CIS4341 Security and Risk Chapter 7-8
What is network fingerprinting?
Fingerprinting = systematic survey of target org's internet addresses collected during footprinting phase to ID the network services offered by the hosts in that range Reveals info about internal structure and nature of target system
How are network footprinting and network fingerprinting related?
Fingerprinting uses the information gleaned from footprinting to dig deeper into internal structures of the target.
What is network footprinting?
Footprinting = organized research and investigation of internet addresses owned/controlled by target org Collecting publicly available information about a potential target
What is a monitoring (or SPAN) port? What is it used for?
SPAN port = specially configures connection on a NW that views all traffic moving through a device Also used for occasional use in diagnosing NW faults and measuring NW performance
How does a signature-based IDPS differ from a behavior-based IDPS?
Signature-based = searches system for known attack signatures Behavior-based = compares current data and traffic patterns to a normal baseline
What encryption standard is currently recommended by NIST?
Standard: Advanced Encyption Standard (AES): Current federal standard for the encryption of data, as specified by NIST. Based on Rijndael algorithm, developed by VINCENT RIJMEN an JOAN DAEMEN - should be unclassified, publicly disclosed, and available royalty-free worldwide - implements Rijndael Block Cipher with variable block length and key length of 128, 192, 256 bits
What common security system is an IDPS most like? In what ways are these systems similar?
"An IDS works like a burglar alarm in that it detects a violation and activates an alarm." (p. 388) They both can be configured to notify of a break in.
What are the components of PKI?
> Certificate authority: third party that manages users' digital certificates / issues, manages, authenticates signs, and revokes users' digital signatures > Registration authority: third party that operates under the trusted collaboration of the certificate authority and handles day-to-day certification functions / verifying registration information , generating end-user keys, revoking certificates, and validating user certificates > Certificate directories: Central locations for certificate storage that provide a single access point for administration and distribution > Management protocols: Organize and manage communications among CAs, RAs, and end users / functions and procedures for setting up new users, issuing keys, updating keys, revoking keys, and enabling transfer of certificates and status > Policies and procedures: Assist an organization in the application and management of certificates / legal liabilities and limitations
What is the difference between a digital signature and a digital certificate?
> Digital signatures are encrypted message components that can be mathematically proven as authentic > Digital certificates are public-key container files that allow PKI system components and end users to validate a public key and identify its owner. > Difference: A digital certificate is a wrapper for a key value. A digital signature is a combination of a message digest and other information used to assure nonrepudiation. 10. What is the difference between a digital signature and a digital certificate?
What is a hash function, and what can it be used for?
> Hash function: Mathematical algorithms > Use: Generates a message summary/digest to confirm message identity and integrity
If you were setting up an encryption-based network, what key size would you choose and why?
> Key size: 128+ > Why: The current "gold standard" is to ensure that all computing device are capable of AES 256 bit encryption. The more bits, the better. 128 gives you 19 sextillion years,
What is the typical key size of a strong encryption system used on the Web today?
> Key size: WPA used 128-bit keys, and NextGen Wireless Protocols such as RNS uses up to 256
IPSec can be implemented using two modes of operation. What are they?
> Modes: Transport and Tunnel > Transport: Only packet's IP data is encrypted, NOT the IP headers; this allows intermediate nodes to read source and destination addresses. > Tunnel: ENTIRE IP packet is encrypted and inserted as the payload in another IP packet. Systems at the ends of the tunnel must act as proxies to send and receive the encrypted packets and transmit the packets to their destination
Which security protocols are used to protect e-mail?
> S/MIME (Secure Multipurpose Internet Mail Extensions): Security protocol that builds on the encoding format of the multipurpose internet mail extensions protocol and uses digital signatures based on public key cryptosystems to secure email. > PEM (Privacy-Enhanced Mail): A standard proposed by the internet engineering task force that uses 3des symmetric key encryption and RSA for key exchanges and digital signatures > PGP (Pretty Good Privacy): Hybrid cryptosystem that combines some of the best available cryptographic algorithms. 14. Which security protocols are used to protect e-mail?
What are the most popular encryption systems used over the Web?
> SET, SSL, S-HTTP, Secure Shell (SSH-2), and IP Security (IPSec) > SET (Secure Electronic Transactions): --Developed by MasterCard and Visa in 1997 to protect against electronic payment fraud --Uses DES to enrcypt card info transfers and RSA for key exchange --Internet-based AND in-store swipes > SSL (Secure Sockets Layer): --Developed by Netscape to use a public-key encryption to secure a channel over the Internet --Most popular browsers use it --Provides 2 protocols in TCP framework: SSL Record Protocol and Standard HTTP > S-HTTP (Secure HTTP): --Extended version of HTTP --Provides for encryption of protected Web pages transmitted via Internet between client and server --Application of SSL over HTTP, protected and secure virtual connection --Designed for sending indiv messages over the Internet, so session must be established --Provides confidentiality, authentication, and data integrity > IPSec (IP Security): --PRIMARY and DOMINANT cryptographic authentication and encryption product --Created by IETF's IP Protocol Security Working Group --Made for TCP/IP family of protocol standards --Provides application support for all users in TCP/IP, including VPNs --Protect data integiryt, user confidentiality, and authenticity at IP level --Defined in REquest for Comments (RFC) 1825, 1826, 1827 --Widely used to create VPNs --Open framework --Includes IP Sec protocol itself --Used to secure comms across IP-based networks such as LANs, WANs, and Internet
Which security protocols are predominantly used in Web-based electronic commerce?
> Secure HTTP (S-HTTP): An extended version of HTTP that provides for the encryption of protected web pages transmitted via the internet between a client and server > Secure Sockets Layer (SSL): A security protocol developed by Netscape to use public key encryption to secure a channel over the internet. > Secure Electronic Tansactions (SET): A protocol developed by credit card companies to protect against electronic payment fraud.
What is steganography, and what can it be used for?
> Steganography is the process of hiding messages. > Used to hide a message in the digital encoding of a picture/graphic so it's impossible to detect that the hidden message even exists / protects confidentiality of information in transit. Steganography is a process used to hide messages within digital encoding of pictures and graphics. It is a concern for security professionals because hidden messages can contain sensitive information that needs to be protected. 12. What is steganography, and what can it be used for?
What are the three basic operations in cryptography?
> Substitution Cipher: One value is substituted for another > Transposition Cipher: Block values are rearranged based on an established pattern. AKA permutation cipher > Exclusive OR operation (XOR): Two bits are compared; identical = 0, not identical = 1 4. What are the three basic operations in cryptography?
Which kind of attack on cryptosystems involves using a collection of pre-identified terms? Which kind of attack involves sequential guessing of all possible key combinations?
> Uses pre-identified terms: Dictionary attack > All possible key combinations: Brute force attack
What is Metasploit Framework? Why is it considered riskier to use than other vulnerability scanning tools?
A collection of exploits coupled with an interface tha allows pen testers to automate the custom exploitation of vulnerable systems. It can be very dangerous as it exploits the remote machine and allows the vulnerability analyst to create an account, modify a Web page, or view data.
How does a false positive alarm differ from a false negative alarm? From a security perspective, which is less desirable?
A false positive is an alert that occurs in the ABSENCE of an actual attack. A false negative is the failure of an IDPS to react to an actual attack event. The less desirable is a false NEGATIVE.
What is a vulnerability scanner? How is it used to improve security?
A software program that scans a range of network addresses and port numbers for open services. Should be proficient at finding known, documented holes.
What is the difference between active and passive vulnerability scanners?
Active = An application that scans networks to identify exposed usernames and groups, open network shares, configuration problems, and other vulnerabilities in servers Passive = A scanner that listens in on a network and identifies vulnerable versions of both server and client software. Difference: active scans to find highly detailed info; initiate traffic, while passive merely listens in on the network Active scanner: initiates network traffic to find and evaluate service ports. Passive scanner: uses traffic fro m the target network segment to evaluate the service ports available from hosts on that segment
How does a network-based IDPS differ from a host-based IDPS?
An NIPDS is an IDPS that resides on a computer connected to a segment of the org network and monitors traffic on that segment An HIDPS resides on a PARTICULAR computer/server and monitors activity ONLY ON THAT SYSTEM
Why do many organizations ban port scanning activities on their internal networks?
An attacker can use an open port to send commands to a computer, potentially gain access to a server, and possibly exert control over a networking device.' Rule of thumb: Don't need the port? SECURE IT OR GET RID OF IT.
What is an open port? Why is it important to limit the number of open ports to those that are absolutely essential?
An open port is an open communication channel to the computer, system, network, server, etc. An attacker can use an open port to send commands to a computer, potentially gain access to a server, and possibly exert control over a networking device.' Reduces attack surface
What is a system's attack surface? Why should it be minimized when possible?
Attack surface = The functions and features that a system exposes to unauthenticated users. It should be minimized to minimize the potential for latent defects and unintended consequences to cause losses (433).
List and describe the three control strategies proposed for IDPS. (416)
Centralized Control Strategy: All control functions are implemented and managed in a central location. > Fully Distributed Control Strategy: All control functions are applied at the physical location of each IDPS component. > Partially Distributed Control Strategy: Combines the best aspects of centralized and fully distributed strategies. The individual agents analyze and respond to local threats and report to a hierarchical central facility.
What was the earliest reason for the use of cryptography?
Concealing military and political secrets while they were transported from place to place Julius Caesar (50 B.C)
What is a cryptographic key, and what is it used for? What is a more formal name for a cryptographic key?
Cryptographic key = Information used in conjunction with the algorithm to create the ciphertext from plaintext or derive the plaintext from ciphertext. Can be a series of bits used in a math algorithm of the knowledge of how to manipulate the plaintext. Formal name: Cryptovariable
What are cryptography and cryptanalysis?
Cryptography = The process of making and using codes to secure information Cryptanalysis = The process of obtaining the plaintext message from a ciphertext message without knowing the keys used to perform the encryption
What is a honeypot? How is it different from a honeynet?
Honeypot = app that entices people who are illegally perusing the internal areas of a network by providing simulated rich content while the SW notifies the admin of intrusion Honeynet = NETWORK of multiple honeypot systems.
How does a padded cell system differ from a honeypot?
Honeypot = app that entices people who are illegally perusing the internal areas of a network by providing simulated rich content while the SW notifies the admin of intrusion Padded cell system: A PROTECTED honeypot not easily compromised
Why would ISPs ban outbound port scanning by their customers? [should be expounded]
ISPs might ban outbound port scanning, because it may put a significant load on the system in some situations. Additionally, outbound scanning might trigger harmful response from a malicious party in the untrusted network.
What is the fundamental difference between symmetric and asymmetric encryption?
In symmetric encryption, the key that is used to encrypt/decrypt is the same and anyone that is in possession of the key can decrypt an encrypted transmission. In asymmetric encryption, there is an "A" key and a "B" key. Either key can be used to encrypt, but only the opposite key can be used to decrypt the message. 7. What is the fundamental difference between symmetric and asymmetric encryption?
How does public-key Infrastructure add value to an organization seeking to use cryptography to protect information assets?
PKI makes the use of cryptographic systems more convenient and cost-effective. Enable the protection of information assets by making verifiable digital certificates readily available to business applications Greatest value when one key serves as a private key and the other serves as a public key
What kind of data and information can be found using a packet sniffer?
Network traffic
What does it mean to be "out of band"? Why is it important to exchange keys out of band in symmetric encryption?
Out of band: Using a channel or band other than the one carrying ciphertext > Importance: The primary challenge of symmetric key encryption is getting the key to the receiver, and it mus be done OUT OF BAND. Key exchange must either be done OUT OF BAND or using a secured method so that the key is not intercepted and used to read the secret message.
What critical issue in symmetric and asymmetric encryption is resolved by using a hybrid method like Diffie-Hellman?
The Diffie-Hellman exchange uses session keys, which protects data from exposure to third parties, which is sometimes a problem when keys are exchanged out of band.
What capabilities should a wireless security toolkit include?
The ability to sniff wireless traffic, scan wireless hosts, and assess the level of privacy/confidentiality afforded on the wireless network.