Network Security Concepts Flashcards
Reasons for Network Security
- Directly related to business continuity
- breaches disrupt e-commerce and cause loss of data
- breaches can result in lost revenue
5 Security terms in Risk Management
Asset, Vulnerability, Threat, Risk, Countermeasure
Traffic Light Protocol (TLP)
A set of designations used to ensure that sensitive information is shared only with the correct audience. It employs four colors to indicate different degrees of sensitivity:
(red, amber, green, white) = (don't share outside of the group, don't share outside of the organization, don't share outside of partnered organizations, share freely)
Network Vulnerabilities can stem from:
Policy flaws, design errors, protocol weaknesses, misconfiguration, software vulnerabilities, human factors, malicious software, hardware vulnerabilities, physical access to network resources.
Common control methods that are used to implement countermeasures in network security:
Administrative: Written policies, procedures, guidelines and standards
Physical: Physical security for network equipment and servers.
Technical or Logical: Controls used to provide access to data in a manner that conforms to management policies: passwords, firewalls, intrusion prevention systems, access lists, VPN tunnels, etc.
3 network security objective categories (CIA triad)
Confidentiality
Integrity
Availability
Confidentiality
Different methods of confidentiality are put in place to prevent sensitive information from reaching the wrong people, while making sure that only the right people can access it. (data at rest and data in motion)
Methods of implementing confidentiality:
- Data encryption
- User IDs and passwords
- two-factor authentication
- biometric verification
- security tokens
- key fobs
- soft tokens
Integrity
- involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle.
- all about data not being changed, and the steps that must be taken to ensure that data cannot be altered by unauthorized people.
- can include checksums or even cryptographic checksums for verification of integrity
Availability
- Availability is all about making sure that your data is always available with a minimum of downtime
Factors that pertain to availability
- maintaining all hardware
- maintaining a correctly functioning OS environment
- keep current with all necessary system upgrades
- adequate communication bandwidth and preventing the occurrence of bottlenecks
- redundancy
- failover
- RAID
- High-availability Clusters
Security Information Event Management (SIEM)
- is a technology used in enterprise organizations to provide real-time reporting and long-term analysis of security events.
- evolved from Security Information Management (SIM) and Security Event Management (SEM)
- can be implemented as software, integrated with Cisco Identity Services Engine (ISE), or as a managed service
SIEM provides details on the source of suspicious activity, including:
- User information (name, authentication status, location, authorization group, quarantine status)
- Device information (manufacturer, model, OS version, MAC address, network connection method, location)
- Posture information (device compliance with corporate security policy, antivirus version, OS patches, compliance with mobile device management policy)
Using the information provided by SIEM, what questions can network security engineers answer?
- Who is associated with this event?
- is it an important user with access to intellectual property or sensitive information?
- is the user authorized to access that resource?
- does the user have access to other sensitive resources?
- what kind of device is being used?
- does this event represent a potential compliance issue?
Internet of Things (IoT) Privacy
- is about special considerations that are required to protect the information of individuals from exposure in the IoT environment
- in this environment almost any physical or logical entity or object can be given a unique identifier and the ability to communicate autonomously over the internet or a similar network
IoT Security
- is a special challenge because the IoT consists of so many internet-enabled devices other than computers, which often go unpatched and are often configured with default or weak passwords
- these devices must be protected, or IoT could be used as a separate attack vector or as part of a thingbot
Attack Vector
- is a path or other means by which an attacker can gain access to a server, host, or network.
- can originate from inside or outside a network
- internal threats also have the potential to cause greater damage because they have direct access to the building and its devices
Campus Area Network (CAN)
A computer network that links buildings and consists of two or more local area networks within a limited geographical area
Securing Hosts:
Endpoints are secured using various features, including antivirus and anti-malware software, host intrusion protection system features, and 802.1X authentication features
Securing Layer 2 Switches:
Access layer switches are secured; they connect user-facing ports to the network. Several different features can be implemented, such as port security, DHCP snooping, and 802.1X user authentication.
Securing Layer 3 Switches:
Distribution layer switches are secured and provide secure redundant trunk connections to the Layer 2 switches. Several different features can be implemented, such as ACLs, DHCP snooping, Dynamic ARP Inspection (DAI), and IP Source Guard
Mobile Device Management (MDM) Security:
- Industry term for the administration of mobile devices, such as smartphones, tablets, laptops and desktops
- MDM is usually implemented with the use of a third-party product that has management features for particular vendors of mobile devices
Intrusion Prevention System (IPS)
A Cisco intrusion prevention system device continuously monitors incoming and outgoing traffic for malicious activity. It logs information about the activity and attempts to block and report it.
AAA Server
An authentication, authorization, and accounting server authenticates users, authorizes what they are allowed to do, and tracks what they are doing. This can be a RADIUS server or a TACACS+ server.
Firewall
A Cisco Adaptive Security Appliance (ASA) firewall performs stateful packet filtering to filter return traffic from the outside network into the campus network
VPN
The border router is secured. It protects data in motion that is flowing from the CAN to the outside world by establishing Virtual Private Networks (VPNs). VPNs ensure data confidentiality and integrity from authenticated sources.
Small Office/Home Office (SOHO) Security
- Networks, regardless of size, need to be protected; attackers are interested in SOHO networks.
- SOHOs are typically protected using a consumer-grade router such as a Linksys home wireless router
Wireless Hosts Security
Wireless hosts connect to the wireless network using Wi-Fi Protected Access 2 (WPA2) data encryption technology. Hosts typically have antivirus and antimalware software installed.
Wide Area Network
- Wide area networks (WANs) span a wide geographical area, often over the public internet.
- organizations must ensure secure transport for the data in motion as it travels between sites
Mobile Worker
This is a teleworker who can use the Cisco AnyConnect VPN client to establish a secure VPN connection to the main site ASA
SOHO site
This is a small branch site that connects to the corporate main site using a Cisco wireless router. The wireless router can establish a permanent always-on VPN connection to the main site ASA.
Alternatively, the internal SOHO users could use the Cisco AnyConnect VPN client to establish a secure VPN connection to the main site ASA
Regional Site
This is larger than a branch site and connects to the corporate main site using an ASA. The ASA can establish a permanent always-on VPN connection to the main site ASA
Branch Site
This site connects to the corporate main site using a hardened ISR. The ISR can establish a permanent always-on VPN connection to the main site ASA
Data Center Networks
Typically housed in an off-site facility to store sensitive or proprietary data. These sites are interconnected to corporate sites using VPN technology.
- data centers store vast quantities of sensitive, business-critical information; therefore, physical security is critical to their operation.
- physical security isn't just about preventing access but also safety and protection: fire alarms, sprinklers, seismically braced server racks, and redundant heating, ventilation, air conditioning, and UPSs
Data Center Security 2 areas
Outside perimeter security: this can include on-premises guards, fences, gates, continuous video surveillance, and alarms.
Inside perimeter security: this can include video surveillance, electronic motion detectors, security traps, and biometric access and exit sensors
Mantraps
Various ways to implement a mantrap:
- all doors normally unlocked: opening one door causes the others to lock
- all doors normally locked: unlocking one door prevents the others from being unlocked
- one door opened / other locked
- one at a time, controlled groups
- managed control through an area
Network Closet
- if you can touch a device, you can gain access: this is why devices are locked away
- maximizes uptime and availability: secured, with temperature and humidity controls
- control and auditing
Video Monitoring
CCTV (Closed Circuit Television) can replace guards.
Camera properties are important:
- focal length: shorter = wider angle
- depth of field: how much is in focus
- illumination requirements: ability to see in the dark
Often many different cameras are used: different purposes require different camera types
Door Access Controls
- lock and key
- deadbolt
- electronic/keyless
- token based: magnetic swipe or proximity reader
- biometric: hand, fingers, or retina
- multi-factor: smart card and PIN
Clouds and Virtual Networks
- Cloud computing separates the application from the hardware; virtualization separates the OS from the hardware.
- the cloud network consists of physical and virtual servers, which are commonly housed in data centers
Virtual Machines are prone to specific targeted attacks (3)
- Hyperjacking
- Instant-on activation
- antivirus storms
Hyperjacking
An attacker could hijack a VM hypervisor (VM controlling software) and then use it as a launch point to attack other devices on the data center network.
Instant-on Activation
When a VM that has not been used for a period of time is brought online, it may have outdated security policies that deviate from the baseline security and can introduce security vulnerabilities.
Antivirus Storm
This happens when all VMs attempt to download antivirus data files at the same time
Bring Your Own Device (BYOD)
A trend that involves more and more people using computers not provided by the company to access enterprise information.
Critical functions of MDM on a BYOD network
- data encryption
- PIN Enforcement
- Data Wipe
- Data loss prevention (DLP)
- Jailbreak/root Detection
Hacker Meanings
- a clever programmer capable of developing new programs and coding changes to existing programs to make them more efficient
- a network professional that uses sophisticated programming skills to ensure that networks are not vulnerable to attack
- a person who tries to gain unauthorized access to devices on the internet
- individuals who run programs to prevent or slow network access for a large number of users, or who corrupt or wipe out data on servers.
5 Modern Hacking Titles
- Hacktivists
- Script Kiddies
- Vulnerability Broker
- State Sponsored
- Cyber Criminals
Hacktivists
These are grey hat hackers who rally and protest against different political and social ideas. Hacktivists publicly protest against organizations or governments by posting articles and videos, leaking sensitive information, and performing DDoS attacks
Cyber Criminals
These are black hat hackers who are either self-employed or working for large cybercrime organizations. Each year, cyber criminals are responsible for stealing billions of dollars from consumers and businesses.
State Sponsored
Depending on perspective, these are white or black hat hackers who steal government secrets, gather intelligence, and sabotage networks. Their targets are foreign governments, terrorist groups, and corporations. Most countries in the world participate in some degree of state-sponsored hacking.
Vulnerability Broker
These are usually grey hat hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or rewards.
Script Kiddies
The term emerged in the 1990s to refer to teenagers or inexperienced hackers running existing scripts, tools, and exploits, to cause harm, but typically not for profit.
Penetration Testing Tools
- Ethical hacking involves many different types of tools to test and keep the network and its data secure
- Password crackers
- Wireless hacking tools
- Network scanning and hacking tools
- packet crafting tools
- packet sniffers
- rootkit detectors
- fuzzers to search for vulnerabilities
Fuzzers
Tools used by hackers when attempting to discover a computer system's security vulnerabilities.
ex: Skipfish, Wapiti, w3af
Rootkit Detectors
A directory and file integrity checker used by white hats to detect installed rootkits
ex: AIDE, Netfilter, PF: OpenBSD Packet Filter
Packet Sniffers
These tools are used to capture and analyze packets within traditional Ethernet LANs or WANs
ex: Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, SSLstrip
Packet Crafting Tools
These tools are used to probe and test a firewall’s robustness using specially crafted forged packets
ex: Hping, Hping3, Scapy, Socat, Yersinia, Netcat, Nping, Nemesis
Network Scanning and Hacking Tools
Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports
ex: Nmap, SuperScan, Angry IP Scanner, NetScanTools
Wireless Hacking Tools
Wireless networks are more susceptible to network security threats.
Wireless hacking tools are used to intentionally hack into a wireless network to detect security vulnerabilities.
ex: Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, Netstumbler
Password Crackers
Passwords are the most vulnerable security threat. Password cracking tools are often referred to as password recovery tools and can be used to crack or recover a password.
This is accomplished either by removing the original password, after bypassing the data encryption, or by outright discovery of the password.
Password crackers repeatedly make guesses in order to crack the password and access the system.
ex: John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa
Forensic Tools
These tools are used by white hat hackers to sniff out any trace of evidence existing in a particular computer system.
ex: The Sleuth Kit, Helix, Maltego, EnCase
Debuggers
These tools are used by black hats to reverse engineer binary files when writing exploits.
They are also used by white hats when analyzing malware.
Debugging tools include:
- GDB
- WinDbg
- IDA Pro
- Immunity Debugger
Hacking Operating Systems
These are specially designed operating systems preloaded with tools and technologies optimized for hacking.
ex: Kali Linux, SELinux, Knoppix, BackBox Linux
Encryption Tools
These tools safeguard the contents of an organization’s data at rest and data in motion.
Encryption tools use algorithm schemes to encode the data to prevent unauthorized access to the encrypted data.
ex: VeraCrypt, CipherShed, OpenSSH, OpenSSL, Tor, OpenVPN, Stunnel
Vulnerability Exploitation Tools
These tools identify whether a remote host is vulnerable to a security attack.
ex: Metasploit, Core Impact, sqlmap, Social-Engineer Toolkit, Netsparker
Vulnerability Scanners
These tools scan a network or system to identify open ports.
They can also be used to scan for known vulnerabilities and to scan VMs, BYOD devices, and client databases
ex: Nipper, Secunia PSI, Core Impact, Nessus v6, SAINT, OpenVAS