations, servers, and network devices that appear to be on the same LAN despite their geographical distribution.
VPN
Virtual Private Network
A virtual private network (VPN) is built on top of existing networks and provides an encrypted, authenticated communications channel for transmission between networks or between a host and a network.
WLAN
Wireless Local Area Network
A group of computers and devices that are located in the same vicinity, forming a network based on radio transmissions rather than wired connections. A Wi-Fi network is a type of WLAN.
Zenmap
The graphical user interface (GUI) for the Nmap Security Scanner, an open-source application that scans networks to determine everything that is connected as well as other information.
Zero Trust
Removing the design belief that the network has any trusted space. Security is managed at each possible level, representing the most granular asset. Microsegmentation of workloads is a tool of the model.
PCI DSS
Payment Card Industry Data Security Standard
An information security standard administered by the Payment Card Industry Security Standards Council that applies to merchants and service providers who process credit or debit card transactions.
SMTP
Simple Mail Transfer Protocol
The standard protocol for sending email between mail clients and servers and between servers. SMTP is an application layer (OSI layer 7) protocol.
Protocols
A set of rules (formats and procedures) to implement and control some type of association (that is, communication) between systems.
Payload
The data a packet or frame actually carries, as distinct from the headers used to deliver it. In the context of malware, the malicious code that a dropper or Trojan delivers.
Packet
Representation of data at Layer 3 of the Open Systems Interconnection (OSI) model.
ICMP
Internet Control Message Protocol
An IP network protocol standardized by the Internet Engineering Task Force (IETF) in RFC 792, used to carry diagnostic and error messages (destination unreachable, time exceeded, etc.). The ping tool uses ICMP echo request and echo reply messages to check whether a host is reachable.
IPv4
Internet Protocol version 4
Standard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks.
De-encapsulation
The opposite process of encapsulation, in which bundles of data are unpacked or revealed.
DNS
Domain Name System
This acronym can be applied to three interrelated elements: a service, a physical server and a network protocol.
FTP
Port 21, File Transfer Protocol (FTP), sends the username and password in plaintext from the client to the server. These credentials could be intercepted by an attacker and later used to retrieve confidential information from the server. The secure alternative, SFTP, runs over SSH on port 22 and encrypts both the credentials and the file data in transit. (FTPS, FTP over TLS, is a different protocol and is not the same as SFTP.)
Encapsulation
Enforcement of data hiding and code hiding during all phases of software development and operational use. Bundling together data and methods is the process of encapsulation; its opposite process may be called unpacking, revealing, or using other terms. Also used to refer to taking any set of data and packaging it or hiding it in another data structure, as is common in network protocols and encryption.
Phishing
An attack that attempts to misdirect legitimate users to malicious websites through the abuse of URLs or hyperlinks in emails or messages, typically to harvest credentials or deliver malware.
Trojan
Named after the ancient story of the Trojan horse, the Trojan is a software program that appears benevolent but carries a malicious, behind-the-scenes payload that has the potential to wreak havoc on a system or network. For example, ransomware often uses a Trojan to infect a target machine and then uses encryption technology to encrypt documents, spreadsheets and other files stored on the system with a key known only to the malware creator.
Malware
A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity or availability of the victim’s data, applications or operating system or otherwise annoying or disrupting the victim.
Ransomware
Malware used for the purpose of facilitating a ransom attack. Ransomware attacks often use cryptography to “lock” the files on an affected computer and require the payment of a ransom fee in return for the “unlock” code.
Insider Threat
Insider threats are threats that arise from individuals who are trusted by the organization. These could be disgruntled employees or employees involved in espionage. Insider threats are not always willing participants. A trusted user who falls victim to a scam could be an unwilling insider threat.
On-path attack (MitM):
In an on-path attack, attackers place themselves between two devices, often between a web browser and a web server, to intercept or modify information that is intended for one or both of the endpoints. On-path attacks are also known as man-in-the-middle (MITM) attacks.
IDS
Intrusion Detection System
HIDS
Host-based Intrusion Detection System
A HIDS monitors activity on a single computer, including process calls and information recorded in system, application, security and host-based firewall logs. It can often examine events in more detail than a NIDS can, and it can pinpoint specific files compromised in an attack. It can also track processes employed by the attacker. A benefit of HIDSs over NIDSs is that HIDSs can detect anomalies on the host system that NIDSs cannot detect.
NIDS
Network-based Intrusion Detection System
A NIDS monitors and evaluates network activity to detect attacks or event anomalies. It cannot monitor the content of encrypted traffic but can monitor other packet details. A single NIDS can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console. These sensors can monitor traffic at routers, firewalls, network switches that support port mirroring, and other types of network taps.
Antivirus/anti-malware
Seeks to identify malicious software or processes
Scans
Vulnerability scans probe hosts and networks for known weaknesses and misconfigurations, and so evaluate the effectiveness of the security controls in place.
Firewalls
Filter Network Traffic, manages and controls network traffic and protects the network
IPS
Intrusion Prevention System: an inline IDS that can block or drop the traffic it identifies as malicious rather than only alerting on it.
SIEM
Security management involves the use of tools that collect information about the IT environment from many disparate sources to better examine the overall security of the organization and streamline security efforts. These tools are generally known as security information and event management (or S-I-E-M, pronounced “SIM”) solutions. The general idea of a SIEM solution is to gather log data from various sources across the enterprise to better understand potential security concerns and apportion resources accordingly.
SIEM systems can be used along with other components (defense-in-depth) as part of an overall information security program.
MOU
Memorandum of Understanding
MOA
Memorandum of Agreement
Network Segmentation
Network segmentation involves controlling traffic among networked devices. Complete or physical network segmentation occurs when a network is isolated from all outside communications, so transactions can only occur between devices within the segmented network.
DMZ
Demilitarised Zone
A DMZ is a network area that is designed to be accessed by outside visitors but is still isolated from the private network of the organization. The DMZ is often the host of public web, email, file and other resource servers.
Defence in Depth
Defense in depth uses multiple types of access controls in literal or theoretical layers to help an organization avoid a monolithic security stance.
NAC
Network Access Control
Network access control (NAC) is a security solution that enforces policy on devices that access networks to increase network visibility and reduce risk.
Micro-segmentation
Part of a zero-trust strategy that breaks LANs into very small, highly localized zones using firewalls or similar technologies. At the limit, this places a firewall at every connection point.
OSI
The OSI model organises communicating systems according to 7 layers:
- Physical layer
- Data Link layer
- Network layer
- Transport layer
- Session layer
- Presentation layer
- Application layer
IP
The Internet Protocol (IP) is a set of requirements for addressing and routing data on the Internet. IP can be used with several transport protocols, including TCP and UDP. It is a network layer (OSI layer 3) protocol.
SNMP
Simple Network Management Protocol (SNMP) is a protocol used to configure and monitor devices attached to networks. It is an application layer (OSI layer 7) protocol carried over UDP, not a layer 3 protocol.
IGMP
The Internet Group Management Protocol (IGMP) is a network layer protocol used to set up multicasting on networks that use Internet Protocol version 4 (IPv4). It lets a host join or leave a multicast group, so that a single stream sent to the group's multicast address is delivered to every member.
Ranges of Private IP addresses
The ranges 10.0.0.0 to 10.255.255.255 (10.0.0.0/8), 172.16.0.0 to 172.31.255.255 (172.16.0.0/12), and 192.168.0.0 to 192.168.255.255 (192.168.0.0/16) are reserved for private use by RFC 1918 and are not routed on the public Internet.
Port 80
Port 80 is reserved for plain HTTP connections.
Port 69
Port 69 is reserved for TFTP protocol.
Port 25
Port 25 is reserved for SMTP protocol.
Port 443
Port 443 is reserved for HTTPS connections.
IPv6
An IPv6 address is a 128-bit address represented as a sequence of eight groups of 16-bit hexadecimal values.
Example: 8be2:4382:8d84:7ce2:ec0f:3908:d29a:903a
Subnet mask
A subnet mask is a number that distinguishes between the network address and the host address. Subnetting divides a network into two or more subnets
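The subnet mask and private-range cards above, worked through in code as an added example that is not part of the original flashcards: given a host address and a dotted-decimal mask, the Python standard library's ipaddress module yields the network address, broadcast address and usable host count, and the same module decides whether the address falls in one of the RFC 1918 ranges. The sample addresses are made up.

```python
"""Subnet mask arithmetic and RFC 1918 checks with the standard library.

Added example; the host addresses below are made up for illustration."""
import ipaddress

# The three private ranges from the card above, as CIDR prefixes
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def describe(host: str, mask: str) -> dict:
    """Combine a host address with a dotted-decimal subnet mask.

    strict=False lets ip_network accept a host address (host bits set) and
    derive the network it belongs to instead of raising."""
    addr = ipaddress.ip_address(host)
    net = ipaddress.ip_network(f"{host}/{mask}", strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix": net.prefixlen,                          # mask as /N
        "usable_hosts": max(net.num_addresses - 2, 0),    # minus network and broadcast
        "private": any(addr in r for r in RFC1918),
    }


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True if two hosts are on the same subnet under the given mask,
    i.e. they can reach each other without going through a router."""
    net_a = ipaddress.ip_network(f"{a}/{mask}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{mask}", strict=False)
    return net_a == net_b


if __name__ == "__main__":
    print(describe("192.168.1.77", "255.255.255.0"))
    print(describe("172.32.0.1", "255.255.0.0"))      # just outside 172.16.0.0/12
    print(same_subnet("10.1.2.3", "10.1.2.200", "255.255.255.128"))
```

The 172.32.0.1 case is the common mistake: only 172.16.x.x through 172.31.x.x is private, so checking the first octet alone is not enough.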
Standard temperature for server room
- 18 to 27 Celsius
- 3 temperature sensors: one at the top, one in the middle and one at the bottom.
APT
Advanced Persistent Threat
Port numbers ranges
Port numbers are divided into three ranges:
- Well-Known Ports (0-1023)
- Registered Ports (1024-49151)
- Dynamic or Private Ports (49152-65535).
The dynamic or private ports are those from 49152 to 65535. These ports are typically used for ephemeral ports, which are temporary and only used for the duration of a specific communication session
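The port ranges above and the Zenmap/Nmap card, together as an added example that is not part of the original flashcards: a TCP connect() scan against a listener on loopback. The listener binds port 0 so the operating system assigns it an ephemeral port, and the scan reports which ports in a small window around it accept connections. The helper names and the port window are this example's own choices.

```python
"""Minimal TCP connect() port scan against a local listener.

Added example: runs entirely on 127.0.0.1 so it is safe and offline; the
helper names and the scan window are choices made for this illustration."""
import socket
import threading
from contextlib import closing


def port_range(port: int) -> str:
    """Classify a port number by the IANA ranges on the card above."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def start_listener():
    """Bind a TCP listener on loopback; port 0 asks the OS for an ephemeral port.
    Returns the server socket (close it to stop) and the chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()             # accept and drop: we only need the port open
            except OSError:
                break                    # listener closed

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def connect_scan(host: str, ports, timeout: float = 0.2) -> list:
    """Full-connect scan: a port is open if connect() completes the handshake.
    Needs no privileges, but it is noisy and shows up in the target's logs."""
    open_ports = []
    for p in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, p)) == 0:    # 0 means connected; otherwise errno
                open_ports.append(p)
    return open_ports


if __name__ == "__main__":
    srv, port = start_listener()
    try:
        found = connect_scan("127.0.0.1", range(port - 2, port + 3))
        for p in found:
            print(f"{p}/tcp open ({port_range(p)})")
    finally:
        srv.close()
```

Two practitioner caveats: Nmap's default SYN scan (what Zenmap drives unless told otherwise) stops after the SYN-ACK and never completes the handshake, whereas connect() does, so the scan above appears in application logs. And the ephemeral port the OS hands out may not fall in the IANA dynamic range: Linux, for example, defaults to 32768-60999, which is inside the "registered" range.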
Ping command
The ‘ping’ command is a common network diagnostic tool used to test the reachability of a host by measuring the round-trip time of Internet Control Message Protocol (ICMP) echo request messages to the target host. If the host is unreachable, or a firewall drops ICMP, ‘ping’ reports a timeout.
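The ICMP and ping cards, in code as an added example that is not part of the original flashcards: building an ICMP echo request, computing the RFC 1071 Internet checksum, verifying it on receipt, and producing the matching echo reply. Sending the packet needs a raw socket and root privileges, so this example stops at the byte level; the identifier, sequence number and payload are made up.

```python
"""Build, verify and answer ICMP echo (ping) messages at the byte level.

Added example; the identifier, sequence number and payload are constructed
for illustration. No packets are sent (that would need a raw socket)."""
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
HEADER = "!BBHHH"          # type, code, checksum, identifier, sequence


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd length
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Echo message with checksum computed over header + payload (checksum field zeroed)."""
    header = struct.pack(HEADER, icmp_type, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack(HEADER, icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Validate the checksum and unpack the header. A correct packet sums to 0
    when the checksum field is included in the computation."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    if internet_checksum(packet) != 0:
        raise ValueError("bad checksum")
    icmp_type, code, _, ident, seq = struct.unpack(HEADER, packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def make_reply(request: bytes) -> bytes:
    """What the target host does: echo the id, sequence and payload back with type 0."""
    req = parse_echo(request)
    if req["type"] != ICMP_ECHO_REQUEST:
        raise ValueError("not an echo request")
    return build_echo(req["id"], req["seq"], req["payload"], ICMP_ECHO_REPLY)


if __name__ == "__main__":
    req = build_echo(0x1234, 1, b"abcdefgh")
    print(req.hex())
    print(parse_echo(make_reply(req)))
```

The identifier and sequence fields are how ping matches a reply to the request it sent; a reply whose payload or id does not match is discarded, which is the check that matters if you ever see unexpected echo replies on a sensor.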
Port 21
FTP File Transfer Protocol
Port 22
SSH (Secure Shell); SFTP (SSH File Transfer Protocol) runs over SSH and therefore also uses port 22
Port 23
Telnet
Port 25
Port 25, Simple Mail Transfer Protocol (SMTP) is the default unencrypted port for sending email messages. Since it is unencrypted, data contained within the emails could be discovered by network sniffing.
Port 37
Port 37, Time Protocol (RFC 868), may be in use by legacy equipment and has mostly been replaced by Network Time Protocol (NTP) on port 123. Time Protocol returns only a whole-second timestamp; NTP provides sub-second synchronization with a stratum hierarchy and error bounds.
Port 53
Port 53, Domain Name System (DNS), is still used widely and carries queries in plaintext. Using DNS over TLS (DoT) on port 853 protects DNS traffic from being read or modified in transit.
Port 143
Port 143, Internet Message Access Protocol (IMAP), is a protocol used for retrieving emails. IMAP traffic on port 143 is not encrypted and is susceptible to network sniffing. The secure alternative is IMAPS on port 993, which wraps the session in TLS to encrypt the data between the mail client and the mail server.
Port 161/162
Ports 161 and 162, Simple Network Management Protocol, are commonly used to send and receive data for managing infrastructure devices: 161 for queries to the managed device, 162 for traps it sends to the manager. SNMPv1 and v2c send their community strings in cleartext; SNMPv3 adds authentication and encryption.
Port 445
Port 445, Server Message Block (SMB), is used by many versions of Windows for accessing files over the network. Older dialects transmit files unencrypted (SMB 3 can encrypt), and many vulnerabilities in SMB implementations are well known, so the port should not be reachable from untrusted networks.
Port 389
Port 389, Lightweight Directory Access Protocol (LDAP), is used to communicate directory information from servers to clients. This can be an address book for email or usernames for logins. Plain LDAP on 389 sends binds in cleartext unless StartTLS is used; LDAPS on port 636 wraps the session in TLS. The LDAP protocol also allows records in the directory to be updated, introducing additional risk.
Port 443
HTTPS
HyperText Transfer Protocol Secure
Port 445
SMB
Server Message Block
Port 3389
RDP
Remote Desktop Protocol