NETACAD 16 NETWORK SECURITY Flashcards
Who is a threat actor?
Intruders who gain access by modifying software or exploiting software vulnerabilities are called threat actors.
Describe 4 types of threats that arise after a threat actor gains access to the network
Information theft is breaking into a computer to obtain confidential information. Information can be used or sold for various purposes such as when someone is stealing proprietary information of an organization, like research and development data.
Data loss and manipulation is breaking into a computer to destroy or alter data records. An example of data loss is a threat actor sending a virus that reformats a computer hard drive. An example of data manipulation is breaking into a records system to change information, such as the price of an item.
Identity theft is a form of information theft where personal information is stolen for the purpose of taking over the identity of someone. Using this information, a threat actor can obtain legal documents, apply for credit, and make unauthorized online purchases. Identity theft is a growing problem costing billions of dollars per year.
Disruption of Service
Disruption of service is preventing legitimate users from accessing services to which they are entitled. Examples include denial of service (DoS) attacks on servers, network devices, or network communications links.
What is a vulnerability?
Vulnerability is the degree of weakness in a network or a device. Some degree of vulnerability is inherent in routers, switches, desktops, servers, and even security devices. Typically, the network devices under attack are the endpoints, such as servers and desktop computers.
What are the three primary vulnerabilities or weaknesses
technological, configuration, and security policy
Describe technological vulnerabilities
TCP/IP Protocol Weakness
Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Internet Control Message Protocol (ICMP) are inherently insecure.
Simple Network Management Protocol (SNMP) and Simple Mail Transfer Protocol (SMTP) are related to the inherently insecure structure upon which TCP was designed.
Operating System Weakness
Each operating system has security problems that must be addressed.
UNIX, Linux, Mac OS, Mac OS X, Windows Server 2012, Windows 7, Windows 8
They are documented in the Computer Emergency Response Team (CERT) archives at http://www.cert.org
Network Equipment Weakness
Various types of network equipment, such as routers, firewalls, and switches, have security weaknesses that must be recognized and protected against. Their weaknesses include password protection, lack of authentication, routing protocols, and firewall holes.
Describe configuration vulnerabilities
Unsecured user accounts User account information may be transmitted insecurely across the network, exposing usernames and passwords to threat actors.
System accounts with easily guessed passwords This common problem is the result of poorly created user passwords.
Misconfigured internet services Turning on JavaScript in web browsers enables attacks by way of JavaScript controlled by threat actors when accessing untrusted sites. Other potential sources of weaknesses include misconfigured terminal services, FTP, or web servers (e.g., Microsoft Internet Information Services (IIS) and Apache HTTP Server).
Unsecured default settings within products Many products have default settings that create or enable holes in security.
Misconfigured network equipment Misconfigurations of the equipment itself can cause significant security problems. For example, misconfigured access lists, routing protocols, or SNMP community strings can create or enable holes in security.
Describe policy vulnerabilities
Lack of written security policy A security policy cannot be consistently applied or enforced if it is not written down.
Politics Political battles and turf wars can make it difficult to implement a consistent security policy.
Lack of authentication continuity Poorly chosen, easily cracked, or default passwords can allow unauthorized access to the network.
Logical access controls not applied Inadequate monitoring and auditing allow attacks and unauthorized use to continue, wasting company resources. This could result in legal action or termination against IT technicians, IT management, or even company leadership that allows these unsafe conditions to persist.
Software and hardware installation and changes do not follow policy Unauthorized changes to the network topology or installation of unapproved applications create or enable holes in security.
Disaster recovery plan is nonexistent The lack of a disaster recovery plan allows chaos, panic, and confusion to occur when a natural disaster occurs or a threat actor attacks the enterprise.
Describe the four classes of physical threats
Hardware threats - This includes physical damage to servers, routers, switches, cabling plant, and workstations.
Environmental threats - This includes temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry).
Electrical threats - This includes voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss.
Maintenance threats - This includes poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling.
What is malware
Malware is short for malicious software. It is code or software specifically designed to damage, disrupt, steal, or inflict “bad” or illegitimate action on data, hosts, or networks. Viruses, worms, and Trojan horses are types of malware.
Describe viruses
A computer virus is a type of malware that propagates by inserting a copy of itself into, and becoming part of, another program. It spreads from one computer to another, leaving infections as it travels. Viruses can range in severity from causing mildly annoying effects, to damaging data or software and causing denial of service (DoS) conditions. Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program. When the host code is executed, the viral code is executed as well. Normally, the host program keeps functioning after the virus infects it. However, some viruses overwrite other programs with copies of themselves, which destroys the host program altogether. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected email attachments.
Describe worms
Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. A worm does not need to attach to a program to infect a host; it enters a computer through a vulnerability in the system. Worms take advantage of system features to travel through the network unaided.
Describe Trojan Horse
A Trojan horse is another type of malware named after the wooden horse the Greeks used to infiltrate Troy. It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (with excessive pop-up windows or changing the desktop) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojan horses are also known to create back doors to give malicious users access to the system.
Unlike viruses and worms, Trojan horses do not reproduce by infecting other files. Trojan horses must spread through user interaction such as opening an email attachment or downloading and running a file from the internet.
What are the categories of network attacks
Reconnaissance attacks - The discovery and mapping of systems, services, or vulnerabilities.
Access attacks - The unauthorized manipulation of data, system access, or user privileges.
Denial of service - The disabling or corruption of networks, systems, or services.
Describe reconnaissance attacks
For reconnaissance attacks, external threat actors can use internet tools, such as the nslookup and whois utilities, to easily determine the IP address space assigned to a given corporation or entity. After the IP address space is determined, a threat actor can then ping the publicly available IP addresses to identify the addresses that are active. To help automate this step, a threat actor may use a ping sweep tool, such as fping or gping. This systematically pings all network addresses in a given range or subnet. This is similar to going through a section of a telephone book and calling each number to see who answers.
Describe types of reconnaissance attack tools
Internet Queries
The threat actor is looking for initial information about a target. Various tools can be used, including Google search, the websites of organizations, whois, and more.
Ping Sweeps
The threat actor initiates a ping sweep to determine which IP addresses are active.
Port Scans
A threat actor performs a port scan on the discovered active IP addresses.