Network Security Flashcards
A person, device, location, or information that SecOps aims to protect from attack
Asset
An action taken by a threat that exploits a vulnerability that attempts to either block authorized access to an asset, or to gain unauthorized access to an asset.
Attack
The potential of a threat to exploit a vulnerability via an attack.
Risk
The abbreviation for IT security operations; a discipline within IT responsible for protecting assets by reducing the risk of attacks.
SecOps
Something or someone that can exploit a vulnerability to attack an asset.
Threat
A weakness in software, hardware, facilities, or humans that can be exploited by a threat.
Vulnerability
An indispensable tool for detecting vulnerabilities within servers, computers, and network devices; it can be cloud-based or installed as a software application on your laptop or on a dedicated security server.
vulnerability scanner
It is important to regularly run these scanners within your network for early identification and mitigation of new vulnerabilities.
The best electronic security in the world will not help you if your physical security is weak. Even the best encryption on the market today can be eventually overcome through sheer brute force methods of trying key after key until one finally unlocks your secrets.
Poor Physical Security Measures.
You need to protect your assets with both physical and electronic security measures.
*Poor Physical Security Measures
*Weak Passwords or Using Default Passwords
*Misconfigured Firewall Rules
*Personal Devices Within the Network
*Advanced Persistent Threats
*Zero-Day: Protecting Against the Unknown
some common vulnerabilities
The virus or malware remains undetected while it sits idle for long periods, perhaps months, just waiting for the right time.
advanced persistent threat (APT)
It lies in wait for some preordained time or a trigger from an outside source, at which point it unleashes its attack.
It sits idle long enough to ensure that it has been added to as many backups as possible so that even if you restore from backup, you have no choice but to comply with the attacker.
advanced persistent threat (APT)
A vulnerability that is not yet publicly known, meaning there is no patch available to mitigate it.
zero-day
*Vulnerability Testers
*Blue, Red, White, and Purple Teams
*Hackers: White Hat, Black Hat, and Gray Hat
*Insider Threats
*Nation States
*Script Kiddies
Attacker Types
Responsible for scanning servers and network devices for known vulnerabilities.
vulnerability tester
The team that attempts to compromise the security.
red team
The team that defends.
blue team
A neutral team that observes the exercise and may even serve as referee.
white team
The red and blue teams engage; then, when certain success criteria are met, the teams debrief, cross-train each other, and repeat.
purple team
Also known as an "iterate and improve" model.
Hackers who are IT professionals specializing in penetrating or compromising network security, but only to help an organization improve its own security posture. They perform attacks only when authorized to do so and, to the fullest extent possible, remain in compliance with any and all laws governing such behavior.
white hat hackers
May or may not be IT professionals, but possess the knowledge and the will to breach systems for profit.
black hat hackers
A group of people who may or may not be IT professionals and may or may not choose to break laws in pursuit of their hacking goals. They have no malicious intent in their actions, but they may not have obtained permission to perform the attack.
gray hat hackers
Because they already have access to systems, they are in a position to hack from inside the network, often undetected. Not all such threats are malicious in nature: accidents happen, and if your account was granted extraordinary privileges, you could accidentally impact a large number of users with a single incorrect command.
insider threats
The key to success is restricting access to the minimum set of permissions needed to perform the job and enabling audit logging of all administrative actions, so that you can later determine the cause of mysterious changes.
Intellectual property theft through industrial espionage is a very real concern for many companies. The bigger threat is that they have substantially larger budgets to hire hackers than the average criminal enterprise.
nation states
Copycat criminals of the hacking community. They typically hack out of pure curiosity or for entertainment and often use poorly documented tools or scripts written by much more advanced hackers. They have no formal InfoSec training and are typically not IT professionals. It is this lack of knowledge that contributes to the unpredictability of their actions and the random levels of damage that result from their attacks.
Script kiddies
Someone or something that can exploit a vulnerability to attack an asset. That means a threat could be a person (knowingly or not), a software program, or even a natural disaster.
threat
*eavesdropping methods
*discovery techniques
*service disruptions
*remote code execution
*wiretapping
*port scanning
*taking control
*spoofing
*Denial-of-service (DoS)
*Social Engineering
common network attacks
Any process that allows an attacker to electronically eavesdrop on a conversation, whether between two humans or two computers.
wiretapping
This attack can also include putting special wiretaps in-line with a computer's network cable and then using a device called a "packet sniffer" to listen to and record the traffic on the network.
wiretapping
To combat this problem, some organizations exclusively use fiber optic cables in their high-security areas. Though fiber optic cables are not immune to all ____ attacks, they are immune to EMF listening devices because fiber optic cables use photons (light) instead of electrons to transmit information.
wiretapping
An application can systematically check each of these ports by sending thousands of TCP/IP packets to the victim's computer, each packet on a different TCP port.
port scanning
For the attacker, this is easy because most network-accessible services open TCP ports to accept connections from legitimate client computers. An attacker just needs to send traffic to each and every port to learn which services are running.
Allows an attacker to take control of a database server by inserting special commands into input boxes instead of entering basic text.
SQL injection
Instead of entering regular text, the user or attacker enters a specially crafted string of text that includes SQL commands designed to take control of the server.
This attack is made possible by applications that do not properly validate user input for extraneous content. In this case, the attacker purposefully enters text that is too large to fit within a region of memory.
buffer overflow
This is not a regular or even random string of characters, though; it is compiled code containing executable instructions that will grant the attacker control of the server. If the attacker correctly guesses the exact size of the memory buffer, the attacker can overflow it and trick the CPU into executing the rogue instructions.
There are two main protections against these attacks. The first is to review your source code and verify that all user input fields are checked for oversized or unexpected values. The second is to enable the NX-bit (no-execute) functionality on the physical computer or VM to tag memory buffers as containing either storage (data) or CPU instructions (code). With the NX-bit enabled, the CPU will only execute the contents of memory buffers identified as code.
A popular attack vector is buffer overflow.
A well-known attack called SQL injection.
To gain access to the information, the attacker needs to get into the middle of the conversation; however, to do so, the attacker must impersonate the sender and receiver of the traffic.
spoofing its identity
An attacker wants to intercept the communication between a client computer (client) and a server. The attacker will likely use two network interfaces, one spoofed to look like the server and another spoofed to look like the client. When the real client attempts to contact the server, the attacker's computer responds to the client and captures the request. The attacker then replays that connection request from their computer using the network interface that has been spoofed to appear as the client. The server exchanges information with the attacker, believing the attacker is the client, and the attacker then forwards the response back to the actual client so that no one notices the break in connection.
spoofing
A technique attackers use to cause an Ethernet switch to flood all traffic to every port on the switch, including the attacker's computer.
spoofing variant: ARP poisoning
Denies someone access to a service, usually by overwhelming the victim with enormous amounts of useless traffic.
denial-of-service (DoS)
Uses features within ICMP, such as "ping."
Attackers learned that they could forge the source address of the echo-request, making the target computer believe the request came from another location and correspondingly send its echo-reply packets to another computer rather than to the attacker. This redirection allows the attacker to continue attacking with minimal stress on the attacker's computer.
DoS
A trick whereby the attacker sends the victim a malformed ICMP packet that causes the victim's computer to crash or stop functioning on the network.
the ping of death
This attack overwhelms a victim's computer with an immense volume of ICMP echo-request packets, all containing a forged, randomized source address. The victim's computer automatically begins sending ICMP echo-reply packets to all these forged source addresses, which eventually overwhelms the victim's computer so that it cannot do its normal job.
ping flood
Potentially thousands of computers will bombard the victim. The attacker sends a forged ICMP echo-request packet to the broadcast address of a large IP subnet, which means that a massive number of computers all receive the message, and the attacker specifies the victim's address as the source address. As each of the hundreds or thousands of computers receives the ICMP echo-request packet, each responds by sending an ICMP echo-reply packet to the victim's address, thereby crippling its network connection.
Smurf attack
Attacks that cause the victim's computer to consume excessive CPU time as it constantly sets up and tears down thousands of SSL encryption sessions over and over.
DDoS attack: SSL attacks
This is a man-in-the-middle attack where the attacker impersonates the sender and receiver of the traffic. The server unknowingly exchanges information with the attacker, believing they are the client; then the attacker forwards the information to the client so nobody notices a break in connection.
spoofing
This form of attack can include putting special taps in-line with a computer's network cable and then using a packet sniffer to listen to and record the traffic on the network.
wiretapping
If an attacker gains access to your files or to your physical computers, the attacker can simply steal a copy of the data and crack the encryption at their own pace.
poor physical security measures
social engineering
This is the act of manipulating human trust to gain access or information. Examples include impersonation and phishing.
How does a Smurf attack operate?
It spoofs the source address of all ICMP packets.
A Smurf attack attempts to spoof the source address of ICMP packets and broadcast to the network in an attempt to flood it.
Which software protection provides malware identification?
Antivirus.
Antivirus software protects against malware, identifies it, quarantines it, and removes it.
Which device provides web content filtering and URL scanning?
Web proxy.
A web proxy filters internet content and performs security checks on sites visited, files downloaded, etc.
A server or device that is configured to look very authentic, potentially containing data that appears to be legitimate user data or configuration files that seem authentic.
honeypot
Also known as a "tar pit" because it is intended to attract or distract would-be attackers from the actual targets on the network. The goal of the honeypot is to provide a false positive for hackers, whereby the attacker breaches the honeypot and believes the data it contains is the target's actual data.
Similar to a honeypot in that it contains fictitious data; however, the server is also designed to slow down the attacker so that tracing information can be obtained by the intrusion detection system (IDS).
tar pit
You use multiple tools and methods together in an overlapping manner to create rings or layers of security. If one component is compromised, there should be at least one other obstacle to overcome before the attacker gains access to the system.
defense-in-depth approach to network security
You mix different methods of defense, such as using an application-aware firewall on the perimeter, relying on an intrusion prevention system (IPS) within the network, and running a firewall and anti-malware software on the servers.
The plan should first help contain the damage from the attack, which may involve quarantining computers or severing network connections, and then work to remove the threat and clean up the damage.
response plan
Be sure to develop and test your containment plans before an attack occurs.