Security Plus - Chapter 12 Flashcards

1
Q

Designing Secure Networks

A

The ability to implement key elements of design and architecture found in enterprise networks in order to properly secure them.

2
Q

Selection of Effective Controls

A

Securing a network requires both an understanding of the threats and of the controls that can address them.

3
Q

Defense In Depth

A

Security that is built around multiple controls designed to ensure that a failure of a single control, or multiple controls, is unlikely to cause a security breach.

4
Q

Open Systems Interconnection (OSI) Model

A

Used to conceptually describe how devices and software operate together across networks. Also used when creating security zones: devices that separate networks at trust boundaries deploy protections appropriate to both the threats and the security requirements of each zone.

5
Q

Attack Surface

A

Consists of the points at which an unauthorized user could gain access.

5
Q

OSI Model

A

7 Application Layer -> Human-computer interaction
6 Presentation Layer -> Formats data, handles data encryption and compression
5 Session Layer -> Authentication, sessions, permissions
4 Transport Layer -> Transmission of data, error control
Ex. TCP, UDP
3 Network Layer -> Physical path decisions, addressing, routing
Ex. IP, ICMP, IPSec
2 Data Link Layer -> Data format for the network, error detection, flow control
Ex. Frames, Ethernet
1 Physical Layer -> Sends electrical impulses, light, and radio waves
Ex. Cables, NICs

6
Q

Infrastructure Considerations

A

Decisions about how organizations design their infrastructure, which impact cost, manageability, functionality, and availability.

7
Q

Device Placement

A

Devices may be placed to secure a specific zone or network segment, to allow them to access network traffic from a network segment, VLAN, or broader network, or may be placed based on capabilities like maximum throughput. Common placement options include network borders, datacenter borders, and between network segments and VLANs, but devices may also be placed to protect specific infrastructure or systems.

8
Q

Security Zones

A

Network segments, physical or virtual, or other components of an infrastructure that can be separated from less secure zones through logical or physical means.
Common examples:
- Guest networks
- Internet-facing networks - For hosting web servers
- Management VLANs - Used for management access to network devices such as switches, access points, routers, and other devices.

9
Q

Connectivity Considerations

A

Includes the following decisions:
- How the organization connects to the Internet
- Whether there are redundant connections
- How fast the connections are
- What security controls exist and what the upstream connectivity provider can make available
- What type of connectivity is used - fiber optic, copper, wireless, or other
- Whether the connection paths are physically separated and use different providers, so that a single event will not cause a disruption.

10
Q

Failure Modes

A

How the organization wants a security device to behave when a disruption causes it to fail.
- Fail-closed - Ends all traffic and communication, which disrupts business functions while the device is unavailable.
- Fail-open - The device fails but leaves the connection and communication able to function. Operations continue, but no security controls are in place.

11
Q

Network Design Concepts

A

Physical isolation
Logical segmentation
High availability
Implementing secure protocols
Reputation services

12
Q

Physical Isolation

A

The idea of separating devices so that there is no connection between them.
- Air-gapped design

13
Q

Logical Segmentation

A

Using software or settings to separate networks or systems rather than a physical separation. Virtual local area networks (VLANs) are a common method of providing logical segmentation.

14
Q

High Availability

A

The ability of a service, system, network, or other element of infrastructure to be consistently available without downtime. Allows upgrades, patching, and system or service failures to occur without interrupting services.

15
Q

Implementing Secure Protocols

A

A common part of ensuring that communications and services are secure.
- HTTPS
- SSH instead of Telnet
- Wrapping other services using TLS
Protocol selection - Systems will usually default to automatically choosing the more secure protocol if one exists.

16
Q

Reputation Services

A

Services and data feeds that track IP addresses, domains, and hosts that engage in malicious activity. They can be used to monitor or block potentially malicious actors and systems. Usually combined with threat feeds and log monitoring for better insight.

17
Q

Software-Defined Networking

A

Designing a network relying on controllers that manage network devices and configurations with software-based controls. Allows for dynamic configuration of security zones to add systems based on authorization or to remove or isolate systems when they need to be quarantined.

18
Q

Software-Defined Wide Area Network (SD-WAN)

A

A virtual wide area network design that can combine multiple connectivity services for organizations. Commonly used with Multiprotocol Label Switching (MPLS), 4G, 5G, and broadband networks. Provides high availability and allows networks to route traffic based on application requirements, while routing traffic over less expensive networks where possible.

19
Q

Secure Access Service Edge (SASE)

A

Combines virtual private networks, SD-WAN, and cloud-based security tools like firewalls, cloud access security brokers (CASB), and zero-trust networks to provide secure access for devices regardless of their location.

20
Q

Network Segmentation

A

Dividing a network into logical or physical groupings that are frequently based on trust boundaries, functional requirements, or other reasons that help an organization apply controls or assist with functionality.

21
Q

Virtual Local Area Network (VLAN)

A

Sets up a broadcast domain that is segmented at the data link layer. Switches or other devices separate the areas using VLAN tags, allowing ports across multiple network devices to belong to the same VLAN.

22
Q

Broadcast Domain

A

A segment of a network in which all of the devices or systems can reach one another via packets sent as broadcast at the data link layer.

23
Q

Network Design Concepts for Segmentation

A

Screened subnets (DMZ, demilitarized zone) - Network zones that contain systems that are exposed to less trusted areas. Screened subnets are commonly used to contain web servers or other internet-facing devices.

Intranets - Internal networks set up to provide information to employees or other members of an organization. They are typically protected from external access.

Extranets - Networks that are set up for external access, typically for partners or customers of an organization that provide products or services to each other. These networks are not usually available to the public at large.

24
Q

Zero Trust

A

Presumes there is no trust boundary and no network edge. Each action is validated when requested as part of a continuous authentication process, and access is only allowed after policies are checked, including elements like identity, permissions, system configuration and security status, threat intelligence data reviews, and security posture.

25
Q

NIST Zero Trust

A

Subjects from an untrusted environment connect through a Policy Enforcement Point, allowing trusted transactions to the enterprise resources. The Policy Engine makes policy decisions based on rules, which are then acted on by Policy Administrators.
Subjects - The users, services, or systems that request access or attempt to use rights.
Policy Engines - Make policy decisions based on rules and external systems like threat intelligence, identity management, and SIEM devices. They make the decision to grant, deny, or revoke access to a given resource based on the factors used as input to the algorithm. Once a decision is made, it is logged and the policy administrator takes action based on the decision.
Policy Administrators - Components that establish or remove the communication path between subjects and resources, including creating session-specific authentication tokens or credentials as needed.
Policy Enforcement Points - Communicate with Policy Administrators to forward requests from subjects and to receive instructions from the policy administrators about connections to allow or end. Commonly deployed as a local client or application plus a gateway element that is part of the network path to services and resources.

26
Q

Control Plane of a Zero Trust Model

A

Adaptive Identity (Adaptive Authentication) - Leverages context-based authentication that considers data points such as where the user is logging in from, what device they are logging in from, and whether the device meets the security and configuration requirements.
Threat scope reduction (limited blast radius) - Limiting the scope of what a subject can do, or what access is permitted to a resource, limits what can go wrong. Relies on least privilege as well as identity-based network segmentation rather than segmentation based on IP address, network segment, or VLAN.
Policy-driven access control - Access is provided to a subject through policy engines that rely on policies to make decisions, which are then enforced by the policy administrator and policy enforcement points.
Policy administrator - Executes decisions made by a policy engine.
Implicit trust zones - Allow use and movement once a subject has been authenticated by a zero-trust policy engine.
Subjects and systems - The devices and users that are seeking access.
Policy enforcement points - Forward requests from subjects and receive instructions from policy administrators about allowing or denying connections.

27
Q

Network Access Control (NAC)

A

Determines whether a system or device should be allowed to connect to a network. If it passes the requirements set for admission, NAC places it into the appropriate zone.
Ways to process:
Agent - Uses a software agent that is installed on the computer to perform security checks.
Agentless - Runs the security check from a browser or another means without installing software.

Agent-based NAC is usually able to determine the security state of a machine by validating patch levels, security settings, antivirus versions, and other settings and details before admitting a system to the network.

NAC checks can be performed prior to or after the subject has connected to the network.

The decision on how to implement NAC is based on the organization's security objectives and technical capabilities. Ex. Agentless NAC requires less infrastructure, but it is limited in the detail of information it can provide.

28
Q

Port Security

A

A capability that limits the number of MAC addresses that can be used on a single switch port. Provides security against a number of threats:
- MAC address spoofing
- Content-addressable memory (CAM) table overflows
- Plugging in additional network devices to extend network access

Provides security in two ways:
- Limiting the number of devices that can connect to a port
- Limiting which MAC address is allowed to connect to a specific port.

29
Q

Protocol Level Protections

A

Security controls that are used on switches and other network devices.
Loop prevention - Detects loops and then disables ports to prevent the loops from causing a network issue. Spanning Tree Protocol (STP) sends frames with a switch identifier that the switch then monitors to prevent loops. Loops are usually due to human error. Ex. Cables on a firewall plugged in backwards, or both ends of a cable plugged into the same switch.
Broadcast Storm Prevention (Storm control) - Prevents broadcast packets from being amplified as they traverse a network.
Bridge Protocol Data Unit (BPDU) Guard - Protects STP by preventing ports that are not permitted to send BPDU messages from doing so.
Dynamic Host Configuration Protocol (DHCP) Snooping - Prevents rogue DHCP servers from handing out IP addresses to clients in a managed network. DHCP snooping drops messages from any DHCP server that is not on a list of trusted servers, and it can also be configured to block DHCP messages where the source MAC and the hardware MAC of a network card do not match.

30
Q

Virtual Private Network (VPN)

A

A way to create a virtual network link across a public network that allows the endpoints to act as though they are on the same network.

IPSec VPN - Operates at layer 3, requires a client, and can operate in either tunnel or transport mode. Used for site-to-site VPNs or when the traffic is more than just web or application traffic.
- Tunnel mode - Entire packets of data are sent to the other end of the VPN connection and are protected.
- Transport mode - The IP header is not protected, but the IP payload is.

SSL VPN - Actually uses TLS in current implementations. Uses a portal-based approach, typically HTML5, where users access it through a web page and then access services through that connection, or it can offer a tunnel mode. Can be used without an agent installed on the computing device or without a specific endpoint configuration. Ex. Hotel Wi-Fi access.

Remote access VPN - Commonly used for traveling staff and remote workers. Used in an as-needed mode, with remote workers turning on the VPN when they need to connect.
Site-to-site VPN - Used to create a secure network channel between two or more sites. Frequently set to always-on status; if disconnected, it automatically tries to re-establish the connection.

31
Q

Tunneling

A

A way to move packets from one network to another. Tunneling works via encapsulation: wrapping a packet inside another packet.
Full-tunnel - Sends all network traffic through the VPN tunnel, keeping it secure as it goes to the remote trusted network.
Split-tunnel - Only sends traffic intended for systems on the remote trusted network through the VPN tunnel. Uses less bandwidth for the hosting site.

32
Q

Jump Servers

A

A secured and monitored system used to provide administrative access to a secured network zone. It is configured with the tools required for administrative work and is frequently accessed with SSH, RDP, or other remote access methods.

33
Q

Load Balancing

A

Used to distribute traffic to multiple systems, provide redundancy, and allow for ease of upgrades and patching.

Two modes of operation:
- Active/active load - Distributes the load among multiple systems that are online and in use at the same time.
- Active/passive load - Brings backup or secondary systems online when an active system is removed or fails to respond properly to a health check.

Scheduling algorithms:
- Round-robin - Sends each request to servers by working through a list, with each server receiving traffic in turn.
- Least connection - Sends traffic to the server with the fewest active connections.
- Agent-based adaptive balancing - Monitors the load and other factors that impact a server's ability to respond and updates the load balancer's traffic distribution based on the agent's reports.
- Source IP hashing - Uses a hash of the source IP to assign traffic to servers. A randomization algorithm using client-driven input.
Weighted algorithms:
- Weighted least connection - Uses a least connection algorithm combined with a predetermined weight value for each server.
- Fixed weight - Relies on a preassigned weight for each server, often based on capability or capacity.
- Weighted response time - Combines the server's current response time with a weight value to assign traffic to it.

Load balancers also need to be able to establish persistent sessions, where the client and server maintain communication throughout the duration of a session.

34
Q

Proxy Servers

A

Accept and forward requests, centralizing the requests and allowing actions to be taken on the requests and responses. They can filter or modify traffic and cache data, and since they centralize requests, they can be used to support access restrictions by IP address or similar requirements.
- Forward proxies - Placed between clients and servers; accept requests from clients and send them to the servers. Conceal the original client, so they can anonymize traffic or provide access to resources that might be blocked by IP address or geographic location.
- Reverse proxies - Placed between servers and clients and used to help with load balancing and caching of content. Clients query a single system but have their traffic load spread to multiple systems or sites.

35
Q

Web Filters

A

Centralized proxy devices or agent-based tools that allow or block traffic based on content rules.
- Uniform Resource Locator (URL) scanning - Blocking specific URLs, domains, or hosts.
- Complex - Pattern matching, IP reputation, or other elements built into filtering rules.
Can be configured with allow or deny lists as well as rules that operate on content or traffic.

36
Q

Data Loss Prevention

A

Pairs agents on systems with filtering capabilities at the network border, email servers, and other likely exfiltration points. Can use pattern matching capabilities or rely on tagging, including metadata, to identify data that should be flagged. Actions that can be taken include blocking traffic, sending notifications, or forcing identified data to be encrypted or otherwise securely transferred rather than being sent in an unencrypted state.

37
Q

Intrusion Detection System (IDS)

Intrusion Prevention System (IPS)

A

A tool that will detect (IDS) or prevent (IPS) threats to internal systems and either send notifications to those responsible for these systems (IDS) or block the traffic (IPS). Two detection methods:
- Signature-based detection relies on known hash or signature matching to detect a threat.
- Anomaly-based detection establishes a baseline for an organization or network and then flags when out-of-the-ordinary behavior occurs.

IPS - Needs to be deployed inline, where it can interact with the flow of traffic to stop threats.

38
Q

Types of Firewalls

A

Stateless firewalls (packet filters) - Filter every packet based on data such as the source and destination IP and port, the protocol, and other information that can be seen in the packet headers.
Stateful firewalls (dynamic packet filters) - Pay attention to the state of traffic between systems. They make a decision about a conversation, which lets them see the entire traffic flow instead of each packet, providing more context for security decision making.
Next-generation firewalls (NGFW) - All-in-one network security devices. These include deep-packet inspection, IDS/IPS functionality, antivirus, antimalware, and other functions. Typically faster and provide more throughput than UTMs, but require more configuration and expertise.
Unified threat management (UTM) - These include firewall, IDS/IPS, antimalware, URL and email filtering, data loss prevention, VPN, and security monitoring and analytics capabilities. Used as a more out-of-the-box solution that can be quickly deployed and configured.
Web application firewalls (WAFs) - Security devices designed to intercept, analyze, and apply rules to web traffic, including database queries, APIs, and other web application tools. Think of them as a firewall and IPS combined. They perform deep inspection of traffic sent to web servers, looking for attacks and attack patterns, then apply rules based on the traffic. Allows real-time attack blocking or the ability to modify traffic to remove potentially dangerous elements in a request.

39
Q

Screened Subnet

A

Used in networks that have both public and private areas, a screened subnet lets users access the internet without exposing the local area network to internet-based cyber attacks or data breaches. It does this by establishing a network between an internal network and an external/presumed hostile network, such as the internet. This ensures that there is no single vulnerable point that could potentially compromise the entire enterprise network.

It uses three network interfaces:

Interface 1 is the public interface connected to the internet.
Interface 2 connects to the demilitarized zone (DMZ) to which hosted public services are attached.
Interface 3 connects to the intranet to provide access to and from internal networks.

40
Q

Access Control Lists

A

Rules that either permit or deny actions. Can be configured as single statements (simple) or multiple entries (complex) applied to traffic.

41
Q

Deception and Disruption Technology

A

Honeypots - Systems intentionally configured to appear vulnerable but that are actually heavily instrumented and monitored systems that document everything an attacker does while retaining copies of every file and command they use.

Honeynets - Networks set up and instrumented to collect information about network attacks. A group of honeypots set up to be even more convincing and to provide greater detail on attacker tools, due to the variety of systems and techniques required to make it through the group of honeypots.

Honeyfiles - An intentionally attractive file that contains unique, detectable data and is left in an area that an attacker is likely to visit if they succeed in their attacks. Provides validation of an attack if the file is detected leaving the network or is found outside of the network.

Honeytokens - Data that is intended to be attractive to attackers but is used to allow security professionals to track data. They may be entries in databases, files, directories, or other data assets that can be specifically identified by IPS/IDS/DLP. These systems are then configured to watch for the honeytokens, which should not leave the organization or be accessed under normal data use, because they are not real organizational data.

42
Q

Out-Of-Band Management

A

Includes a separate way to access the administrative interface of network devices. This ensures that if the network is compromised, the administrators may still maintain control of the network devices. Segregated through a management VLAN or an entirely separate physical network.

43
Q

Domain Name System (DNS)

A

Tells systems where to send traffic when a request to access a site is received. DNS is not a secure protocol: it travels in an unencrypted, unprotected state and has no authentication capabilities.

44
Q

Domain Name System Security Extensions (DNSSEC)

A

DNSSEC provides authentication of DNS data, allowing DNS queries to be validated even though they are not encrypted. Proper configuration of DNS servers is important:
- Prevent zone transfers
- Ensure DNS logging is turned on
- Block DNS requests to malicious sites

45
Q

DNS Filtering

A

Uses a list of prohibited domains, subdomains, and hosts and replaces the response with an alternate DNS response, usually an internal website that notes access was blocked and next steps if access is still needed.

46
Q

Email Security

A

DomainKeys Identified Mail (DKIM) - Allows organizations to add content to messages to identify them as being from their domain. DKIM signs both the body and elements of the header to validate that the message was sent from an internal source.
Sender Policy Framework (SPF) - An email authentication technique that allows organizations to publish a list of their authorized email servers. SPF records are added to the DNS information for your domain and specify which systems are allowed to send email from that domain.
Domain-based Message Authentication, Reporting and Conformance (DMARC) - A protocol that uses SPF and DKIM to determine whether an email message is authentic. DMARC records are published in DNS as well and can be used to determine whether you should accept a message from a sender.
Email Security Gateways - Devices designed to filter both inbound and outbound email while providing a variety of security services:
- Phishing protection
- Attachment sandboxing
- Ransomware protection
- URL analysis
- Threat feed integration
- Support for DKIM, SPF, & DMARC checking

47
Q

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

A

SSL/TLS uses certificates to establish an encrypted link between a server and a client. This allows sensitive information like credit card details to be transmitted securely over the internet.

The certificate contains a public key that authenticates the website’s identity and allows for encrypted data transfer through asymmetric, or public-key cryptography. The matching private key is kept secret on the server.

SSL/TLS certificates authenticate identities and enable encrypted connections through the SSL/TLS handshake:
- The client requests access to a protected resource such as a login page.
- The server responds by sending its SSL certificate, including the public key.
- The client verifies that the certificate is valid and trusted. This ensures the server is authentic.
- The client generates a symmetric session key and encrypts it with the server's public key. This securely transmits the session key to the server.
- The server decrypts the session key with its private key.
- Both parties use the symmetric session key to encrypt and decrypt all transmitted data.
This handshake allows the two parties to negotiate an encrypted channel without sharing sensitive information over insecure channels. The encrypted session protects data in transit between the client and server.

48
Q

Ephemeral Keys

A

Used in TLS secure transmission; these are Diffie-Hellman key exchanges where each connection receives a unique, temporary key. If a transmission is compromised, any transmission that occurred previously or in the future will not be exposed. Provides perfect forward secrecy (even if the secrets of the key exchange are compromised, the communication itself will not be).

49
Q

Simple Network Management Protocol (SNMP)

A

Used to monitor and manage network devices. SNMP objects are listed in a management information base (MIB) and are queried for SNMP information. When a configured device uses SNMP and it encounters an error, it sends a message known as an SNMP trap. SNMP traps are sent to an SNMP manager including information about what occurred so that the manager can take appropriate action.

50
Q

File Integrity Monitoring (FIM)

A

Detects modifications that attackers may make by changing configuration files, installing their own services, or otherwise modifying systems that need to be trustworthy. FIMs create a signature or fingerprint for a file and then monitor the file and filesystem for changes to those monitored files.

51
Q

Hardening Network Devices

A

A collection of tools, techniques, and best practices to reduce vulnerabilities in technology applications, systems, infrastructure, firmware, and other areas. The goal of systems hardening is to reduce security risk by eliminating potential attack vectors and condensing the system's attack surface. By removing superfluous programs, accounts, functions, applications, ports, permissions, access, etc., attackers and malware have fewer opportunities to gain a foothold within your IT ecosystem.

52
Q

Secure Protocols

A

HTTPS - Hypertext Transfer Protocol over SSL/TLS - Relies on TLS to provide security controls over web traffic.

SNMPv3 - Simple Network Management Protocol version 3 - Provides authentication of message sources, message integrity validation, and confidentiality via encryption.

SRTP - Secure Real-time Transport Protocol - A secure version of the Real-time Transport Protocol (RTP), which is designed to deliver audio and video streams over networks. Uses encryption and authentication to reduce the likelihood of successful attacks, including replay and denial-of-service attempts.

LDAPS - Secure Lightweight Directory Access Protocol - A TLS-protected version of LDAP that offers confidentiality and integrity protections.

SSH - Secure Shell - A protocol for remote console access to devices and a secure alternative to Telnet. Also used as a tunneling protocol.

DNSSEC - Domain Name System Security Extensions - Ensures that DNS information is not modified or malicious but does not provide confidentiality. Uses digital signatures, allowing systems that query a DNSSEC-equipped server to validate that the server's signature matches the DNS record.

53
Q

Email Related Protocols

A

Secure/Multipurpose Internet Mail Extensions (S/MIME) - Provides the ability to encrypt and sign MIME data. The content and attachments of an email can be protected, while providing authentication, integrity, nonrepudiation, and confidentiality for messages sent using S/MIME. Requires a certificate for users to be able to send and receive.

54
Q

File Transfer Protocol

A

Secure File Transfer Protocol (SFTP) - Leverages SSH as a channel to perform file transfers. It is easier to get through firewalls since it uses the SSH port.

55
Q

Internet Protocol Security (IPSec)

A

An entire suite of security protocols used to encrypt and authenticate IP traffic.
- Authentication Header (AH) - Uses hashing and a shared secret key to ensure integrity of data and validates senders by authenticating the IP packets that are sent.
- Encapsulating Security Payload (ESP) - Operates in either transport mode or tunnel mode. In tunnel mode, it provides integrity and authentication for the entire packet.

56
Q

On-Path Attacks

A

Man-in-the-middle attack. Occurs when an attacker causes traffic that should be sent to its intended recipient to be relayed through a system or device the attacker controls.
- Used to conduct SSL stripping, where TLS encryption is removed in order to read the contents of the traffic. SSL stripping process:
  - The user sends an HTTP request for a web page.
  - The server responds with a redirect to the HTTPS version of the page.
  - The user sends an HTTPS request for the page they were redirected to, and the website loads.

Man-in-the-browser attack. Relies on a Trojan that is inserted into a user's browser. The Trojan is then able to access and modify information sent and received by the browser.

57
Q

Domain Name System Attacks

A

Domain hijacking - Changes the registration of a domain, either through technical means like a vulnerability at a domain registrar or control of a system belonging to an authorized user, or through non-technical means such as social engineering. The end goal is for the domain settings to be modified to allow the attacker to intercept traffic, send and receive email, or take an action while appearing to be the legitimate domain holder.

DNS poisoning - An attacker provides a DNS response while pretending to be an authoritative DNS server. This is an on-path attack. Vulnerabilities in DNS protocols or implementations can also permit poisoning, as can infecting the DNS cache on a system. Once a malicious DNS entry is in a system's cache, the attacker can collect information until that cache is purged or updated.

URL redirection - When an attacker takes advantage of a vulnerability and inserts an alternate IP address into a system's hosts file.

Domain reputation - Services that validate whether a domain is a trusted email sender or sends a lot of spam email.

58
Q

Credential Replay Attacks

A

A network attack in which the attacker captures valid network data and re-sends or delays it so that the attacker's own use of the data is successful.

59
Q

Distributed Denial of Service Attack (DDOS)

A

An attack that is conducted from multiple locations, networks, or systems to overwhelm the target systems to the point that they are no longer accessible.
- Volume-based attacks:
  - UDP floods - UDP is a less secure protocol; where it is still in use, the attack is executed by sending large amounts of traffic to the target host that it cannot handle.
  - ICMP or ping floods - Sending large numbers of ICMP packets to the target network, which cannot handle the amount of traffic.

Protocol-based attack - SYN flood attack - A SYN is the first step in a three-way handshake; the attacker never responds to the SYN-ACK, so the target consumes TCP stack resources waiting on responses that never arrive.

Amplified denial-of-service attack - Takes advantage of protocols that allow a small query to return large results, like a DNS query. Spoofing a system's IP address as part of a query can result in the DNS server sending more traffic to the spoofed IP address than was sent to the DNS server, amplifying a small amount of traffic into a large response.

Reflected denial-of-service attack - The spoofed IP address causes a legitimate service to conduct the attack, making it harder to know who the attacker is. When combined with amplification, it can be very difficult to determine where the attacker is originating from and difficult to stop.