Security Threat Landscape Flashcards
Evolution of a Targeted Attack
External reconnaissance
Initial compromise
Escalation of privileges
Internal reconnaissance
Further compromise
Further escalation of privileges
End goal
Reflection & Amplification
A reflection attack is a DoS attack where the attacker spoofs the victim’s source address
The attacker sends traffic supposedly from the victim which elicits a response from “reflectors”
Amplification causes a large amount of response traffic to the victim
Stateful Firewalls
Maintain a connection table which tracks the two-way “state” of traffic passing through the firewall
Return traffic is permitted by default
NGFW
Deep packet inspection up to layer 7
Different permissions can be applied to different users
Packet Filters
An ACL policy is a packet filter
Packet filters do not maintain a connection table
Affect traffic in one direction only
If you have an ACL applied on the way out only, the return traffic is not blocked
If you have ACLs applied in both directions, you will need explicit entries to allow both outbound/inbound traffic
ACL Keyword: Established
Checks for the ACK flag in return traffic (only packets belonging to an already-started TCP connection are matched)
This does not make the router a stateful firewall
IOS Firewall
You can configure a router as a stateful firewall with the IOS Firewall feature set
Uses different commands than ACLs
Internal & External Threats
Standard practice is to use firewalls on major security boundaries
–And augment with internal ACLs
Sensitive hosts should also have firewall/IPS protection from internal hosts
Cryptography Services
Authenticity
Confidentiality
Integrity
Non-repudiation
HMAC
Hash-Based Message Authentication Codes:
Provides data integrity
Sender creates a hash value from the data to be sent using a symmetric key
Hash value is appended to data
Receiver hashes the data with the same shared key
If hash values match, data hasn’t been altered in transit
Used for large transmissions (email, secure web traffic, IPsec)
Algorithms: MD5, SHA, & More
PKI
Public Key Infrastructure:
Key Distribution Problem
–Each site needs to know the shared key
–But one party can’t send shared key over internet connection
—–Because an attacker could sniff it
PKI solves the secure key distribution problem
Uses a trusted introducer (CA) for the two parties who need secure communication
Both parties need to trust the CA
TLS
Transport Layer Security:
TLS is the successor to SSL (Secure Sockets Layer: Deprecated)
Can be used to provide secure web browsing
Uses symmetric cryptography
–Symmetric keys generated uniquely for each connection
Authentication is provided by public key cryptography
Message Authentication Code provides integrity
Site-to-Site VPNs
Use symmetric encryption algorithms
Traffic inside an office is often unencrypted as it is seen as a trusted network
VPN tunnels can also be deployed internally
Cisco TrustSec is another solution for internal authentication/encryption
Typically terminate on a firewall or router on both sides
A pre-shared key can be configured on both sides of the tunnel or certificates can be used
–Certificates offer a more scalable solution
IPsec
Framework of open standards that provides secure encrypted communication over IP networks
IPsec: IKE
Internet Key Exchange:
Handles negotiation of protocols & algorithms, & generates the encryption & authentication keys
IPsec: ISAKMP
Internet Security Association & Key Management Protocol:
Defines the procedures for authenticating a communicating peer and for the creation and management of Security Associations (SAs)
Typically uses IKE for key exchange
IPsec: AH
Authentication Header:
Provides integrity, authentication, & anti-replay
IPsec: ESP
Encapsulating Security Payload:
Provides confidentiality, integrity, authentication, & anti-replay
More commonly used than AH
IPsec: ESP Tunnel Mode
Protects the internal routing info by encrypting the IP header of the original packet
Original packet is encapsulated by another set of IP headers
Widely implemented in site-to-site VPNs
IPsec: ESP Transport Mode
Encrypts only the payload & ESP trailer
–IP header of original packet is not encrypted
Implemented for client-to-site VPNs
Usually used when another tunneling protocol (like GRE, L2TP) is used to first encapsulate the IP data packet, then IPsec is used to protect the GRE/L2TP tunnel packets
IPsec Implementation
Interesting Traffic:
The VPN devices recognize the traffic to protect
ISAKMP/IKE Phase 1:
VPN devices negotiate an IKE security policy, authenticate each other & establish a secure channel
ISAKMP/IKE Phase 2:
VPN devices negotiate an IPsec security policy to protect IPsec data
Data Transfer:
VPN devices apply security services to traffic, then transmit the traffic
Client-to-Site VPNs
Please refer to video course & slides for example
Phishing & Data Exfiltration
Cisco ESA (Email Security Appliance) scans links/attachments in incoming email for malware, phishing attacks, & spam
Cisco WSA (Web Security Appliance) prevents users from accessing dangerous sites
Policies can also be implemented on the ESA & WSA to prevent sensitive info from being sent out of the organization
Policies/procedures should be implemented
–How/what info can be sent or taken outside company premises
–Security awareness
Reconnaissance & Social Engineering
Low level recon & social engineering can use very low tech methods to get info
As such it is difficult for IT to use technical solutions to protect against them
Staff security awareness/education is key
Policies/procedures
IPS can defend against deeper recon (which uses port & vulnerability scanners)
–Not normal for a host to scan through a range of port numbers
–Can detect & drop that traffic
–Attacker may circumvent by running scan over a longer period of time
DDoS
Distributed Denial of Service:
IPS can detect via anomaly-based inspection
Advanced firewalls can offload incoming connection attempts from servers when traffic rate reaches threshold
–And respond with quicker connection timeouts and/or cookies
Anti-DDoS services (like Arbor Networks) monitor global internet traffic to detect botnets & C&C (command & control) servers
–On premises & cloud based solutions which scrub traffic when an organization is under attack (DDoS)
Geographic dispersion of an organization’s services can help mitigate
Spoofing, MITM, & Reflection Attacks
uRPF (Unicast Reverse Path Forwarding)
–Verifies a source IP is reachable through the same interface it was received on
–When an attacker spoofs a source IP, they do not receive return traffic so they do not see the sequence numbers in TCP responses from the target
A target may be more vulnerable to attacks if it uses predictable TCP sequence numbers
–Applications should be patched/updated to prevent this
–When in traffic path, advanced firewalls can also randomize TCP sequence numbers
Secure authentication
DAI detects & blocks ARP spoofing attacks
Password Attacks
Firewalls & packet filters should be configured to prevent illegitimate users from having connectivity to log in
Secure password policies
–Complexity, expiration, history, length, etc
Use MFA
Educate staff about social engineering
Buffer Overflow
Software should be updated/patched so that it rejects malformed packets
Packet Sniffers
Packet filters & firewalls should be used to ensure traffic paths are controlled
Traffic should be authenticated/encrypted if it passes over an untrusted network