Chapter 8 Network Risk Management
DRDoS
a DoS attack bounced off of uninfected computers, called reflectors, before being directed at the target. This is achieved by spoofing the source IP address to make it look like all of the requests for the response are being sent by the target, then the reflectors send their responses to the target, thereby flooding it with traffic.
unintentional DoS attack
a DoS situation that is created unintentionally and without malicious intent, such as when a Web site is flooded with an unexpectedly high amount of shopping traffic during a flash sale
user awareness
an NGFW (Next Generation Firewall) feature that adapts a firewall's configuration to the class of a specific user or user group
Application Control
an NGFW (Next Generation Firewall) feature that gives a firewall some level of application awareness functionality, meaning the firewall can monitor and limit the traffic of specific applications, including the application's vendor and digital signature
zombie
a computer used without the owner's knowledge or consent
RF emanation
a condition created by the leaking of radio or electrical signals from computer equipment
honeypot
a decoy system that is purposely vulnerable and filled with what appears to be sensitive content
lure
a decoy system that, when attacked, can provide unique information about hacking behavior
intrusion prevention system
a dedicated device or software running on a workstation, server, or switch, that stands between the attacker and the network or host, and can prevent traffic from reaching the protected network or host
consent to monitoring form
a document that ensures employees are made aware that their use of company equipment and accounts can be monitored and reviewed as needed for security purposes
application aware
a feature that enables a firewall to monitor and limit the traffic of specific applications, including the application's vendor and digital signature
Next Generation Firewall
a firewall innovation that includes advanced, built-in features, including Application Control, IDS and/or IPS functionality, user awareness, and context awareness
virtual wire mode
a firewall installation in which the firewall is transparent to the surrounding nodes, as if it were just part of the network transmission media (stealth mode)
stateful firewall
a firewall that is able to inspect each incoming packet to determine whether it belongs to a currently active connection, and therefore, is a legitimate packet
stateless firewall
a firewall that is able to inspect each incoming packet to determine whether it belongs to a currently active connection, and therefore, is a legitimate packet
host-based firewall
a firewall that protects an entire network
network-based firewall
a firewall that protects an entire network
botnet
a group of computers requisitioned in coordinated DDoS attacks without the owners' knowledge or consent
honeynet
a group of several honeypots
domain local group
a group of workstations that is centrally managed via Active Directory for the entire network
reverse proxy
a host that provides services to Internet clients from servers on its own network. Provides identity protection for the server rather than the client. Particularly useful when multiple Web servers are accessed through the same public IP address.
access control list
a list of statements used by a router to permit or deny the forwarding of traffic on a network based on one or more criteria
slave zombie
a lower-layer host in a botnet
hardening technique
a measure taken to help reduce security risks on a network
buffer overflow
a memory problem in which a buffer's size is forced beyond its allotted space, causing the operating system to save data in adjacent memory areas.
port mirroring
a monitoring technique in which one port on a switch is configured to send a copy of all its traffic to a second port
proxy server
a network host that runs a proxy service
quarantine network
a network segment that is situated separately from sensitive network resources and might limit the amount of time a device can remain connected to the network. Provides a relatively safe holding place for devices that do not meet compliance requirements or have been compromised
Nessus
a penetration testing tool from Tenable Security that performs sophisticated vulnerability scans to discover information about hosts, ports, services, and software
metasploit
a penetration-testing tool that combines known scanning techniques and exploits to explore potentially new types of exploits
penetration testing
a process of scanning a network for vulnerabilities and investigating potential security flaws
Trojan horse
a program that disguises itself as something useful but actually harms your system. Does not replicate itself.
virus
a program that replicates itself with the intent to infect more computers, either through network connections when it piggybacks on other files or through the exchange of external storage devices
worm
a program that runs independently and travels between computers and across networks. Although these do not alter other programs as viruses do, they carry viruses.
Internet Relay Chat
a protocol that enables users running special IRC client software to communicate instantly with other participants in a chat room on the Internet
packet-filtering firewall
a router, or computer installed with software that enables it to act as a router, that examines the header of every packet of data that it receives to determine whether that type of packet is allowed to continue to its destination
network policy
a rule or set of rules that determines the level and type of access granted to a device when it joins a network
dynamic ARP inspection
a security feature on a switch that monitors ARP messages in order to detect faked ARP messages
DHCP snooping
a security feature on switches whereby DHCP messages on the network are checked and filtered
backdoor
a security flaw that allows unauthorized users to gain access to the system
Unified Threat Management
a security strategy that combines multiple layers of security appliances and technologies into a single safety net
proxy service
a software application on a network host that acts as an intermediary between the external and internal networks, screening all incoming and outgoing traffic.
agent
a software routine that collects data about a managed device's operation or compliance with security benchmarks, and provides this information to a network management application
TEMPEST
a specification created by the NSA to define protection standards against RF emanation
intrusion detection system
a stand-alone device or software running on a workstation/server/switch that is used to monitor network traffic and create alerts when suspicious activity happens. Installed to provide security INSIDE the network.
network access control
a technology solution that balances the needs for network access with the demands of network security by employing a set of rules, called network policies, to determine the level and type of access granted to a device when it joins the network. Authenticates and authorizes devices by verifying that the device complies with predefined security benchmarks, such as whether the device has certain system settings, or whether it has specific applications installed
posture assessment
a thorough examination of each aspect of a network to determine how it might be compromised
smurf attack
a threat to the networked hosts in which the host is flooded with broadcast ping messages. This attack is a type of DoS attack.
host-based intrusion prevention system
a type of IPS that protects an entire network and is situated at the edge of the network or in a network's DMZ
network-based intrusion prevention system
a type of IPS that protects an entire network and is situated at the edge of the network or in a network's DMZ
wildcard mask
a variation of a network address that specifies a network segment (group of IP addresses) by using 0s in bits that must match the network address and 1s in bits that can hold any value. Used in ACL statements to dictate which traffic can or cannot pass through.
file-infector virus
a virus that attaches itself to executable files. When the infected executable file runs, the virus copies itself to memory. Later, the virus attaches itself to other executable files.
boot sector virus
a virus that positions its code on the boot sector of a computer's hard disk so that, when the computer boots up, the virus runs in place of the computer's normal system files. These are commonly spread from external storage devices to hard disks.
network virus
a virus that propagates itself via network protocols, commands, messaging programs, and data links. Although all viruses could theoretically travel across network connections, these are specially designed to attack network vulnerabilities.
macro virus
a virus that takes the form of a macro (such as the kind used in a word-processing or spreadsheet program), which may execute when the program is in use.
vulnerability
a weakness of a system, process, or architecture that could lead to compromised information or unauthorized access
nonpersistent agent
also called a dissolvable agent. An agent that remains on a device long enough to verify compliance and complete authentication, then uninstalls.
implicit deny
an ACL rule which ensures that any traffic the ACL does not explicitly permit is denied by default
context aware
an NGFW (Next Generation Firewall) feature that enables a firewall to adapt to various applications, users, and devices
security audit
an assessment of an organization's security vulnerabilities performed by an accredited network security firm
ping of death
an attack in which a buffer overflow condition is created by sending an ICMP packet that exceeds the maximum 65,535 bytes, often resulting in a system crash.
session hijacking attack
an attack in which a session key is intercepted and stolen so that an attacker can take control of a session. One type of this attack is called a man-in-the-middle attack.
FTP bounce
an attack in which an FTP client specifies a different host's IP address and port number for the requested data's destination. By commanding the FTP server to connect to a different computer, a hacker can scan the ports on other hosts and transmit malicious code. To stop these attacks, most modern FTP servers will not issue data to hosts other than the client that originally placed the request.
flashing
an attack in which an Internet user sends commands to another Internet user's machine that cause the screen to fill with garbage characters. Causes the user's session to terminate
IP spoofing
an attack in which an outsider obtains internal IP addresses and then uses those addresses to pretend that they have authority to access a private network from the Internet
DDoS
an attack in which multiple hosts simultaneously flood a target host with traffic, rendering the target unable to function
amplification attack
an attack instigated using small, simple requests that trigger very large responses from the target. DNS, NTP, ICMP, and SNMP lend themselves to being used in this kind of attack.
PDoS attack
an attack on a device that attempts to alter the device's management interface to the point where the device is irreparable. Usually targets routers or switches
MitM attack
an attack that relies on intercepted transmissions. It can take one of several forms, but in all cases a person redirects or captures secure data traffic while in transit
jamming
an attacker creating a high volume of illegitimate wireless traffic and overwhelming a network
reflector
an uninfected computer used in a DDoS attack where the computer is tricked into responding to a bogus request for response, prompting a computer to send a response to the attacker's target
master zombie
an upper-layer host in a botnet
physical attack
another name for a PDoS attack
friendly attack
another name for an unintentional DoS
malware
any program or piece of code designed to intrude upon or harm a system or its resources. This includes viruses, Trojan horses, worms, and bots.
phishing
attempting to glean access or authentication information by posing as someone who needs the information
inbound traffic
data received by a device on its way into a network
acceptable use policy
explains to users what they can and cannot do, as well as penalties for violations, and how these measures protect the network's security
content-filtering firewalls
firewalls that can block designated types of traffic based on application data contained within packets. Example: blocking a site with adult content from being accessed on a school network
Group Policy
gpedit.msc. This utility is a Windows console that is used to control what users can do and how the system can be used. Makes entries in the Registry; applies scripts to Windows start-up, shutdown, and logon processes; and affects security settings.
security policy
identifies security goals, risks, levels of authority, designated security coordinator and team members, responsibilities for each team member, and responsibilities for each employee. It also specifies how to deal with security breaches. Does not state exactly which hardware, software, architecture, or protocols will be used to ensure security. Does not state how hardware or software will be installed and configured.
social engineering
manipulating social relationships to gain access
persistent agent
more robust kind of agent. May provide additional security measures, such as remote wipe, virus scans, and mass messaging.
DoS attack
occurs when a system becomes unable to function because it has been inundated with requests for services and can't respond to any of them. As a result, all data transmissions are disrupted.
network-based intrusion detection system
protects a network and is usually situated at the edge of the network or in a network's protective perimeter, the DMZ. Can detect many types of suspicious traffic patterns, including ones that indicate DDoS attacks or smurf attacks
host-based intrusion detection system
runs on a single computer to alert about attacks on that one host
network segmentation
separating portions of a network in order to protect some resources while granting access to other resources
bot
short for robot, a program that runs automatically. Can spread viruses or other malicious code between users in a chat room by exploiting the IRC protocol
SIEM
software that can be configured to evaluate data logs from IDS, IPS, firewalls, and proxy servers in order to detect significant events that require the attention of IT staff according to predefined rules
port scanner
software that searches a node for open ports
zero-day exploit
takes advantage of a software vulnerability that hasn't yet become public, and is known only to the hacker that discovered it
hacking
the act of finding a creative way around a problem, increasing functionality of a device or program, or otherwise manipulating resources beyond their original intent
spoofing
the act of impersonating fields of data in a transmission, such as when a source IP address is impersonated in a DRDoS attack.
exploit
the act of taking advantage of a vulnerability
emission security
the implementation of TEMPEST. Also called EmSec.
hacker
traditionally, a person who masters the inner workings of computer hardware and software in an effort to better understand them. More generally, an individual who gains unauthorized access to systems or networks with or without malicious intent
outbound traffic
traffic attempting to exit a network
data breach
unauthorized access or use of sensitive data
banner-grabbing attack
when a hacker transmits bogus requests for connections to servers or applications in order to harvest useful information to guide their attack efforts
ARP cache poisoning
when attackers use faked ARP replies to alter ARP tables in a network