Network Security Flashcards

1
Q

A person, device, location, or information that SecOps aims to protect from attack

A

Asset

2
Q

An action taken by a threat that exploits a vulnerability in an attempt either to block authorized access to an asset or to gain unauthorized access to it.

A

Attack

3
Q

The potential for a threat to exploit a vulnerability via an attack; in practice it is weighed by how likely the attack is and how much damage it would do to the asset.

A

Risk

4
Q

The abbreviation for IT security operations: the discipline within IT responsible for protecting assets by reducing the risk of attacks.

A

SecOps

5
Q

Something or someone that can exploit a vulnerability to attack an asset.

A

Threat

6
Q

A weakness in software, hardware, facilities, or humans that can be exploited by a threat.

A

Vulnerability

7
Q

An indispensable tool for detecting known vulnerabilities in servers, computers, and network devices. It can be cloud-based or installed as a software application on a laptop or on a dedicated security server.

A

vulnerability scanner
Run these scans on a regular schedule, and again after significant changes, so that newly disclosed vulnerabilities are identified and mitigated early. A scanner only reports what its signature database knows about, so keep it updated.

8
Q

The best electronic security in the world will not help you if your physical security is weak. Once an attacker holds a physical copy of your data or device, they can work on it offline at their own pace: weak or default passwords, keys left recoverable on the disk, and brute-force guessing of poorly chosen passphrases all become practical when the attacker has unlimited time and no lockouts or alerts to stop them.

A

Poor Physical Security Measures.
You need to protect your assets with both physical and electronic security measures, for example locked server rooms and cabinets alongside full-disk encryption with a strong passphrase.

9
Q

*Poor Physical Security Measures
*Weak Passwords or Using Default Passwords
*Misconfigured Firewall Rules
*Personal Devices Within the Network
*Advanced Persistent Threats
*Zero-Day: Protecting Against the Unknown

A

some common vulnerabilities

10
Q

Malware that remains undetected while it sits idle in the victim's network for long periods, perhaps months, waiting for the right time to act.

A

advanced persistent threat (APT)
The implant lies in wait for a preordained time or a trigger from an outside source (the attacker's command-and-control channel), at which point it unleashes its attack. The term also names the well-resourced adversaries who run such long-running, targeted intrusions.

11
Q

It sits idle long enough to ensure that it has been copied into as many backups as possible, so that even if you restore from backup the malware comes back and you have no choice but to comply with the attacker's demands.

A

advanced persistent threat (APT)

12
Q

A vulnerability that is not yet known to the vendor or the public, meaning there is no patch available to mitigate it.

A

zero-day

13
Q

*Vulnerability Testers
*Blue, Red, White, and Purple Teams
*Hackers: White Hat, Black Hat, and Gray Hat
*Insider Threats
*Nation States
*Script Kiddies

A

Attacker Types

14
Q

Responsible for scanning servers and network devices for known vulnerabilities, typically with a vulnerability scanner.

A

vulnerability tester

15
Q

The team that plays the attacker in an exercise and attempts to compromise security.

A

red team

16
Q

The team that defends, monitoring for and responding to the red team's activity.

A

blue team

18
Q

The neutral team that observes the exercise and may even serve as referee.

A

white team

19
Q

The red and blue teams engage, and when certain success criteria are met, the teams debrief, cross-train each other, and repeat.

A

purple team
also known as an iterate and improve model

20
Q

Hackers who are IT professionals specializing in penetrating or compromising network security, but only to help an organization improve its own security posture. They perform attacks only when authorized to do so and, to the fullest extent possible, remain in compliance with all laws governing such behavior.

A

white hat hackers

21
Q

May or may not be IT professionals, but possess the knowledge and the will to breach systems for profit.

A

black hat hackers

22
Q

People who may or may not be IT professionals and may or may not choose to break laws in pursuit of their hacking goals. They have no malicious intent, but they may not have obtained permission to perform the attack.

A

gray hat hackers

23
Q

Because they already have access to systems, they are in a position to hack from inside the network, often undetected. Not all such threats are malicious: accidents happen, and if an account has been granted extraordinary privileges, a single incorrect command can impact a large number of users.

A

insider threats
The key to success is restricting each account to the minimum set of permissions needed to perform the job (least privilege) and enabling audit logging of all administrative actions so that you can later determine the cause of unexplained changes.

24
Q

Intellectual property theft through industrial espionage is a very real concern for many companies. The bigger threat is that nation states have substantially larger budgets to hire hackers than the average criminal enterprise does.

A

nation states

25
Q

The copycat criminals of the hacking community. They typically hack out of pure curiosity or for entertainment and often use poorly documented tools or scripts written by far more advanced hackers, without understanding how they work. They have no formal InfoSec training and are typically not IT professionals; it is this lack of knowledge that makes their actions unpredictable and the damage from their attacks random.

A

Script kiddies

26
Q

Someone or something that can exploit a vulnerability to attack an asset. A threat can therefore be a person (knowingly or not), a software program, or even a natural disaster.

A

threat

27
Q

*eavesdropping methods
*discovery techniques
*service disruptions
*remote code execution
*wiretapping
*port scanning
*taking control
*spoofing
*denial-of-service (DoS)
*social engineering

A

common network attacks

28
Q

Any process that allows an attacker to electronically eavesdrop on a conversation, whether between two humans or two computers.

A

wiretapping

29
Q

This attack can also include placing a tap in-line with a computer's network cable and then using a "packet sniffer" to listen to and record the traffic on the network.

A

wiretapping

30
Q

To combat this problem, some organizations use only fiber optic cables in their high-security areas. Fiber is not immune to all ____ attacks (a physical splice can still be tapped), but it is immune to electromagnetic (EMF) listening devices: it carries photons (light) rather than electrons, so there is no electromagnetic field around the cable from which a signal could be induced.

A

wiretapping

30
Q

A scanner application systematically checks each of the 65,535 TCP ports by sending packets to the victim's computer, one per port, and noting which ports answer.

A

port scanning
For the attacker this is easy because most network-accessible services listen on TCP ports to accept connections from legitimate clients. The attacker just needs to send traffic to every port and watch the responses (a SYN-ACK means a service is listening, a RST means the port is closed, silence usually means a firewall dropped the probe) to learn which services are running.

31
Q

Allows an attacker to take control of a database server by entering SQL commands into input boxes instead of ordinary text.

A

SQL injection
Instead of entering regular text, the attacker enters a specially crafted string that the application splices into its SQL query, so the embedded SQL commands are executed by the database. The fix is to keep user input out of the query text altogether by using parameterized queries.
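The card describes the injectable pattern (user input pasted into the query text) and the fix (parameterized queries). The following Python is an added example, not code from the original flashcards: it builds a constructed in-memory SQLite users table, exposes a deliberately injectable login beside a parameterized one, and shows that the same payloads that bypass the first are treated as plain data by the second. Table layout, user records and payloads are all invented for the example; passwords are stored in plaintext only to keep the demonstration short.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Splices user input into the SQL text: the injectable form the card describes."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Parameterized query: the driver passes the values separately from the SQL text,
    so quotes, comment markers and keywords inside the input are never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo():
    """Run honest and injected logins through both versions and return the rows seen."""
    conn = make_db()
    # Closes the string literal after 'alice', then comments out the password check.
    comment_payload = "alice' --"
    # Makes the WHERE clause true for every row (AND binds tighter than OR).
    tautology = "' OR '1'='1"
    return {
        "honest_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "injected_vulnerable": login_vulnerable(conn, comment_payload, "wrong"),
        "tautology_vulnerable": login_vulnerable(conn, tautology, tautology),
        "honest_safe": login_safe(conn, "alice", "correct-horse"),
        "injected_safe": login_safe(conn, comment_payload, "wrong"),
        "tautology_safe": login_safe(conn, tautology, tautology),
    }
```

Both injected logins against `login_vulnerable` return the admin row without the password, while `login_safe` returns nothing for them because the database is asked for a user literally named `alice' --`. The same discipline (never build query text from input; bind values) is the code-review check the later "two main protections" card calls for.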

32
Q

An attack made possible by applications that do not properly validate the length of user input. The attacker deliberately supplies input larger than the region of memory (the buffer) set aside for it, so the excess overwrites adjacent memory.

A

buffer overflow
The excess is not ordinary or random text; it typically contains machine code (shellcode) together with values chosen to overwrite a saved return address or function pointer. If the attacker correctly works out the size of the buffer and the layout of the surrounding memory, the overflow redirects the CPU into executing the rogue instructions.

33
Q

There are two main protections against these attacks. The first is to review your source code and verify that every user input field is checked for unexpected or oversized values (length, type, and format). The second is to enable the NX bit (no-execute) on the physical computer or VM: with it the operating system marks each memory page as either data or code, and the CPU refuses to execute instructions fetched from a page marked as data (Windows calls this feature DEP). NX defeats the simplest overflow payloads but not every variant, so it complements input validation rather than replacing it.

A

buffer overflow (and, for the input-validation point, the equally well-known SQL injection attack)

34
Q

To gain access to the information, the attacker needs to get into the middle of the conversation; to do so, the attacker must impersonate both the sender and the receiver of the traffic.

A

spoofing its identity (a man-in-the-middle attack)

35
Q

An attacker wants to intercept the communication between a client computer and a server. The attacker will likely use two network interfaces, one spoofed to look like the server and another spoofed to look like the client. When the real client attempts to contact the server, the attacker's computer responds to the client and captures the request. The attacker then replays that connection request from the interface that appears to be the client. The server exchanges information with the attacker, believing the attacker is the client, and the attacker forwards the response back to the real client so that no one notices the break in the connection.

A

spoofing

36
Q

A spoofing variant in which the attacker sends forged ARP replies so that hosts on the LAN associate another machine's IP address (typically the gateway's) with the attacker's MAC address, causing the Ethernet switch to deliver that traffic to the attacker's port. (A related trick, MAC flooding, overflows the switch's address table so that it floods all traffic to every port, including the attacker's.)

A

spoofing variant: ARP poisoning
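ARP poisoning leaves a simple trace on the wire: an IP address that suddenly answers from a different MAC, and one MAC answering for several IPs (the attacker impersonating both ends, as the man-in-the-middle card above describes). The following Python is an added example, not part of the original flashcards: it runs those two checks over constructed ARP reply observations (invented for the example, not a real capture). The record format, the optional trusted-binding table and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed ARP reply observations (timestamp, sender IP, sender MAC), as a passive
# sensor on the LAN would record them. Invented for this example, not a real capture.
ARP_REPLIES = [
    (1, "10.0.0.1",  "aa:bb:cc:00:00:01"),   # gateway announces its real MAC
    (2, "10.0.0.20", "aa:bb:cc:00:00:20"),   # a client workstation
    (3, "10.0.0.1",  "aa:bb:cc:00:00:01"),
    (4, "10.0.0.1",  "de:ad:be:ef:00:99"),   # attacker claims the gateway's IP
    (5, "10.0.0.1",  "de:ad:be:ef:00:99"),
    (6, "10.0.0.20", "de:ad:be:ef:00:99"),   # ...and the client's IP, to sit in the middle
]


def detect_arp_poisoning(replies, trusted=None):
    """Flag every reply whose IP-to-MAC binding differs from the trusted table or,
    when no trusted entry exists, from the binding first seen for that IP."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    first_seen = {}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        expected = trusted.get(ip) or first_seen.get(ip)
        if expected is None:
            first_seen[ip] = mac          # learn the binding on first sight
        elif mac != expected:
            alerts.append({"time": ts, "ip": ip, "expected": expected, "observed": mac})
    return alerts


def macs_claiming_many_ips(replies):
    """A single MAC answering for several IPs is the signature of a man-in-the-middle
    that impersonates both the gateway and the victim."""
    claimed = defaultdict(set)
    for _, ip, mac in replies:
        claimed[mac.lower()].add(ip)
    return {mac: ips for mac, ips in claimed.items() if len(ips) > 1}
```

Learning bindings on first sight (what tools such as arpwatch do) has an obvious gap: if the attacker is already poisoning the table when monitoring starts, the forged binding becomes the baseline, so supply a trusted table for at least the gateway. The second check needs an allow-list in real networks, since a router or a host with several addresses legitimately answers for more than one IP.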

37
Q

Denies someone access to a service, usually by overwhelming the victim with enormous amounts of useless traffic.

A

denial-of-service (DoS)
Many classic variants use features of ICMP, such as "ping" (echo-request and echo-reply).

38
Q

Attackers learned that they could forge the source address of the echo-request, making the target computer believe the request came from another location and send its echo-reply packets to that computer rather than to the attacker. This reflection lets the attacker keep attacking with minimal load on their own computer and hides where the traffic really came from.

A

DoS

39
Q

A trick whereby the attacker sends the victim a malformed ICMP packet (an oversized echo-request whose fragments reassemble to more than the 65,535-byte IP maximum) that causes the victim's computer to crash or stop functioning on the network.

A

the ping of death

40
Q

An attack that overwhelms a victim's computer with an immense volume of ICMP echo-request packets, each containing a forged, randomized source address. The victim's computer dutifully sends ICMP echo-reply packets to all these forged addresses, which eventually overwhelms it so that it cannot do its normal job.

A

ping flood

41
Q

Potentially thousands of computers bombard the victim. The attacker sends a forged ICMP echo-request packet to the broadcast address of a large IP subnet, so that a massive number of computers receive the message, and specifies the victim's address as the source address. As each of the hundreds or thousands of computers receives the echo-request, it responds with an ICMP echo-reply to the victim's address, crippling its network connection. (Routers now drop such directed broadcasts by default, which is why this particular attack has largely died out.)

A

Smurf attack
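Two of the patterns described on this page, one host sweeping many ports (the port scanning card) and many hosts' echo-replies converging on a victim that never sent a request (the ping flood and Smurf cards), are easy to pick out of flow logs with threshold rules. The following Python is an added example, not part of the original flashcards: it parses constructed flow records (invented for the example) and applies both detections. The record format, field names, thresholds and window sizes are assumptions.

```python
from collections import defaultdict

# Constructed flow records, one per line as key=value fields. Invented for this example.
# Lines 1-7: one source touching seven distinct ports on 10.0.0.9 within four seconds.
# Lines 8-9: a legitimate client hitting the web port twice.
# Generated tail: fifty hosts on one /24 all sending ICMP echo-replies (type 0) to
# 10.0.0.9 at the same instant, although 10.0.0.9 sent no echo-request: a Smurf signature.
SAMPLE_FLOWS = """\
t=100 src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=21
t=100 src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=22
t=101 src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=23
t=101 src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=25
t=102 src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=80
t=102 src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=443
t=103 src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=3389
t=105 src=10.0.0.7 dst=10.0.0.9 proto=tcp dport=443
t=106 src=10.0.0.7 dst=10.0.0.9 proto=tcp dport=443
""" + "\n".join(
    f"t=200 src=198.51.100.{i} dst=10.0.0.9 proto=icmp type=0" for i in range(1, 51)
)


def parse_flows(text):
    """Turn key=value lines into dicts; timestamps become integers."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(field.split("=", 1) for field in line.split())
        rec["t"] = int(rec["t"])
        flows.append(rec)
    return flows


def detect_port_scans(flows, min_ports=5, window=60):
    """One source probing at least min_ports distinct TCP ports on one host within window."""
    by_pair = defaultdict(list)
    for f in flows:
        if f.get("proto") == "tcp":
            by_pair[(f["src"], f["dst"])].append((f["t"], int(f["dport"])))
    alerts = []
    for (src, dst), probes in by_pair.items():
        probes.sort()
        best = 0
        for i, (t0, _) in enumerate(probes):          # slide a window over the probes
            ports = {p for t, p in probes[i:] if t - t0 <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            alerts.append({"kind": "port-scan", "src": src, "dst": dst, "ports": best})
    return alerts


def detect_icmp_reflection(flows, min_sources=20, window=10):
    """Echo-replies from many distinct sources to a host that sent no echo-request:
    the victim's view of a Smurf or other spoofed-source reflection attack."""
    replies = defaultdict(list)       # dst -> [(t, src)]
    requests_sent = defaultdict(set)  # src -> {t} of echo-requests it originated
    for f in flows:
        if f.get("proto") != "icmp":
            continue
        if f["type"] == "0":
            replies[f["dst"]].append((f["t"], f["src"]))
        elif f["type"] == "8":
            requests_sent[f["src"]].add(f["t"])
    alerts = []
    for dst, items in replies.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            sources = {s for t, s in items[i:] if t - t0 <= window}
            if len(sources) < min_sources:
                continue
            # Replies the victim actually asked for point to a burst, not a reflection.
            solicited = any(t0 - window <= t <= t0 + window for t in requests_sent[dst])
            alerts.append({"kind": "icmp-burst" if solicited else "smurf-reflection",
                           "dst": dst, "sources": len(sources), "t": t0})
            break  # one alert per victim is enough
    return alerts


def analyse(text=SAMPLE_FLOWS):
    flows = parse_flows(text)
    return detect_port_scans(flows) + detect_icmp_reflection(flows)
```

On the sample the scan rule fires once (10.0.0.5 touched seven ports) and the reflection rule once (fifty unsolicited echo-replies). Thresholds are the whole game here: too low and a monitoring system polling a dozen ports becomes a "scan", too high and a slow scan spread over hours slips under the window, so tune them to what the network normally does.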

42
Q

Cause the victim's server to consume excessive CPU time as it constantly sets up and tears down thousands of SSL/TLS encryption sessions; the server's side of the handshake costs far more than the client's, so a modest number of attacking machines can exhaust it.

A

DDoS attack: SSL (TLS) handshake attacks

43
Q

This is a man-in-the-middle attack where the attacker impersonates the sender and receiver of the traffic. The server unknowingly exchanges information with the attacker, believing they are the client, then the attacker forwards the information to the client so nobody notices a break in connection.

A

spoofing

44
Q

This form of attack can include putting special taps in-line with a computer's network cable and then using a packet sniffer to listen and record the traffic on the network.

A

wiretapping

45
Q

If an attacker gains access to your files or to your physical computers, the attacker can simply steal a copy of the data and attack its encryption offline at their own pace (guessing passphrases, looking for keys left on the disk), with no lockouts or alerts to stop them.

A

poor physical security measures

46
Q

social engineering

A

This is the act of manipulating human trust to gain access or information. Examples include impersonation and phishing.

47
Q

How does a Smurf attack operate?

A

It spoofs the source address of all ICMP packets.

A Smurf attack forges the victim's address as the source of ICMP echo-requests sent to a subnet's broadcast address, so that every host on that network floods the victim with echo-replies.

48
Q

Which software protection provides malware identification?

A

Antivirus.
Antivirus software protects against malware, identifies it, quarantines it, and removes it.

49
Q

Which device provides web content filtering and URL scanning?

A

Web proxy.
A web proxy filters internet content and performs security checks on sites visited, files downloaded, etc.

50
Q

A server or device configured to look authentic, potentially containing data that appears to be legitimate user data or configuration files that seem real.

A

honeypot
It is intended to attract or distract would-be attackers from the actual targets on the network. The goal is to give the attacker a false sense of success: the attacker breaches the honeypot and believes the data it contains is the target's real data, while every action taken there is logged for the defenders. (A tar pit is a related but distinct device; see the next card.)

51
Q

Similar to a honeypot in that it contains fictitious data; however, the server is also designed to slow the attacker down (for example by responding to connections as slowly as possible) so that tracing information can be gathered by the intrusion detection system (IDS).

A

tar pit

52
Q

You use multiple tools and methods together in an overlapping manner to create rings or layers of security. If one component is compromised, there should be at least one other obstacle to overcome before the attacker gains access to the system.

A

defense-in-depth approach to network security
You mix different methods of defense, such as an application-aware firewall on the perimeter, an intrusion prevention system (IPS) within the network, and a host firewall plus anti-malware software on the servers.

53
Q

The plan should first help contain the damage from the attack, which may involve quarantining computers or severing network connections, and then work to remove the threat and clean up the damage.

A

incident response plan
Be sure to develop and test your containment plans before an attack occurs; a plan that has never been rehearsed will fail at the worst possible moment.