Network Security Fundamentals and Concepts Flashcards

1
Q

The CIA triad is a foundational concept in information security that encompasses three critical principles governing the protection of data and systems. Confidentiality ensures that sensitive information is disclosed only to authorized entities, preventing unauthorized access or disclosure. Integrity focuses on maintaining the accuracy and trustworthiness of data by preventing unauthorized alterations or tampering. Availability ensures that information and resources are accessible and usable by authorized users when needed, safeguarding against disruptions or downtime.

A

CIA Triad

2
Q

Confidentiality is a key aspect of information security that involves preventing unauthorized access to sensitive or private data. It ensures that only individuals with the proper authorization can view or access specific information, protecting it from disclosure to unauthorized parties. Confidentiality measures may include encryption, access controls, and secure communication channels, all working together to maintain the privacy and confidentiality of sensitive data.

A

Confidentiality

3
Q

Integrity in the context of information security refers to the accuracy, consistency, and trustworthiness of data. It involves protecting data from unauthorized modifications, deletions, or alterations, ensuring that information remains reliable and uncorrupted. Integrity measures include checksums, digital signatures, and access controls that prevent unauthorized users from tampering with or compromising the accuracy of data.

A

Integrity

4
Q

Availability is a fundamental principle of the CIA triad that focuses on ensuring timely and reliable access to information and resources. It involves implementing measures to prevent disruptions, downtime, or unauthorized denial of service. Availability measures include redundancy, fault tolerance, and disaster recovery planning, all aimed at ensuring that authorized users can access the necessary resources without interruption.

A

Availability

5
Q

Security principles are foundational guidelines that inform the design and implementation of effective security measures. These principles include the Principle of Least Privilege, Defense in Depth, Separation of Duties, and Accounting/Auditing. Each principle plays a crucial role in creating a robust and comprehensive security framework that addresses different aspects of potential threats and vulnerabilities.

A

Security Principles

6
Q

Data at Rest refers to information that is stored on a physical or electronic medium but is not actively being used or transmitted. It requires protection from unauthorized access during storage to maintain confidentiality.

A

Data at Rest

7
Q

The Principle of Least Privilege is a security concept that advocates granting individuals or systems the minimum level of access or permissions necessary to perform their tasks. By restricting access rights to the essential minimum, this principle minimizes the potential damage that could result from accidental mishandling or intentional misuse of privileges. It reduces the attack surface and helps prevent unauthorized access or abuse of sensitive information, enhancing overall security posture.

A

Principle of Least Privilege

8
Q

Defense in Depth is a security strategy that involves the implementation of multiple layers of security measures to protect systems and data. Instead of relying on a single security mechanism, this approach incorporates a combination of physical, technical, and procedural controls at different levels of an information system. The goal is to create a more resilient and robust defense against various types of threats, ensuring that even if one layer is breached, others remain intact to mitigate the risk and prevent unauthorized access or compromise.

A

Defense in Depth

9
Q

Separation of Duties is a security principle that aims to prevent conflicts of interest and reduce the risk of fraudulent activities by distributing tasks and responsibilities among multiple individuals. The concept ensures that no single person has complete control over a critical process, especially when it involves sensitive or high-risk activities. By dividing responsibilities, organizations can create a system of checks and balances, enhancing accountability and reducing the likelihood of unauthorized access or misuse of privileged information.

A

Separation of Duties

10
Q

Accounting and auditing are essential components of information security that involve monitoring and recording system activities to detect and investigate security incidents. Accounting focuses on tracking the use of resources and the actions of users within a system, generating logs or records for analysis.

A

Accounting

11
Q

Auditing involves the systematic examination of these records to assess the effectiveness of security controls, identify anomalies or potential security breaches, and ensure compliance with security policies and regulations. Together, accounting and auditing contribute to the overall security posture by providing visibility into system activities and potential risks.

A

Auditing

12
Q

In the realm of information security, assets refer to any valuable resource or component within an organization that requires protection. These assets can include physical assets like hardware and facilities, intellectual assets such as software and proprietary information, and human assets like employees and their skills. Identifying and classifying assets is crucial for implementing effective security measures, as it allows organizations to prioritize their protection efforts based on the criticality and sensitivity of each asset.

A

Assets

13
Q

Threats are potential dangers that can exploit vulnerabilities in a system, leading to security breaches and compromises. These threats can be intentional, such as malicious attacks by hackers or insiders, or unintentional, such as natural disasters or system failures. Understanding and categorizing threats is essential for developing robust security strategies and implementing appropriate countermeasures to mitigate the impact of potential risks.

A

Threats

14
Q

Risk, in the context of information security, is the likelihood of a threat exploiting a vulnerability and the potential impact it could have on an organization. It is a combination of the probability of an event occurring and the severity of its consequences. Organizations assess and manage risks to make informed decisions about implementing security controls and allocating resources to protect against potential threats. Effective risk management involves identifying, analyzing, and prioritizing risks to minimize their impact on business operations and information assets.

A

Risk

15
Q

A vulnerability is a weakness or flaw in a system’s design, implementation, or configuration that could be exploited by a threat to compromise the system’s security. Vulnerabilities can exist in software, hardware, processes, or even human behavior. Identifying and patching vulnerabilities is a crucial aspect of maintaining a secure information environment, as attackers often target these weaknesses to gain unauthorized access or cause disruption.

A

Vulnerability

16
Q

Risk management is the systematic process of identifying, assessing, prioritizing, and mitigating risks to an organization’s information assets. It involves implementing strategies and measures to minimize the impact of potential threats and vulnerabilities. Risk management considers the organization’s risk tolerance, business objectives, and available resources to develop a proactive and adaptive approach to security. The goal is to strike a balance between the benefits of innovation and the potential risks associated with the organization’s operations.

A

Risk Management

17
Q

Asset classifications involve categorizing information and resources based on their importance, sensitivity, and criticality to the organization. This classification helps in applying appropriate security measures, allocating resources effectively, and prioritizing protection efforts based on the value and risk associated with each asset. Common asset classifications include public, internal use, confidential, and restricted, each with its corresponding level of security controls.

A

Asset Classifications

18
Q

Security threats encompass potential dangers to information systems and data. These threats can arise from various sources, including human actions, natural disasters, or technical malfunctions. Understanding the types of security threats, such as unauthorized access, malware, or social engineering, is essential for developing comprehensive security strategies and implementing the necessary measures to protect against potential risks.

A

Security Threats

19
Q

Attackers are individuals or entities who intentionally exploit vulnerabilities to compromise the security of information systems. Different types of attackers pose varying levels of threat, each with distinct motives and methods. “Hacker” is a broad term for individuals skilled in computer programming and security, often categorized as ethical or malicious hackers. Criminals engage in cybercrime for financial gain, while terrorists may use cyber attacks for political motives. Disgruntled employees, competitors, and other threat actors contribute to a diverse landscape of attackers, each requiring tailored security measures for effective defense. Understanding the motivations and characteristics of different attacker types is crucial for developing targeted and resilient security strategies.

A

Attacker Types

20
Q

Data in Transit pertains to the movement of data between systems over a network. Security measures for data in transit involve encryption and secure communication protocols to safeguard the information as it traverses the network.

A

Data in Transit

21
Q

Hackers are individuals with advanced computer skills who use their expertise to explore, analyze, and manipulate computer systems. The term “hacker” has evolved to include both ethical hackers, who use their skills to strengthen security, and malicious hackers, who exploit vulnerabilities for various purposes. Ethical hackers, often known as white-hat hackers, contribute to cybersecurity by identifying and fixing weaknesses in systems, while malicious hackers, or black-hat hackers, engage in unauthorized activities such as stealing data, spreading malware, or disrupting services.

A

Hackers

22
Q

Criminals in the context of cybersecurity refer to individuals or groups who engage in illegal activities for financial gain or other malicious purposes. These activities may include cybercrime such as identity theft, fraud, ransomware attacks, and other forms of online criminal behavior. Cybercriminals exploit vulnerabilities in computer systems to compromise security and commit crimes that can result in financial losses, privacy breaches, and reputational damage for individuals and organizations.

A

Criminals

23
Q

Terrorists, in the realm of cybersecurity, are individuals or groups who use digital means to achieve political, ideological, or social goals. Cyberterrorism involves the use of technology to launch attacks that disrupt critical infrastructure, compromise national security, or spread fear and chaos. Cyberterrorists may employ various techniques, including hacking, distributed denial-of-service (DDoS) attacks, and information warfare, to achieve their objectives and create widespread impact.

A

Terrorists

24
Q

Disgruntled employees are individuals within an organization who, due to dissatisfaction or negative feelings, may pose a threat to the organization’s cybersecurity. These individuals may intentionally misuse their access privileges to steal sensitive information, disrupt operations, or engage in other malicious activities. Managing employee dissatisfaction, implementing proper access controls, and monitoring user activities are essential measures to mitigate the risks associated with disgruntled employees.

A

Disgruntled Employees

25
Q

Competitors, in the context of cybersecurity, are individuals or entities seeking to gain a competitive advantage by compromising the security of rival organizations. Corporate espionage, intellectual property theft, and other cyber activities may be employed to obtain confidential information, trade secrets, or proprietary technologies. Organizations need robust cybersecurity measures to protect against such threats and safeguard their valuable assets from unauthorized access and exploitation by competitors.

A

Competitors

26
Q

A common attack method refers to a widely used technique employed by threat actors to compromise the security of computer systems. These methods are often tried-and-tested approaches that take advantage of vulnerabilities or weaknesses in software, networks, or human behavior. Understanding common attack methods is crucial for developing effective cybersecurity strategies and implementing preventive measures. Examples include phishing, malware attacks, and social engineering.

A

Common Attack Method

27
Q

Reconnaissance, in the context of cybersecurity, is the initial phase of a cyber attack where threat actors gather information about a target system. This involves collecting data on network architecture, system configurations, and potential vulnerabilities. Reconnaissance may be passive, involving the analysis of publicly available information, or active, where attackers engage with the target system to identify weaknesses. Effective defense against cyber threats often includes measures to detect and thwart reconnaissance activities.

A

Reconnaissance

28
Q

Social engineering is a psychological manipulation technique used by cyber attackers to deceive individuals into divulging sensitive information, providing access to systems, or performing actions that may compromise security. This method exploits human psychology rather than technical vulnerabilities, relying on trust and social interactions. Examples include phishing emails, pretexting, and impersonation. Education and awareness programs are essential for organizations to mitigate the risks associated with social engineering attacks.

A

Social Engineering

29
Q

Privilege escalation is a cybersecurity attack where an unauthorized user gains higher-level access or permissions than originally granted. This involves exploiting vulnerabilities or weaknesses in a system to elevate privileges and access sensitive information or perform unauthorized actions. Preventing privilege escalation is crucial for maintaining the security of systems and networks. Security measures include implementing the principle of least privilege, regularly updating and patching systems, and monitoring for unusual or unauthorized activities.

A

Privilege Escalation

30
Q

Code execution is a type of cyber attack where an attacker exploits vulnerabilities in a system to run arbitrary code. This can lead to unauthorized access, data manipulation, or the execution of malicious software on the targeted system. Code execution vulnerabilities are often found in software applications, and attackers may leverage techniques such as buffer overflows or injection attacks to execute their code. Mitigating code execution risks involves implementing secure coding practices, regularly updating software, and employing intrusion detection systems to identify and respond to potential threats.

A

Code Execution

31
Q

Backdoors are concealed entry points in software, applications, or systems intentionally created by developers or malicious actors. These hidden pathways allow unauthorized access to a system, bypassing normal authentication processes. While legitimate backdoors may be included for debugging or maintenance purposes, malicious backdoors are often exploited by attackers to gain illicit access, control compromised systems, or facilitate further attacks without detection.

A

Backdoors

32
Q

Covert channels are communication channels that enable unauthorized and surreptitious exchange of information in a way that avoids detection by traditional security mechanisms. These channels exploit unintended paths in a system, such as unused or obscure protocols, to transmit data between entities without raising alarms. Covert channels can be challenging to detect, and their presence poses a risk to the confidentiality and integrity of sensitive information within a network.

A

Covert Channels

33
Q

Trust exploitation is a strategy employed by attackers to manipulate the trust established within a system or network. This can involve taking advantage of inherent trust relationships between entities or exploiting trust in a communication process. By infiltrating a trusted system or impersonating a trusted entity, attackers seek to gain unauthorized access, extract sensitive information, or carry out malicious activities while remaining undetected.

A

Trust Exploitation

34
Q

A Man-in-the-Middle (MitM) attack occurs when a malicious actor intercepts and potentially alters the communication between two parties without their knowledge. The attacker positions themselves between the communicating entities, allowing them to eavesdrop on sensitive information or manipulate the communication. MitM attacks can take various forms, such as intercepting unencrypted data, injecting malicious content, or impersonating one of the parties involved, compromising the confidentiality and integrity of the communication.

A

Man-in-the-Middle Attack

35
Q

A Denial of Service (DoS) attack aims to disrupt the availability of a service, system, or network by overwhelming it with excessive traffic, requests, or malicious activities. The objective is to render the targeted resource inaccessible to its intended users. DoS attacks can exploit vulnerabilities in network infrastructure or flood a system with traffic, causing it to become unresponsive. Mitigating DoS attacks involves implementing traffic filtering, rate limiting, and other preventive measures to maintain service availability.

A

Denial of Service Attack

36
Q

A Distributed Denial of Service (DDoS) attack is an amplified form of a DoS attack where multiple compromised computers, known as a botnet, are coordinated to flood a target system with overwhelming traffic. The distributed nature of the attack makes it more challenging to mitigate, as it comes from multiple sources. DDoS attacks aim to exhaust the target’s resources, causing disruption and rendering the service unavailable to legitimate users.

A

Distributed Denial of Service Attack

37
Q

A Brute Force attack is a method where an attacker systematically tries all possible combinations of usernames, passwords, or encryption keys to gain unauthorized access to a system. This attack relies on the computational power and persistence of the attacker to find the correct combination. To mitigate Brute Force attacks, security measures such as account lockout policies, CAPTCHA mechanisms, and multi-factor authentication are commonly employed.

A

Brute Force Attack

38
Q

Intrusion sensors are devices or systems designed to detect and respond to unauthorized activities within a network or system. These sensors are crucial components of intrusion detection and prevention systems, continuously monitoring for signs of suspicious behavior, unauthorized access attempts, or potential security incidents. Intrusion sensors contribute to early threat detection, allowing organizations to respond promptly to security breaches and mitigate the impact of malicious activities.

A

Intrusion Sensors

39
Q

An Intrusion Detection System (IDS) is a security tool that monitors and analyzes network or system activities for signs of unauthorized access, misuse, or security policy violations. IDS can be host-based or network-based, and it works by comparing observed patterns against predefined signatures or behavior profiles. When suspicious activity is detected, the IDS generates alerts or notifications, enabling security personnel to investigate and respond to potential security incidents.

A

Intrusion Detection System

40
Q

An Intrusion Prevention System (IPS) is a security solution that goes beyond the capabilities of an IDS by actively blocking or preventing detected malicious activities. IPS can automatically respond to security threats by implementing predefined security policies, blocking malicious traffic, or reconfiguring network settings to neutralize the threat. IPS complements intrusion detection by providing a proactive defense mechanism, enhancing an organization’s ability to prevent and mitigate potential security breaches.

A

Intrusion Prevention System

41
Q

Sensor deployment mode refers to the manner in which intrusion sensors are implemented within a network or system. There are two primary modes: promiscuous/passive and inline. In the promiscuous/passive mode, sensors monitor network traffic without actively participating in the flow, allowing for non-intrusive analysis. In contrast, the inline mode involves sensors being directly integrated into the network flow, actively inspecting and potentially blocking suspicious traffic in real time.

A

Sensor Deployment Mode

42
Q

Promiscuous or passive mode is a deployment setting for intrusion sensors where the sensors observe network traffic without actively participating in the data flow. In this mode, sensors analyze packets for signs of malicious activity or policy violations without modifying or interrupting the network traffic. Promiscuous sensors are particularly useful for monitoring and detecting security incidents in a non-intrusive manner, allowing security personnel to analyze and respond to potential threats without affecting the normal operation of the network.

A

Promiscuous/Passive

43
Q

Inline is a deployment mode for intrusion sensors where the sensors actively participate in the network flow, inspecting and potentially blocking traffic in real time. In this mode, the sensors are inserted directly into the communication path, allowing them to take immediate action when suspicious activity is detected. Inline sensors provide a proactive defense mechanism, allowing for the prevention of security incidents by actively blocking malicious traffic or enforcing security policies as part of the normal network flow.

A

Inline

44
Q

Network-based sensors are intrusion sensors that monitor and analyze network traffic to identify potential security threats. These sensors focus on the communication between devices within the network, detecting anomalies, and analyzing packet content for known attack signatures. Network-based sensors are positioned strategically within the network infrastructure to provide comprehensive coverage and early detection of potential security incidents.

A

Network-Based Sensors

45
Q

Host-based sensors are intrusion sensors that operate at the individual device or host level, monitoring activities on a specific system. These sensors analyze events and behaviors on the host, such as file access, process execution, and system calls, to detect signs of unauthorized or malicious activity. Host-based sensors provide a more granular view of security incidents and are effective in identifying threats that may originate from within the host itself.

A

Host-Based Sensors

46
Q

Attack detection strategies refer to the various approaches and techniques employed by intrusion detection and prevention systems to identify and respond to potential security threats. Common strategies include signatures, anomaly detection, policy-based detection, and reputation-based detection, each offering a unique perspective on security event identification.

A

Attack Detection Strategies

47
Q

Signature-based detection relies on predefined patterns or signatures of known malicious activities. These signatures are derived from characteristics unique to specific types of attacks. When network or host-based sensors identify patterns matching these signatures in observed traffic or activities, they generate alerts or take preventive actions, effectively recognizing and responding to known threats.

A

Signatures

48
Q

Anomaly detection is a strategy that focuses on identifying deviations from established baseline behaviors. This method involves creating profiles of normal system or network behavior and generating alerts when activities significantly deviate from these norms. Anomaly detection is particularly effective at identifying previously unknown or emerging threats that may not have established signatures.

A

Anomaly Detection

49
Q

Policy-based detection involves defining and enforcing security policies that align with an organization’s security objectives. Policies specify the acceptable behavior within a network or system, and intrusion sensors actively monitor for deviations from these policies. When violations occur, alerts are generated, and preventive measures may be implemented to ensure adherence to the established security policies.

A

Policy-Based