Security Flashcards
How do you implement Malware Prevention
Do the following:
• Install anti-malware on all systems to search for malware, viruses, worms, trojans, and rootkits.
• Enable automatic definition updates on your anti-malware software.
• Configure frequent quick malware scans along with less frequent full system scans.
• Implement anti-spam measures. This can be done using anti-spam software on each individual workstation. However, it’s usually advantageous to implement an anti-spam appliance that filters email messages for your entire organization.
How do you Implement Browser Security?
Do the following:
• Disable pop-ups on all web browsers. Pop-ups can covertly install malware or redirect users to malicious websites. Enable pop-ups only for legitimate sites that require them.
• Override automatic cookie handling. Configure your browser to prompt you before allowing cookies.
• Disable third-party browser extensions.
• Disable sounds in web pages.
Spam
Spam may or may not be malicious in nature. However, it wastes time, network bandwidth, and storage space, and the storage cost is magnified because many organizations in the United States are required by law to retain all email communications for a period of time.
The best way to combat spam is to implement an anti-spam appliance that is placed between your network and the internet. The appliance scans all emails as they enter the organization and quarantines anything deemed to be spam.
Phishing Emails
Phishing is the process used by attackers to acquire sensitive information such as passwords, credit card numbers, and usernames by masquerading as a trustworthy entity. Phishing emails are drafted such that they appear to have come from a legitimate organization, such as banking, social media, or e-commerce websites. They convince the user to click a link that takes them to a malicious website (that looks exactly like the legitimate website) where they are tricked into revealing sensitive information.
To detect phishing email, train users to recognize their key characteristics:
• The source address of the message may not match the domain of the company it claims to be coming from.
• The message tries to create a sense of urgency. For example, it may warn that your bank account will be frozen, that your credit card has been stolen, or that you will be subject to arrest if you don’t follow the instructions in the message.
• The hyperlinks in the message go to websites that are not associated with the organization the message claims to be coming from. If you hover your mouse over a link (without clicking it), the browser or mail client shows where the link actually leads. If it isn't pointing to the organization's own domain, there is a good chance the message is a phishing attempt.
Hijacked Emails
To hijack an email account, attackers commonly answer the password-reset (security) questions the user set up, such as birthplace or mother's maiden name, rather than guessing the password itself. Users should not choose questions whose answers are personal facts, because that information is relatively easy to obtain from social media. Once an account has been hijacked, the attacker can use it to send spam or malware to every contact in the user's address book, and recipients are more likely to trust a message that comes from a known sender.
Pharming
Pharming redirects one website's traffic to another, bogus, website that is designed to look like the real website. Once there, the attacker tricks the user into supplying personal information, such as bank account numbers and PINs. Pharming works by causing the legitimate site's hostname to resolve to the IP address of the attacker's site, so the user reaches the bogus site even after typing the correct URL. This is typically done using one of the following techniques:
• Changing the hosts file on a user’s computer
• Poisoning a DNS server
• Exploiting DHCP servers to deliver the IP address of malicious DNS servers in DHCP leases.
Rogue Antivirus
Rogue antivirus exploits usually employ a pop-up in a browser that tells the user the computer is infected with a virus and that the user must click a link to clean it. Sometimes this exploit is used to trick users into paying for worthless software they don’t need. However, it also is frequently used to deploy malware on the victim’s computer.
Cookies
Cookies are data files placed on a client system by a web server for retrieval at a later time. Cookies are primarily used to maintain state between requests (for example, to identify an authenticated session) and to track the client. By default, a browser sends a cookie back only to the domain that set it. The cookies themselves are fairly benign; however, a cookie that holds a session identifier can be stolen by an attacker (for example, by sniffing an unencrypted connection). The attacker then presents the cookie as if they were the client and hijacks the session, potentially exposing sensitive information.
Browser History
The browser history and its cache contain information that an attacker can exploit. If an attacker can gain access to the cache or the browser history, they can learn things about the user such as:
• The email service they use
• The bank where they keep their accounts
• Where they shop
An attacker can exploit this information to conduct other attacks, such as stealing cookies or sending phishing emails.
What are the symptoms of a malware infection?
- Slow computer performance
- Internet connectivity issues
- Operating system lock ups
- Windows update failures
- Renamed system files
- Disappearing files
- Changed file permissions
- Access denied errors
What are the best practices you should follow before removing the malware?
- Identify the malware symptoms.
- Quarantine the infected system.
- Disable system restore to prevent the malware from being saved in a restore point (and to prevent an uninfected restore point from being potentially deleted to make room for a new restore point).
- Remediate the infected system.
- Update the anti-malware definitions.
- Scan for and remove the malware. Some malware can be removed while the system is running normally. However, some malware can be removed only while in Safe Mode or in the Pre-Installation Environment.
- Schedule future scans and updates.
- Re-enable system restore and create a new restore point.
- Educate users to prevent the infection from happening again.
Man-in-the-Middle
A man-in-the-middle attack is used to intercept information passing between two communication partners. With a man-in-the-middle attack:
• An attacker inserts himself in the communication flow between the client and server. The client is fooled into authenticating to the attacker.
• Both parties at the endpoints believe they are communicating directly with each other, while the attacker intercepts and/or modifies the data in transit. The attacker can then authenticate to the server using the intercepted credentials.
Man-in-the-middle attacks are commonly used to steal credit card numbers, online bank credentials, as well as confidential personal and business information.
TCP/IP (session) Hijacking
TCP/IP hijacking is an extension of a man-in-the-middle attack where the attacker steals an open and active communication session from a legitimate user.
• The attacker takes over the session and cuts off the original source device.
• The TCP/IP session state is manipulated so that the attacker is able to insert alternate packets into the communication stream.
HTTP (session) Hijacking
HTTP (session) hijacking is a real-time attack in which the attacker hijacks a legitimate user’s cookies and uses the cookies to take over the HTTP session.
Replay Attack
In a replay attack, the attacker uses a protocol analyzer or sniffer to capture authentication information going from the client to the server. The attacker then uses this information to connect at a later time and pretend to be the client.
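The following is an added example, not part of the original flashcards, contrasting the weak scheme a replay attack defeats with a challenge-response scheme that defeats it. Two small servers are modelled in-process (no network): PlaintextServer accepts the same password every time, so a captured password can be resent; ChallengeServer issues a single-use random nonce and expects HMAC(secret, nonce || username), so a captured response is useless for any later login. The user name, secrets, and the HMAC-SHA256 construction are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets


class PlaintextServer:
    """Weak scheme: the client sends the same secret every time, so anything a
    sniffer captures can simply be sent again later."""

    def __init__(self, users):
        self.users = users          # username -> password (constructed demo data)

    def verify(self, username, password):
        return self.users.get(username) == password


class ChallengeServer:
    """Challenge-response with a single-use random nonce: the client proves it
    knows the shared secret by returning HMAC(secret, nonce || username).
    A captured response is only valid for the nonce it was computed over, and
    the server forgets each nonce as soon as it is used."""

    def __init__(self, users):
        self.users = users          # username -> 32-byte shared secret (assumed pre-provisioned)
        self.pending = {}           # outstanding nonce -> username it was issued to

    def challenge(self, username):
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = username
        return nonce

    def verify(self, username, nonce, response):
        # pop() consumes the nonce, so presenting it a second time fails even
        # if the HMAC is correct for it.
        if self.pending.pop(nonce, None) != username:
            return False
        secret = self.users.get(username)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce + username.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(secret, username, nonce):
    """What the legitimate client sends back for a given challenge."""
    return hmac.new(secret, nonce + username.encode(), hashlib.sha256).digest()


def demo():
    """One legitimate login, then an attacker's replay against both servers.
    Returns (plaintext_replay_accepted, challenge_replay_accepted)."""
    alice_secret = secrets.token_bytes(32)

    weak = PlaintextServer({"alice": "hunter2"})
    captured_password = "hunter2"               # what the sniffer saw on the wire
    weak_replay = weak.verify("alice", captured_password)

    strong = ChallengeServer({"alice": alice_secret})
    nonce = strong.challenge("alice")
    response = client_response(alice_secret, "alice", nonce)
    assert strong.verify("alice", nonce, response)      # legitimate login works
    # The attacker replays the captured (nonce, response) pair, and also tries
    # the old response against a fresh challenge.
    replay_same_nonce = strong.verify("alice", nonce, response)
    fresh = strong.challenge("alice")
    replay_fresh_nonce = strong.verify("alice", fresh, response)
    return weak_replay, (replay_same_nonce or replay_fresh_nonce)


if __name__ == "__main__":
    print("plaintext replay accepted, challenge replay accepted:", demo())
```

The nonce does two jobs: it makes each response unique, and, because the server discards it on first use, the same response cannot be accepted twice. Without the pop() the scheme would still be replayable for the lifetime of the nonce.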
Phishing
A phishing scam employs an email pretending to be from a trusted organization, asking to verify personal information or send a credit card number. In a phishing attack:
• A fraudulent message (that appears to be legitimate) is sent to a victim.
• The message requests that the target visit a fraudulent website (which also appears to be legitimate). Graphics, links, and websites look almost identical to legitimate websites they are trying to imitate.
• The fraudulent website requests that the victim provide sensitive information, such as an account username and password.
What are some common phishing scams?
- A Rock Phish kit uses a fake website that imitates a real website (such as banks, PayPal®, eBay®, or Amazon®). Phishing emails direct victims to the fake website where they enter account information. A single server can host multiple fake sites using multiple registered DNS names. These sites can be set up and taken down rapidly to avoid detection.
- A Nigerian scam, also known as a 419 scam, involves email which requests a small amount of money to help transfer funds from a foreign country. For their assistance, the victim is promised a reward for a much larger amount of money that will be sent at a later date.
- In spear phishing, attackers gather information about the victim, such as identifying which online banks they use. They then send phishing emails for the specific bank that the victim uses.
- Whaling is another form of phishing that is targeted to senior executives and high profile victims.
- Vishing is similar to phishing but instead of an email, the attacker uses Voice over IP (VoIP) to gain sensitive information. The term is a combination of voice and phishing.
How can you protect against phishing?
- Check the actual link destination within emails to verify that they go to the correct URL and not a spoofed one.
- Do not click on links in emails. Instead, type the real bank URL into the browser.
- Verify that HTTPS is used when going to e-commerce sites. HTTPS requires a certificate whose name matches the server name in the URL and that is issued by a CA the browser trusts. You can also look for the lock icon to verify that HTTPS is used. If the website is using an invalid certificate, the browser displays a certificate warning when you try to access the website; do not click through it.
- Implement phishing protections within your browser.
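The following is an added example, not part of the original flashcards, that mechanically applies the phishing indicators listed above (sender domain does not match the claimed organization, urgency language, link text that hides a different link target) to a message. Both messages are constructed for the demo; the domains, the urgency word list, and the two-label "registered domain" shortcut are assumptions, and a production filter would use the public suffix list rather than the last two labels.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing lure: the display name says Example Bank, the real
# address is a look-alike domain, and the visible link text is not the href.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank-verify.com>
Return-Path: <bounce@mail-blast.example.net>
To: victim@example.org
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html

<html><body>
<p>We detected unusual activity. Your account will be frozen unless you
act immediately.</p>
<p><a href="http://examplebank.com.login-check.example.net/verify">
https://www.examplebank.com/secure</a></p>
</body></html>
"""

# Constructed legitimate notice for comparison.
BENIGN_EMAIL = """\
From: "Example Bank" <notices@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body><p>Your statement is available in online banking:
<a href="https://www.examplebank.com/statements">View statement</a></p></body></html>
"""

URGENCY_WORDS = ("urgent", "immediately", "suspended", "frozen", "arrest", "within 24 hours")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (assumed shortcut; real code uses the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    # A URL printed as link text may lack a scheme; urlparse needs one to find the host.
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def analyze(raw, claimed_domain):
    """Return the phishing indicators found in one RFC 5322 message.
    claimed_domain is the organization the mail claims to come from."""
    msg = message_from_string(raw)
    findings = []

    # 1. Sender domain does not match the organization named in the message.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if registered_domain(sender_domain) != registered_domain(claimed_domain):
        findings.append(f"sender domain {sender_domain} != {claimed_domain}")

    # 2. Urgency language in the subject or body.
    body = msg.get_payload(decode=True).decode(errors="replace")
    lowered = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 3. A link whose target is outside the claimed organization, or whose
    #    visible text shows a different host than the href really points to.
    parser = LinkExtractor()
    parser.feed(body)
    for shown, href in parser.links:
        target = host_of(href)
        if registered_domain(target) != registered_domain(claimed_domain):
            findings.append(f"link goes to {target}, not {claimed_domain}")
        if re.match(r"^(https?://)?[\w.-]+\.\w+", shown) and host_of(shown) != target:
            findings.append(f"link text {host_of(shown)} hides target {target}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL, "examplebank.com"):
        print("-", finding)
```

The third check is the programmatic form of "hover over the link": the href is what the browser will open, the anchor text is only what the user sees.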
Zombie
A zombie is a computer that is infected with malware that allows remote software updates and control through a command and control (C2) infrastructure run by an attacker called the zombie master. A zombie:
• Is also known as a bot (short for robot).
• Is frequently used to aid spammers.
• Can commit click fraud. The internet uses an advertising model called pay per click (PPC). With PPC, ads are embedded on a website by the developer. The advertiser then pays the website owner for each click the ad generates. Zombie computers can imitate a legitimate ad click, generating fraudulent revenue.
• Can be used to perform denial of service attacks.
Botnet
A botnet refers to a group of zombie computers that are commanded from a central control infrastructure. A botnet is:
• Under a command and control infrastructure where the zombie master (also known as the bot herder) can send remote commands to order all the bots they control to perform actions.
• Capable of performing distributed denial of service attacks.
• Detected through the use of firewall logs to determine if a computer is acting as a zombie and participating in external attacks.
Zero Day
A zero day attack (also known as a zero hour or day zero attack) is an attack that exploits computer application vulnerabilities before they are known and patched by the application’s developer.
Spoofing
Spoofing is the falsification of source or destination addresses (or of an identity, such as a website) to hide the true source of packets or to redirect traffic to another location. Spoofing attacks:
• Use modified source and/or destination addresses in packets
• Can include site spoofing that tricks users into revealing information
What are common methods of spoofing?
IP Spoofing; MAC Spoofing; ARP Spoofing
IP Spoofing
IP spoofing changes the IP address information within a packet. It can be used to:
• Hide the origin of the attack by spoofing the source address. Because any response goes to the spoofed address rather than to the attacker, this is mostly useful for one-way traffic such as flooding.
• Amplify attacks. The attacker sends requests to a broadcast address with the victim's address as the spoofed source, so every host on that segment replies to the victim, who is overwhelmed with responses.
MAC Spoofing
MAC spoofing occurs when an attacking device uses the MAC address of a valid host currently in the MAC address table of the switch. The switch then forwards frames destined for that valid host to the attacking device. Because a MAC address is trivially changed in software, any control that relies on it can be bypassed, including:
• MAC filtering on a wireless AP
• Router ACLs or switch port security that permit only specific MAC addresses
• 802.1x port-based security, when the attacker adopts the MAC address of a host that has already authenticated on that port
ARP Spoofing
ARP spoofing (also known as ARP poisoning) uses spoofed ARP messages to associate a different MAC address with an IP address. ARP has no authentication, and most hosts accept replies they never asked for, so an attacker on the same segment can rewrite another host's ARP cache at will. ARP spoofing can be used to perform a man-in-the-middle attack as follows:
1. When an ARP request is sent by a client for the MAC address of a device, such as the default gateway router, the attacker's system responds to the ARP request with its own MAC address (or simply sends unsolicited replies without waiting for a request).
2. The client receives the spoofed ARP response and uses that MAC address when communicating with the destination host. For example, packets sent to the default gateway are sent instead to the attacker.
3. The attacker receives all traffic sent to the destination host. The attacker can then forward these packets on to the correct destination using its own MAC address as the source address, so neither side notices the detour.
ARP spoofing can also be used to perform Denial of Service (DoS) attacks by redirecting communications to fake or nonexistent MAC addresses.
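The following is an added example, not part of the original flashcards, showing what the poisoning above looks like on the wire and how a simple ARP watcher detects it. It builds raw Ethernet II + ARP reply frames from constructed addresses (the gateway, victim, and attacker MACs and IPs are assumptions), parses them back with struct, and keeps an IP-to-MAC table, raising an alert when an IP's MAC changes and when one MAC starts answering for more than one IP, which is the signature of an attacker sitting between two hosts.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed ARP reply frame (Ethernet II + ARP), as a sniffer would see it."""
    eth = ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an ARP frame, or None if it is not ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return op, mac(sha), ip(spa)


class ArpWatch:
    """Learn IP->MAC bindings from replies and alert when they change."""

    def __init__(self):
        self.table = {}     # ip -> mac as last seen
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, sha, spa = parsed
        if op != ARP_REPLY:
            return
        known = self.table.get(spa)
        if known is None:
            self.table[spa] = sha                      # first sighting: learn it
        elif known != sha:
            self.alerts.append(f"{spa} changed from {known} to {sha}")
            self.table[spa] = sha
        # One MAC answering for several IPs is the classic man-in-the-middle signature.
        claimed = sorted(i for i, m in self.table.items() if m == sha)
        if len(claimed) > 1:
            self.alerts.append(f"{sha} now claims {claimed}")


def run_scenario():
    """Constructed frames: the real gateway and victim answer first, then an
    attacker answers for both addresses with its own MAC (steps 1 and 2 above)."""
    gw_mac, gw_ip = "aa:aa:aa:aa:aa:aa", "192.168.1.1"
    victim_mac, victim_ip = "cc:cc:cc:cc:cc:cc", "192.168.1.10"
    attacker_mac = "bb:bb:bb:bb:bb:bb"
    watch = ArpWatch()
    for frame in (
        build_arp_reply(gw_mac, gw_ip, victim_mac, victim_ip),         # legitimate
        build_arp_reply(victim_mac, victim_ip, gw_mac, gw_ip),         # legitimate
        build_arp_reply(attacker_mac, gw_ip, victim_mac, victim_ip),   # poison the victim
        build_arp_reply(attacker_mac, victim_ip, gw_mac, gw_ip),       # poison the gateway
    ):
        watch.observe(frame)
    return watch


if __name__ == "__main__":
    for alert in run_scenario().alerts:
        print("ALERT:", alert)
```

A real deployment would feed frames from a raw socket or a pcap and would seed the table from known-good bindings (for example the gateway's MAC), because a watcher that learns from the first reply it sees can be taught the attacker's MAC first. Dynamic ARP Inspection on a switch does the same check against the DHCP snooping table.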
Countermeasures to spoofing include:
- Firewall and router filters to prevent spoofed packets from crossing into or out of your private secured network. Filters drop any packet whose source address could not legitimately have arrived on that interface.
- Certificates to prove identity
- Reverse DNS lookup to check that the sending mail server's address matches its claimed hostname
- Secure DNS (DNS filtering) to identify emails with malicious domains. The filtering resolver redirects the user to a safe landing page or sends the bad traffic to a sinkhole.
- Encrypted and authenticated communication protocols, such as IPsec
- Ingress and egress filters to examine packets and identify spoofed packets. Ingress filters examine packets coming into the network, while egress filters examine packets going out of the network. Any packet suspected of being spoofed on its way into or out of your network is dropped. Egress filtering is what stops your own hosts from being used to launch spoofed attacks against others.
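The following is an added example, not part of the original flashcards, that implements the ingress/egress (BCP 38 style) filter described above and exercises it against constructed IPv4 packets, including the broadcast amplification case from the IP spoofing card. It builds raw IPv4 headers with struct (so the checksum check is real), then decides per interface: packets arriving from the Internet with a source inside our own prefix or a private/bogon range are dropped, packets leaving from the inside with a source that is not ours are dropped, and packets from the Internet addressed to our broadcast address are dropped. The prefix 203.0.113.0/24 and the other addresses are documentation ranges chosen for the demo.

```python
import ipaddress
import struct

# version/IHL, TOS, total len, id, flags/frag, TTL, proto, checksum, src, dst
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")

INTERNAL = ipaddress.ip_network("203.0.113.0/24")   # assumed: our own public prefix
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto=17, payload=b""):
    """Constructed IPv4 packet with an arbitrary (possibly spoofed) source address."""
    fields = (0x45, 0, IPV4_HDR.size + len(payload), 0x1234, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(IPV4_HDR.pack(*fields))
    return IPV4_HDR.pack(*fields[:7], csum, *fields[8:]) + payload


def parse_ipv4(packet):
    """Return (src, dst, proto) after validating version and header checksum."""
    if len(packet) < IPV4_HDR.size:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = IPV4_HDR.unpack_from(packet)
    ihl = (ver_ihl & 0x0F) * 4
    # A valid header sums to 0xFFFF, so the complement of the sum is zero.
    if ver_ihl >> 4 != 4 or ihl < IPV4_HDR.size or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto


def filter_packet(packet, iface):
    """BCP 38 style decision for a packet seen on 'external' (Internet-facing)
    or 'internal' interface. Returns ('accept', None) or ('drop', reason)."""
    try:
        src, dst, _ = parse_ipv4(packet)
    except ValueError as exc:
        return "drop", str(exc)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface == "external":
        if s in INTERNAL:
            return "drop", f"ingress: source {src} claims to be inside our prefix"
        if any(s in net for net in BOGONS):
            return "drop", f"ingress: bogon/private source {src}"
        if d == INTERNAL.broadcast_address:
            return "drop", "ingress: directed broadcast (amplification attempt)"
    elif iface == "internal":
        if s not in INTERNAL:
            return "drop", f"egress: source {src} is not one of our addresses"
    return "accept", None


if __name__ == "__main__":
    cases = [
        ("external", build_ipv4("203.0.113.9", "203.0.113.20")),      # spoofed insider from outside
        ("external", build_ipv4("198.51.100.7", "203.0.113.20")),     # ordinary inbound traffic
        ("internal", build_ipv4("198.51.100.7", "192.0.2.1")),        # insider spoofing someone else
        ("external", build_ipv4("198.51.100.7", "203.0.113.255")),    # smurf-style broadcast
    ]
    for iface, pkt in cases:
        print(iface, parse_ipv4(pkt)[:2], filter_packet(pkt, iface))
```

The egress rule is the one organizations most often skip; it does nothing for your own security but stops your network from sourcing spoofed floods against others.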
VPN
A virtual private network (VPN) is a type of network that uses encryption to allow IP traffic to travel securely over the TCP/IP network. A VPN is used primarily to support secure communications over an untrusted network.
• VPNs work by using a tunneling protocol that encrypts packet contents and wraps them in an unencrypted packet.
• Tunnel endpoints are devices that can encrypt and decrypt packets. When you create a VPN, you establish a security association between the two tunnel endpoints. The endpoints create a secure, virtual communication channel. Only the destination tunnel endpoint can unwrap packets and decrypt the packet contents.
• Routers use the unencrypted packet headers to deliver the packet to the destination device. Intermediate routers along the path cannot read the encrypted packet contents.
• A VPN can be used over a local area network, across a WAN connection, over the internet, and even over a dial-up connection.
Ports must be open in firewalls to allow VPN protocols. For this reason, using SSL for the VPN often works through firewalls when other solutions do not. Additionally, some NAT solutions do not work well with VPN connections.
How are VPNs implemented?
• VPNs can be implemented in the following ways:
o With a host-to-host VPN, two hosts establish a secure channel and communicate directly. With this configuration, both devices must be capable of creating the VPN connection.
o With a site-to-site VPN, routers on the edge of each site establish a VPN with the router at the other location. Data from hosts within the site are encrypted before being sent to the other site. With this configuration, individual hosts are unaware of the VPN.
o With a remote access VPN, a server on the edge of a network (called a VPN concentrator) is configured to accept VPN connections from individual hosts in a client-to-site configuration. Hosts that are allowed to connect using the VPN connection are granted access to resources on the VPN server or the private network.
Point-to-Point Tunneling Protocol (PPTP)
PPTP was developed by Microsoft as one of the first VPN protocols. PPTP:
• Uses standard PPP authentication protocols, such as CHAP, MS-CHAP, and PAP
• Requires an IP network as its transport (the tunnel itself runs over TCP/IP)
• Is supported by most operating systems and servers
• Uses TCP port 1723 for the control connection and GRE (IP protocol 47) to carry the tunneled data, so both must be permitted through a firewall
• Is considered obsolete: its MS-CHAPv2 authentication can be broken, which also exposes the keys of its MPPE encryption, so prefer L2TP/IPsec, IPsec, or SSL/TLS VPNs
Layer Two Tunneling Protocol (L2TP)
L2TP is an open standard for tunneling multiprotocol traffic. L2TP by itself provides no encryption; it is almost always paired with IPsec (L2TP/IPsec). L2TP:
• Supports multiple protocols (not just IP)
• Relies on IPsec for encryption and authentication
• Is not supported by older operating systems
• Uses UDP port 1701; the IPsec component uses UDP port 500 (IKE), UDP port 4500 (NAT traversal), and ESP (IP protocol 50)
Internet Protocol Security (IPsec)
IPsec provides authentication and encryption, and it can be used in conjunction with L2TP or by itself as a VPN solution. IPsec includes the following three protocols for authentication, data encryption, and connection negotiation:
• Authentication Header (AH, IP protocol 51) provides origin authentication and integrity for the packet but no encryption.
• Encapsulating Security Payload (ESP, IP protocol 50) provides data encryption and, optionally, authentication; most deployments use ESP alone.
• Internet Key Exchange (IKE, UDP port 500, or UDP port 4500 with NAT traversal) authenticates the peers, negotiates the security associations, and derives the session keys.
IPsec can be used to secure the following types of communications:
• Host-to-host communications within a LAN
• VPN communications through the internet, either by itself or in conjunction with the L2TP VPN protocol
• Any traffic supported by the IP protocol, including web, email, Telnet, file transfer, SNMP traffic, as well as countless others
IKE authenticates the peers using either digital certificates or pre-shared keys. A pre-shared key is known to every peer that uses it, so certificates are preferable for anything beyond a small site-to-site setup.
Secure Sockets Layer (SSL)
The SSL protocol (and its successor TLS, which has replaced every SSL version in current use) has long been used to secure traffic generated by IP protocols such as HTTP, FTP, and email. SSL/TLS can also be used as a VPN solution, typically in a remote access scenario. SSL/TLS:
• Authenticates the server to the client using public key cryptography and digital certificates
• Encrypts the entire communication session
• Uses TCP port 443, which is already open on most firewalls
Implementations that use SSL for VPN tunneling include Microsoft’s SSTP and Cisco’s SSL VPN.
Generic Routing Encapsulation (GRE)
GRE is a tunneling protocol that was developed by Cisco. GRE can be used to route any Layer 3 protocol across an IP network. GRE:
• Creates a tunnel between two routers.
• Encapsulates packets by adding a GRE header and a new IP header to the original packet.
• Does not offer any type of encryption.
• Can be paired with other protocols, such as IPsec or PPTP, to create a secure VPN connection.
What is a proxy server?
A proxy server is a device that stands as an intermediary between a host and the internet. A proxy server is a specific implementation of a firewall that uses filter rules to allow or deny internet traffic. With a proxy, every packet is stopped and inspected, which causes a break between the client and the server on the internet.
What can proxy servers be configured to do?
- Control internet access based on user account and time of day.
- Prevent users from accessing certain websites. For example, proxy servers used in schools or at home protect children from viewing inappropriate sites.
- Restrict users from using certain protocols. For example, a proxy server at work might prevent instant messaging, online games, or streaming media.
- Cache heavily accessed web content to improve performance.
What should you be aware of when using proxy servers?
- Configure a proxy server as a firewall device between the private network and the internet to control internet access based on user account.
- You can use a third-party service that uses proxy servers at your ISP or on the internet for content filtering.
- When using a proxy server, all traffic must be sent to the proxy server first before being forwarded to the destination device. This redirection is typically done by configuring the client to use the proxy server.
- Content filtering solutions typically either lock the client's proxy settings through policy or intercept the traffic transparently on the network, so the redirection happens automatically and cannot be bypassed by simply changing a browser setting.
- Internet Explorer automatically detects and uses a proxy server if one is advertised on the network (Web Proxy Auto-Discovery, WPAD). Because automatic detection trusts whatever the local network advertises, disable it where WPAD is not deliberately used. If the proxy server is not detected, use Internet Options to identify the proxy server IP address and port number.
What are network appliances?
Network appliances are devices that are dedicated to providing certain network services. Common network appliances include:
• Switches
• Wireless access points
• Routers
• Firewalls
• Security threat management devices
How do network appliances differ from common network hosts?
These devices are unlike common network hosts in that they don’t typically provide monitor, keyboard, or mouse connections. Instead, they are designed to be plugged directly into the network and then managed using a web-based interface from the system administrator’s workstation.
Security functions implemented within an all-in-one security appliance may include components such as:
- An endpoint management server to keep track of various devices, while ensuring their software is secure
- A network switch to provide internal network connectivity between hosts
- A router to connect network segments together
- An ISP interface for connecting the local network to the internet
- A firewall to filter network traffic
- A syslog server to store event messages
- A spam filter to block unwanted emails
- A web content filter to prevent employees from visiting inappropriate websites
- A malware inspection engine to prevent malware from entering the network
- An intrusion detection system (IDS) or intrusion prevention system (IPS) to detect hackers trying to break into systems on the network
While they are less expensive, all-in-one appliances have several drawbacks that you should consider before implementing one:
- All-in-one appliances perform many tasks adequately. However, they usually can’t perform any one task extremely well. If high-performance is a concern, then using dedicated appliances might be more appropriate.
- All-in-one devices create a single point of failure. Because so many services are hosted by a single device, then all of the services are affected if that device goes down.
- All-in-one devices create a single attack vector that can be exploited by an attacker. Compromising the single device could potentially expose many aspects of the network.
Unified threat management (UTM) or unified security management (USM)
A network gateway defense solution for organizations. UTM is the evolution of the traditional firewall into an all-in-one device that can perform multiple security functions within one single system.
What is a firewall?
A firewall is a device, or software running on a device, that inspects network traffic and allows or blocks traffic based on a set of rules.
Explain the 2 types of firewalls.
• A network-based firewall inspects traffic as it flows between networks. For example, you can install a network-based firewall on the edge of your private network that connects to the internet to protect against attacks from internet hosts. A network firewall is created using two (or more) interfaces on a network device: one interface connects to the private network, and the other interface connects to the external network.
• A host-based firewall inspects traffic received by a specific host.
A best practice is to implement both types of firewalls.
Firewalls use filtering rules, sometimes called access control lists (ACLs), to identify allowed and blocked traffic. A rule identifies characteristics of the traffic, such as:
- The interface the rule applies to
- The direction of traffic (inbound or outbound)
- Packet information such as the source or destination IP address or port number
- The action to take when the traffic matches the filter criteria
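The following is an added example, not part of the original flashcards, of the rule evaluation a firewall performs with an ACL like the one described above: each rule names an interface, a direction, a protocol, source and destination prefixes, a destination port, and an action; rules are evaluated in order, the first match wins, and anything that matches no rule is denied. The interface names, addresses, and rule set are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Union

ANY = "any"


@dataclass(frozen=True)
class Rule:
    iface: str                  # interface the rule applies to
    direction: str              # "in" (received on iface) or "out" (sent from iface)
    proto: str                  # "tcp", "udp", "icmp" or ANY
    src: str                    # CIDR prefix or ANY
    dst: str                    # CIDR prefix or ANY
    dport: Union[int, str]      # destination port or ANY
    action: str                 # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


def _cidr_match(cidr, addr):
    return cidr == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def matches(rule, pkt):
    return (rule.iface == pkt.iface
            and rule.direction == pkt.direction
            and rule.proto in (ANY, pkt.proto)
            and _cidr_match(rule.src, pkt.src)
            and _cidr_match(rule.dst, pkt.dst)
            and rule.dport in (ANY, pkt.dport))


def evaluate(rules, pkt):
    """First matching rule wins. Returns (action, index of the rule that matched);
    an implicit deny (index None) applies when nothing matches."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed rule set for an edge firewall: wan0 faces the Internet, lan0 the
# private network 192.168.1.0/24, and 203.0.113.10 is a public web server.
RULES = [
    Rule("wan0", "in", "tcp", ANY, "203.0.113.10/32", 443, "allow"),               # public HTTPS
    Rule("wan0", "in", "tcp", "198.51.100.0/24", "203.0.113.10/32", 22, "allow"),  # SSH from one partner prefix only
    Rule("wan0", "in", ANY, "10.0.0.0/8", ANY, ANY, "deny"),                        # private source from the Internet: spoofed
    Rule("lan0", "in", "udp", "192.168.1.0/24", ANY, 53, "allow"),                 # internal hosts may query DNS
    Rule("lan0", "in", "tcp", "192.168.1.0/24", ANY, ANY, "allow"),                # internal hosts may open TCP anywhere
]


if __name__ == "__main__":
    samples = [
        Packet("wan0", "in", "tcp", "192.0.2.5", "203.0.113.10", 443),
        Packet("wan0", "in", "tcp", "192.0.2.5", "203.0.113.10", 22),
        Packet("wan0", "in", "tcp", "198.51.100.9", "203.0.113.10", 22),
        Packet("lan0", "in", "udp", "192.168.1.50", "192.0.2.53", 123),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, pkt))
```

Note that the SSH packet from 192.0.2.5 is denied not by any written rule but by the implicit deny at the end; order matters, because a broad allow placed before rule 2 would have let it through.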
Windows includes a host-based firewall that you can configure to protect your system from attacks. Be aware of the following:
- By default, the firewall allows outbound connections (and the responses to them) but blocks unsolicited inbound connections.
- You can configure exceptions to allow specific types of traffic through the firewall.
- When you turn on the firewall, you can block all incoming connections or allow exceptions. If all incoming connections are blocked, any defined exceptions are ignored.
In Windows Firewall, you can configure two exception types. Explain them.
Program: Configuring an exception for a program automatically opens the ports required by the application only while the application is running. Be aware of the following:
o You can select from a list of known applications or browse to and select an unlisted application.
o You do not need to know the port number used; the firewall automatically identifies the ports used by the application when it starts.
o After the application is stopped, the required ports are closed.
Port: Configuring an exception for a specific port and protocol (either TCP or UDP) keeps that port open all the time. Be aware of the following:
o You must know both the port number and the protocol.
o Some services require multiple open ports, so you must identify all necessary ports and open them.
o Ports stay open until you remove the exception.
When you configure a network-based firewall, you identify the traffic type that is allowed both into and out of your private network. Keep the following in mind:
• Most SOHO routers and access points include a firewall to protect your private network.
• By default, most SOHO routers allow all traffic initiated on the private network to pass through the firewall. Responses to those outbound requests are typically also allowed. For example, a user browsing a website will receive the web pages back from the internet server.
• All traffic initiating from the external network is blocked by default.
• You can configure individual exceptions to allow or deny specific types of traffic. A best practice is to block all ports, then open only the necessary ports.
• Some firewalls support port triggering, which allows the firewall to dynamically open incoming ports based on outgoing traffic from a specific private IP address and port.
o On the firewall you identify a private IP address and port, then associate one or more public ports.
o When the router sees traffic sent from the private network from that host and port number, the corresponding incoming ports are opened.
o The incoming ports remain open as long as the outgoing ports show activity. When the outgoing traffic stops for a period of time, the incoming ports are automatically closed.
o Use port triggering to open incoming ports required for specific applications (such as online games).
• Some applications identify incoming ports dynamically once a session is established with the destination device. The ports that the application might use are typically within a certain range.
o For some applications, you can configure the application to use a specific port instead of a dynamic port. You can then open only that port in the firewall.
o If you are unable to configure the application, you will need to open the entire range of possible ports in the firewall.
o Use port triggering to dynamically open the ports when the application runs instead of permanently opening all required ports.
• Configure port forwarding to allow incoming traffic directed to a specific port to be allowed through the firewall and sent to a specific device on the private network.
o Inbound requests arrive at the router's public IP address on the port number used by the service (such as port 80 for a web server). This port number is often called the public port.
o Port forwarding associates the inbound port number with the IP address and port of a host on the private network. This port number is often called the private port.
o Incoming traffic sent to the public port is redirected to the private port.
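The following is an added example, not part of the original flashcards, that models the inbound behaviour of a SOHO firewall described above: replies to flows the private network started are allowed, a static port forward sends one public port to one private host and port, a port trigger opens its public ports only after the configured host sends traffic and closes them again after a period of outbound silence, and everything else from the Internet is dropped. The addresses, port numbers, and the 30-second idle timeout are assumptions; NAT address translation is not modelled (the private port is assumed to equal the public port), which is a simplification over a real router.

```python
class SohoFirewall:
    """Inbound policy of a typical SOHO router, simplified: replies to outbound
    flows, static port forwards and active port triggers are allowed; any other
    packet arriving from the Internet is dropped."""

    def __init__(self, trigger_idle=30.0):
        self.trigger_idle = trigger_idle    # seconds of outbound silence before a trigger closes
        self.forwards = {}                  # (proto, public_port) -> (private_ip, private_port)
        self.triggers = {}                  # (private_ip, trigger_port) -> tuple of public ports
        self.open_triggers = {}             # public_port -> (private_ip, time of last outbound trigger)
        self.flows = set()                  # (proto, private_ip, private_port, remote_ip, remote_port)

    def add_forward(self, proto, public_port, private_ip, private_port):
        self.forwards[(proto, public_port)] = (private_ip, private_port)

    def add_trigger(self, private_ip, trigger_port, public_ports):
        # trigger_port is the destination port of the outbound traffic that opens
        # the listed public ports for private_ip (assumed convention of the demo).
        self.triggers[(private_ip, trigger_port)] = tuple(public_ports)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port, now):
        """Traffic initiated on the private network is allowed. Remember it so the
        reply can get back in, and fire any trigger keyed on this host and port."""
        self.flows.add((proto, src_ip, src_port, dst_ip, dst_port))
        for public_port in self.triggers.get((src_ip, dst_port), ()):
            self.open_triggers[public_port] = (src_ip, now)
        return "allow"

    def inbound(self, proto, src_ip, src_port, dst_port, now):
        """Decide what happens to a packet arriving from the Internet.
        Returns ('allow', (private_ip, private_port)) or ('drop', reason)."""
        # 1. Reply to a flow we initiated: remote side and our port must match.
        for flow_proto, pip, pport, rip, rport in self.flows:
            if (flow_proto, rip, rport, pport) == (proto, src_ip, src_port, dst_port):
                return "allow", (pip, pport)
        # 2. Static port forward: public port -> private host and port.
        if (proto, dst_port) in self.forwards:
            return "allow", self.forwards[(proto, dst_port)]
        # 3. Port trigger: open only while the triggering host keeps sending.
        if dst_port in self.open_triggers:
            pip, last_seen = self.open_triggers[dst_port]
            if now - last_seen <= self.trigger_idle:
                return "allow", (pip, dst_port)
            del self.open_triggers[dst_port]      # idle too long: close it again
            return "drop", "trigger expired"
        return "drop", "unsolicited inbound"


if __name__ == "__main__":
    fw = SohoFirewall(trigger_idle=30)
    fw.add_forward("tcp", 80, "192.168.1.10", 8080)          # public :80 -> internal web server :8080
    fw.add_trigger("192.168.1.20", 6112, [6113, 6114])       # hypothetical game: outbound 6112 opens 6113-6114
    print(fw.inbound("tcp", "198.51.100.7", 40000, 80, now=0))      # forwarded
    print(fw.inbound("udp", "198.51.100.7", 40000, 6113, now=0))    # dropped, trigger not fired yet
    fw.outbound("udp", "192.168.1.20", 50000, "198.51.100.7", 6112, now=1)
    print(fw.inbound("udp", "198.51.100.7", 40000, 6113, now=5))    # allowed while trigger is open
    print(fw.inbound("udp", "198.51.100.7", 40000, 6114, now=40))   # dropped, trigger expired
```

The difference between the two mechanisms is visible in the state: a forward is a permanent entry in forwards, while a trigger only exists in open_triggers between the host's outbound traffic and the idle timeout.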
Port number for File Transfer Protocol (FTP)
20 TCP
21 TCP
Port number for Secure Shell (SSH)
22 TCP and UDP
Port number for Telnet
23 TCP