IST 233 Exam 1
2.1.4 What is a proprietary technology standard? Provide a few examples. Why do vendors have mixed emotions about standards?
These are de-facto standards driven by market adoption (e.g., Windows)—defacto since its so widespread but still controlled by windows. Vendors would rather lock you into their proprietary solutions. Industry consortia sometimes develop quasi-public standards.
1.2.3 Explain why we sometimes refer to the Netflix/Amazon partnership as an example of coopetition?
Since Netflix partners with AWS to deliver its content through their data servers (benefitting both financially), yet Amazon Prime competes with Netflix.
3.2.3 What is a malware propagation vector? Provide several examples.
Propagation vectors describe how malware is distributed to and planted on computers. • E-mail attachments • Visits to infected web sites • Peer-to-peer file sharing • Insecure mobile apps • USB solid state drives • Self-propagating worms
2.2.4 Explain the purpose and operation of the TCP 3-way handshake.
Purpose: start up a session so reliability can be ensured (not used in unreliable protocol like UDP). Communication takes place in both direction—Host B wants to ensure that Host A received packets without error, so Host A will respond and confirm that it received the correct message, and then Host B will send the entire message
2.2.2 What are the two key elements found in nearly every network packet? What is the third element found in some packets? What is a packet field? How many bits are there in a field? What's the difference between a frame and a segment?
• Header (address info, error correction and detection) & Data Field (actual message) • Trailer in some packets (normally layer 2) • The packet field is where the actual message is stored—data field • A frame exists at layer 2 (Ethernet) while a segment is at layer 4 (TCP) •In a destination/address packet, there are 32 bits
2.4.2 Count in binary from 0 decimal to 9 decimal. How many unique decimal numbers can be expressed using 8 bits? What about 9 bits? Explain how the different values of a 2-bit binary number could be used to represent the basic compass directions (north, south, east and west) on a computer.
0, 1, 10, 11, 100, 101, 110, 111, 1000, 1001 7 bits: 128 possible ASCII codes 8 bits: 256 possible ASCII codes Can make 4 different numbers and assign them to directions: North-01, South-10, East-11, West-00
1.1.2 What role did the following individuals play in the development of the Internet? Bob Taylor, Larry Roberts, Len Klienrock.
1. Bob Taylor: director of ARPA"s Information Processing Techniques, planned to build computer network to connect the ARPA-sponsored projects 2. Larry Roberts: designed and managed the first packet network (ARPANET) 3. Len Klienrock: pioneered the mathematical theory of packet networks
3.6.4 What are the two methods used by Intrusion Prevention Systems to identify possible attacks. What is the difference between a false positive and a false negative. Which one is more serious?
1. Detect packet signatures 2. Detect variations from baseline traffic Two key problems with IPS • False positive: IPS signals an attack which doesn't really exist. • False negative: IPS fails to identify an attack that is actually taking place (more serious)
3.3.3 What are the two major classes of hacker motivation? Explain why social engineering is thought to be one of the greatest information security threats. Explain the difference between phishing and spear-phishing.
1. Financial motivation: credit cards, bank accounts, etc. 2. Non-financial motivation: revenge, political goals, etc. Social Engineering: targets human psychological gullibility. E.g. tricking someone into plugging a USB stick into their computer/clicking a link Phishing usually uses authentic-looking mass e-mail's to entice users to enter authentication credentials. Spear phishing customizes attack to specific target audiences using personalized information
2.1.3 What are the two major open network standards organizations? Are these standards truly open or are they disproportionately influenced by major vendors?
1. IEEE (Institute of Electrical and Electronic Engineers) (L1 and L2) 2. IETF (Internet Engineering Task Force) (L3 and L4) Allows for broad participation, not controlled by a single vendor. However, vendors tend to dominate these organizations because they have the financial resources to support participation.
2.1.2 Name the 5 layers of the hybrid network model and provide an example of a technology or protocol at each layer. In what way is the 5-layer network architecture similar to home architecture?
1. Physical (UDP Cable)—UDP datagrams 2. Data Link (Ethernet)—frames 3. Internet (IP)—packets 4. Transport (TCP)—segments 5. Application (HTTP) Home architecture has specialist to build home and each network layer has special expertise.
1.6.4. Describe the major features found in a home wireless access router?
1. Router—forwards data packets along networks, determine the best path for forwarding the packets, and they use protocols to communicate with each other and configure the best route between any two hosts. 2. Ethernet switch—device that filters and forwards packets between LAN segments. Switches operate at the data link layer (layer 2) and sometimes the network layer (layer 3) and therefore support any packet protocol. 3. DHCP server
1.2.4 In your own words, briefly describe the five network system attributes and provide an example for each one.
1. Scalability—technology can scale to growth of organization (most important) 2. Interoperability—operating seamlessly on a range of devices and networks 3. Securability—meeting security needs of partners & customers 4. Manageability—automating technology management functions to reduce costs 5. Availability—system can make itself available
2.4.3 Without using a calculator, convert 137 to binary. Convert 10101111 to decimal.
10001001; 175
1.3.4 You are living in an apartment with 3 room-mates and you'd like to have enough capacity to support 4 simultaneous FHD video streams. How much bandwidth do you need? What if one of your video-addicted roommates buys a 4K TV?
20 Mbps, 35 Mbps
4.3.2 Explain the 3-tier enterprise network architecture. Provide examples of network technologies used at SU for access, distribution, and core tier services.
3-Tier Enterprise Network Architecture 1. Access tier (aka Edge tier): Ethernet switches and Wi-Fi AP's provide network access for users. How users connect computers to internet. Wifi and Ethernet 2. Distribution tier: Interconnects all Ethernet access switches within a building and links a building to the backbone tier. Ethernet switches 3. Backbone tier: Centralized, high-performance interconnection of building or departmental networks and core data center servers. Connects to internet. Ethernet and routers We call this a hierarchical hybrid topology. This design incorporates mesh, star, and bus architecture, sometimes point-to-point as well. Most host traffic flows from the edge to the core and back.
1.3.1 What is meant by the concept of a networked application architecture? How does the terminal-to-host architecture differ from the client/server architecture?
A networked application architecture has a request/respond relationship on a shared network thus each host requires a unique address. Terminal-to-host architecture: legacy—application processing is centralized on mainframe. Terminals display simple content requiring minimal network bandwidth. Client/server architecture: Widely used today (request/response). Application processing is split between clients and servers—provides for richer applications but requires faster networks. "The Network is the Computer" meaning applications can't run without fast networks
3.5.4 What are the three core functions of a AAA system? How does SU use this technology on the AirOrangeX network?
AAA Servers provide authentication, authorization, and auditing services 1. Authentication verifies digital identity. • Simple ID/Password is most common • Advanced methods include token systems, biometrics, and MFA 2. Authorization determines access privileges after authentication. • Which files do you have access to on a server? • What subnets on a network can you gain access to? 3. Auditing maintains logs and records of system/network usage. AirOrangeX uses a RADIUS AAA server linked to Microsoft ADS—needs to be robust otherwise slow network performance
3.1.2 What is BYOD and why does it introduce new vulnerabilities for enterprise IT? What new mobile e-mail policies were implemented by to protect against vulnerabilities? How did users react to these changes?
BYOD (bring your own device) heightens risk of data leakage and exposes vulnerabilities if users download unsecure applications that can spread throughout the network. New email policies implemented include: • Use of 4-digit PIN at device power-up • Data will be wiped after 20 consecutive unsuccessful PIN attempts Many faculty and staff objected to the inconvenience
4.5.3 Explain the function of Simple Network Management Systems? Why is it called "simple?" What do we mean when we say SNMP is extensible?
Centralized network management systems often use the Simple Network Management Protocol (SNMP). • SNMP is open and extensible, it can be used to manage a variety of devices. • SNMP helps facilitate fault, configuration, performance, and security management as well as accounting. • Managed devices run SNMP agents that monitor performance parameters and share data with the management station. • The management station polls devices and displays device alerts and alarms SNMP is simple, it has a limited set of commands • Management station can send Get commands to retrieve information from a managed device, which transmit SNMP responses. • Management station can send Set commands to configure managed devices. • Agents can send traps (alerts and alarms) if a pre-defined threshold has been exceeded (e.g., packet error rate exceeded 5% during the last 60 seconds).
3.1.5 Describe the STUXNet attack on Iran's nuclear weapons program. What is a zero-day attack and why are they the most serious security threats? What are the implications of this attack as relates to global political conflict?
Computer worm released in 2010. Targeted control systems for Iranian nuclear centrifuges, causing them to fail. Worm was developed by US and Israeli intelligence agencies, propagated through Windows and USB memory sticks. Employed social engineering and multiple zero-day exploits. Zero-day exploits are security vulnerabilities for which patches have not been released, as in nobody knows about them other than the creators and directors. Social engineering required because systems were not connected to Internet, needed to exploit a gullible human. Demonstrated the cyber capabilities of western intelligence agencies. Raised awareness that similar attacks could be used against critical US infrastructure
3.2.4 What is a Distributed Denial of Service (DDoS)? Why are these attacks often challenging to contain? What's the difference between a bot, a botnet, and a botmaster.
DDoS: make a computer or entire network unavailable to legitimate users, often by flooding the victim computer with attack packets and potentially overloading the host to the extent that it fails Bots: are malicious programs secretly planted on network hosts, usually deployed in order to mount DDoS Hosts can be user computers or IoT-type devices, like video surveillance cameras, which often have vulnerabilities that haven't been patched. Botmaster: controls the Bot army, instructing hundreds or thousands of Bots to mount attacks. Botnets: not about stealing information, but more for rendering systems to be unavailable by bombarding them with so much network Defense is similar to the whack-a-mole arcade game, you whack one mole and another one pops up.
1.6.3 Explain the function of DHCP and DNS servers and describe how they provide an example of the request-reply architecture.
DHCP (Dynamic Host Configuration Protocol) servers dynamically assign network addresses and other host configuration parameters using the request-response application architecture. Automatically assigns an IP address. DNS (domain name service) servers assign hierarchical names to hosts. DNS servers also resolve names into their associated IP addresses, another example of the request-reply architecture. DNS handles name resolution [translates symbolic names (www.espn.com) into numeric address]
1.3.3 What is the difference between a network's data rate and its throughput? What is overhead and why is it so important?
Data Rate = rated speeds defined by standards Throughput = speed application data can reliably move across network—always lower than data rate (includes overhead) data rate - overhead = throughput Overhead = factors that reduce network efficiency—many types: packet, protocol, interference, etc.
2.3.2 What is a port address and why do we need port addresses to support networked applications on multitasking computers?
Destination IP address will get a packet to your computer. Software port addresses are the addresses of specific applications running on a multitasking computer. Computers usually have one IP address but many port addresses. A destination port address will get your packet to a specific application.
2.4.4 What is digital content encoding? Explain how ASCII encoding is used to transmit letters and numbers on a digital network. Explain how encoding works for very large multimedia content. Where does a codec come into play?
Digital content encoding is the process of translating content into 1's and 0's to transit a message on a network. Early computer applications were mostly text and used ASCII encoding. Today's multimedia requires more complex encoding ASCII Encoding: uses 7 or 8 bits to represent numerals, letters, punctuation, and control characters. With 7 bits, there are 128 possible ASCII codes. With 8-bit ASCII, there are 256 possible codes, allowing for international characters and special symbols Codec: Software that encodes, compresses and decodes multimedia content
1.5.3 Why do we employ layered communications on the Internet?
Each layer reflects a specific and different function that has to be performed in order for program-to-program communication to take place between computers. Each layer has its own purpose.
3.2.2 What is a vulnerability? What do we mean when we say that hackers are increasingly targeting up-the-stack vulnerabilities? What is a human vulnerability?
Early malware targeted networks and systems, which have been hardened over time. Today, most attacks are "up the stack," targeting application vulnerabilities. Human vulnerabilities include security exposures that are the result of poor business processes or user gullibility.
3.3.4 How can organizations defend against human vulnerabilities amongst non-IT and IT staff. Explain the ethical dimension of internal IT security.
Employee security policies • Define acceptable use of enterprise IT resources • Explain responsible use of employee-owned mobile devices and remote access to enterprise resources • Define consequences associated with policy violations • Employees must be educated and policies must be enforced IT staff security policies • Support from the top: mission criticality and $$ • Security culture, educating IT staff about evolving security threats • Implement best practices for network, system, and application development and management • Address the ethical elements of employee/customer privacy
2.5.2 Explain vertical stack communication as relates to a web client host on a Wi-Fi network trying to send a request to open a web page to a server. How does encapsulation and decapsulation fit into this process?
Encapsulation: placing the contents of one layer into the data field of a lower layer packet. 1. Encapsulation of HTTP message in data field of TCP segment 2. Encapsulation of TCP segment in data field of IP packet 3. Encapsulation of IP packet in data field of Ethernet frame 4. Conversion of bits into outgoing signals (physical layer) The opposite process happens on the destination host, we call that decapsulation
3.4.2 At which network layers is encryption used? What are the advantages and disadvantages of implementing encryption and multiple layers simultaneously?
Encryption can be used at all network layers except the physical layer. As long as encryption is strong, there is no added value in multi-layer encryption. Since encryption is computationally complex, it adds overhead and may negatively impact performance and system scalability.
3.4.1 Explain what is meant when we say encryption uses mathematical methods to convert plaintext to cyphertext. What is an encryption key and how is it delivered?
Encryption uses mathematical methods to convert plaintext to ciphertext. Plaintext isn't limited to alpha-numeric text, it can be any kind of encoded digital content that needs to be protected. Encryption can be employed at all network layers except the physical layer. Encryption methods define mathematical algorithms, they are not secret. Encryption keys -- long strings of 1's and 0's - are used with methods to convert plaintext to ciphertext. They must be kept secret.
2.2.3 Explain the function of the following packet fields:
Ethernet: Source & destination address: to and from MAC address Data field: contents almost always IP packet (more overhead with IP than Ethernet) Frame Check Sequence: provides error detection NOT correction—Packet bits are transferred into a unique signature 4 bit equation. Receiving end performs same sequence and equation for error DETECTION IP: Version number: 4 bits—0100 for v4 and 0110 for v6 Source and destination address: 32 bits/octets (know this) Data field: usually a TCP segment or UDP datagram Time to Live (TTL) field: used to control infinite packet loops TCP: Source and destination port number: allow segments to be delivered to a specific application on a host Sequence number: used to perform error correction and proper ordering of application data Data field: contains the application messages (e.g. HTTP Get command) Flag fields: used to send "instructions" between hosts. If SYN flag is set to 1 then the source host is requesting a TCP connection. SYN (1) and ACK (0) are part of negotiations between computers UDP: Source and destination port number: used to connect to specific applications like TCP. Since UDP does not perform error correction it has much less overhead than TCP
4.1.1 Explain how the FCAPS model relates to enterprise network and systems management. Fault; Configuration; Accounting/Auditing; Performance; Security.
FAULT: identify and fix problems (faults), identify root cause of system or network failures. CONFIGURATION: insure hosts/network devices are properly configured AUTOMATION: track usage, maintain logs, analyze events PERFORMANCE: monitor performance & availability, conduct capacity planning SECURITY: evaluate threats; plan, protect, respond
4.5.1 Define fault management. Why is fault management such a challenging endeavor on multi-vendor enterprise networks? What is root cause analysis?
Fault management focuses on identifying and fixing network problems. • Best-case scenario when faults occur • User calls help desk: I am having a network problem, I can't connect to any off-campus servers. • Help desk responds: We are aware of the problem and we are estimating that it will be corrected within an hour. I will assign you a trouble-ticket and follow up if that changes. • This is not an easy task System complexity and root-cause analysis • Most enterprise networks include products from multiple vendors and each one usually has its own management system. • While management systems may provide alarms that certain network services are down, they may not identify the root cause of a problem. • Fault management requires correlation and analysis of alerts and alarms.
3.6.1 What is the function of a firewall? What is the difference between a border firewall, an internal firewall, and a host firewall?
Firewalls control network traffic Ingress (into the network) and Egress (out of the network) Border firewall: installed between a private network and the public Internet Internal firewall: installed between subnets inside an enterprise network Host firewall: installed between a computer OS and its network interfaces
1.4.2 Interpret the diagrams: fragmentation and reassembly; packet switching.
Fragmentation & reassembly: the original message gets fragmented into small packets, travels through switches, and reassembles at the destination Packet switching: Packet switching uses intelligent forwarding (destination address, hop count, link speed, congestion). Advantage of multiple switches and connections? Reliability and redundancy—creates alternate path for packets. Key issue with packet switching? How does packet make decision to switch to B or C. Packet switch networks provide more reliability.
4.2.1 What are the key factors driving change in information security management.
High visibility security incidents have gained attention from CEO's. Chief Information Security Officers (CISO's) are emerging, developing and implementing new information security policies. New threats target the full network stack, from physical layer to application layer, requiring broad technical expertise.
3.6.3 What is the difference between intrusion detection and intrusion prevention? What are countermeasures and provide several examples. Where are intrusion prevention systems deployed?
IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) both increase the security level of networks, monitoring traffic and inspecting and scanning packets for suspicious data. The main difference between one system and the other is the action they take when an attack is detected in its initial phases (network scanning and port scanning). IDS • provides the network with a level of preventive security against any suspicious activity • achieves this objective through early warnings aimed at systems administrators • not designed to block attacks IPS • Monitor network traffic to detect packet attack signatures. • Monitor network traffic to detect variations from baseline traffic. • Intrusion Prevention = Intrusion Detection + Countermeasures Possible Countermeasures • Disable an incoming or outgoing port • Disconnect a user and lock their account • Mount an ethical denial of service counterattack IPS can be Host-based or Network-based, most organizations use both.
2.3.1 How many bits are there in an IPv4 address? How about IPv6? What is dotted-decimal format? Provide an example.
IPv4 = 32 bits IPv6 = 128 bits IPv4 addresses use dotted-decimal notation (e.g. 128.23.18.43)
1.6.1 What is an Internet Service Provider (ISP)? How do ISP's cooperate in order to provide global Internet services?
ISP's transit providers and network access points—commercial, consumer, mobile When you connect to your ISP, you become part of their network. The ISP may then connect to a larger network and become part of their network. The Internet is simply a network of networks. Most large communications companies have their own dedicated backbones connecting various regions.
4.5.2 Why is configuration management so critical to performance and security? What are the three major alternatives for performing configuration management.
Internetwork devices have system configurations • Network addresses, port configurations, security parameters • Many products have thousands of configurable settings Configuring Network Devices • Command line interface (CLI): manually enter commands or create scripts that quickly configure multiple parameters. • Web interface: more user friendly than CLI but tedious and time-consuming, good for a home wireless router, not so good for a campus network with 5,000 wireless access points. • Network management systems employ protocols like SNMP to automate configuration management tasks.
1.1.3 What was the motivation for Bob Kahn and Vint Cerf's TCP/IP protocol suite?
Lack of interoperability—packet switched networks were proprietary and couldn't communicate
3.2.1 Define Malware. What is the difference between a virus and a worm? Why is mobile code malware an increasingly important concern for IT.
Malware: general name for any malicious software. Exploits network, systems and human vulnerabilities. e.g. computer viruses, worms, ransomware, keystroke loggers, rootkits, etc. Viruses: destructive code concealed within applications, usually transmitted via e-mail attachments, file-sharing, USB sticks, etc. Worms: stand-alone programs planted on user computers or servers, often with the ability to secretly self-replicate, spreading the code to other systems. Mobile code: often concealed within web page applets or scripts that are designed to make apps easier to use—browsers have become computing platforms—need to protect
4.1.2 With respect to network management, what was Hewlett Packard implying in their white paper about network management tools entitled "A Fool with a Tool is Still a Fool?"
Management Tools won't magically solve your problems. Managers need to address the entire network and system life-cycle, from design and implementation to phase-out. Managers need to understand all the potential pain points across all of their networks and systems, especially interconnect points—as well as have good management tools
2.2.1 Summarize the 3 main characteristics of network standards: message syntax, message semantics, and message ordering.
Message syntax: Defines the location, size and order of packet fields. Most packets have a header and data fields, some have trailers Message semantics: Defines the meaning of digital data contained within a field. A field might contain an address or it might include digital codes that will be meaningful to a destination host. Message ordering: Defines rules for packet sequencing and turn-taking. Example: All Wi-Fi data frames must be followed by an ACK
1.6.2 What is Net Neutrality? Describe both sides of the debate. Are you in favor of or opposed to it? Why?
Net neutrality is the principle that Internet service providers treat all data on the Internet equally, and not discriminate or charge differently by user, content, website, platform, application, type of attached equipment, or method of communication—no packet has priority over another. Advocates claim it is needed to protect consumers and smaller content providers Opponents claim regulation will discourage technical and business innovation Classifies Internet Service as a utility service subject to regulations under a framework created to regulate telephone companies—outdated regulatory framework
4.4.2 Explain how the concept of network Quality of Service (QoS) relates to the key network performance metrics. What happens when network traffic levels exceed capacity if you have implemented QoS guarantees? Why is overprovisioning a popular alternative to implementing QoS guarantees?
Network QoS involves classification and prioritization of network traffic • Application packets are classified based on performance requirements • Video has minimum throughput requirements. • VoIP has fairly strict latency requirements. • QoS capabilities prioritizes packets based on their classification. • End-to-end QoS guarantees require complex configuration. • However, it may be relatively easy to prioritize traffic on certain devices like routers and firewalls. Where possible, network managers overprovision • Overprovisioning involves designing the network with more capacity than is required. We sometimes call that "throwing bandwidth at the capacity problem." • Give users a GigE connection even if they don't need it. Incremental cost is modest. • Overprovisioning may not be an effective strategy for wide area networks where more bps costs substantial more money.
4.3.1 Define network topology and differentiate between physical and logical topology. Describe the following topologies: point-to-point; bus; star; ring; mesh. How does SU's network employ multiple topologies?
Network topologies depict how network devices are interconnected—driven by the type of network/underlying network technologies (ethernet = star. Wifi=bus) Often hybrid topologies Logical topologies: defines the "ordering" of packet exchanges Physical topologies: the way devices are physically interconnected 1. Point-to-point: simplest network topology. A network consisting of two devices. Consumer example: A Wi-Fi Direct connection allowing screen mirroring from a smartphone to a smart TV. Enterprise example: A wireless bridge connecting two buildings 2. Bus: uses a shared medium. Gen1 Ethernet, shown below, used a bus topology, a single network cable that all devices shared. Today, Ethernet uses a star topology, which is more reliable. Wi-Fi is a logical bus topology, all hosts connected to an AP are sharing a radio channel. Users compete for access. 3. Star: common and reliable. Switched Ethernet uses a star topology—all hosts connect to a central switch. Some people refer to Wi-Fi as a physical star, logical bus. 4. Ring: declined in popularity. All hosts cooperate and take turns using the network - they pass an access token to the next host. IBM Token Ring was a popular alternative to Ethernet LANs but it is now a legacy LAN technology, same for FDDI a popular early LAN backbone technology. WAN Carrier SONET rings use a counter-rotating ring topology 5. Mesh: used on the Internet and many enterprise networks to provide redundant connections that facilitate high availability. Each host connects to at least two other hosts. Mesh topology provides redundancy (high availability) but it is also expensive to implement. The Internet uses a mesh topology, as does the SU network backbone. Most reliable, most expensive.
3.6.2 What is the difference between packet filtering, stateful inspection, and deep packet inspection firewalls? Which one has the highest overhead? Which one is easiest to implement and manage?
Packet filtering firewalls: uses access control lists (ACL's) to restrict ingress and egress Example: disallow incoming connections from 128.230.0.0—EASIEST Stateful Inspection firewalls: monitor TCP connection openings and closings. Reject any packets that are not part of an existing connection. Deep packet inspection (next generation) firewalls: Scan the contents of every packet, searching for application or malware signatures. Allows for restrictions based on application type—HIGHEST OVERHEAD NAT Firewall: Hosts using NAT cannot be directly attacked from the Internet—simple for home networks
1.1.1 Prior to the ARPANET network, circuit switching was dominant, deployed to support telephones. How did packet switching change networking?
Packet switching is fundamentally different than the circuit-switched technology that was used for phone networks. Packet switching divides the input flow of information into small segments, or packets, of data which move through the network in a manner similar to the handling of mail but at immensely higher speeds. This method offers substantial economic and performance advantages over conventional systems—resulting in rapid worldwide acceptance of packet switching for low-speed interactive data communications networks
1.5.1 Why does every computer on the Internet require a unique address?
Packets are addressed to destination hosts on shared networks.
1.4.3 What do we mean when we refer to the Syracuse University internetwork? What do we mean when we say that the SU Internet routers multiplex traffic from users across campus?
Packets of different conversations are multiplexed, reducing the cost per conversation—multiplexing combines traffic from multiple users on shared network. core tier, distribution tier, edge tier. We need this at Syracuse because lots of users
2.5.3 Explain why two networked hosts using the TCP 3-way handshake to set up a reliable connection are engaging in horizontal, peer-process communication?
Peer-process communication that occurs between two software devices on a computer passes information through a wire horizontally. Request-reply architecture between alike layers e.g. app to app layer. Indirect communication since it needs to travel down the stack, over, then up the stack—it relies on lower layer services. Handshake all about error correction & reliability. Negotiating port numbers (destination) and sequence numbers (keeps track of errors) during handshake. Application to application, transport to transport, network to network
3.1.4 What is Penetration Testing? What was the goal of spear-phishing attack mounted on SU's behalf? Was it successful? Why?
Penetration Testing: asses internal ITS security practices—security enforcement starts at the top (white hat hackers) Assume the identity of someone outside their organization who was relatively well-known and trusted. Spoof an e-mail from that person asking the recipient to click on a web link and enter their NetID and password. Spoofed email from Molta and was successful in getting people to click on the link
3.1.3 How did Russian hackers penetrate John Podesta's e-mail account? What were the consequences of this attack?
Podesta—chairman of Clinton's campaign—victim of spear-phishing attack on his GMAIL account Podesta received a spoofed e-mail indicating his gmail account had been hacked, instructed him to click on a link to reset his password. His administrative assistant forwarded it to their IT support, they suggested that he should change his password and they provided a link. Podesta clicked the link in the spoofed e-mail, not the link provided by IT Many years of his e-mail were posted on WikiLeaks
3.3.1 Describe the two different meanings of the term hacker and provide examples. What is vulnerability assessment and how does it relate to ethical hacking? What is the most serious type of information security vulnerability?
Positive: rapid code development designed to solve a problem e.g. hackathons/penetration testing Negative: the intentional use of a computer resource without authorization or in excess of authorization. E.g. botnet/malware Hacking your own systems to identify vulnerabilities = white hat hackers--Many security firms specialize in vulnerability assessment. Black hat hackers hack other systems, typically to cause harm Zero-day attack = unknown vulnerability that has not yet been detected by vendor, only known by those organizing and directing the attack. MOST SERIOUS TYPE
4.2.2 Explain the following security planning principles: risk analysis; comprehensive security; defense in depth; weakest link analysis; single point of failure; least permissions in access control.
Risk Analysis: Evaluation of potential risks an organizational is vulnerable to. Protecting against all possible threats is incredibly expensive. Organizations must assess the costs and benefits of security protections. Comprehensive Security: Implement full-stack security analysis and protection. An attacker only needs one unprotected vulnerability to succeed. Defense in Depth: Security is like an onion. Force hackers to peel back multiple layers of the security onion. Identify Weakest Links and Single Points of Takeover: A single weak link can compromise protection, technical or human. Identify single points of takeover, like a firewall policy server. Assign Least Permissions: Implement strict policies for access control, authorization, and permissions. Grant exceptions through a systematic and well-documented process. These occur in the "Plan" part of plan-protect-respond
4.2.3 Explain the role that policy plays in security management. Provide several examples related to SU information security, including SU's Information Technology Acceptable Use Policy.
Security policies drive security processes. An Acceptable Use Policy defines organizational standards for use of information technology. Security experts implement policies and audit compliance. Policies are usually defined and enforced centrally. Policy-makers assess risk and consider the legal and regulatory environments. Policy-makers gather information and cultivate support from stakeholders. Should the CISO report to the CIO or to the CEO?
1.5.2 Why does your computer have multiple addresses?
So traffic can be directed to separate browsers. The MAC (EUI-48) address is static, it is burned into your computer's network interface card (NIC). IP address is dynamic, assigned to your computer based on your physical location.
4.4.1 Why is network speed so challenging to measure? Explain the difference between individual throughput and aggregate throughput in the context of a wireless router installed in a home with a large family of users. What is the difference between reliability and availability? What are the key factors influencing network latency?
Speed measurement is complex • Where to measure: Edge or core of network. • What to measure: Individual and aggregate performance. • When to measure: Peak usage periods. • How to measure: Quick and dirty versus systematic. Individual throughput: only an individual's share of that aggregate throughput. Aggregate throughput: total amount of speed available to users Availability means a system is running and performing to specifications. Four-9's (99.99%) and Five-9's (99.999%) reliability are often goals. Availability is more complex than reliability. High-availability (HA) means you have adequate capacity, redundancy, and fail-over. Even if a server responds to pings, that doesn't mean application services are running. Even if applications are running, that doesn't mean they are performing at acceptable performance levels.
2.1.1 Explain how network standards facilitate product interoperability, stimulate competition, and stimulate lower prices. What is an ASIC and how does it fit into standards? Why is seamless interoperability an impossible challenge?
Standards enable interoperability between products from different vendors since all products abide by same standards. Standards stimulate industry competition and innovation because standards stimulate chip makers to develop application specific integrated circuits (ASICs). Without these standards, technological advancements could be incompatible and therefore prevent growth and development. Competition and ASICs lead to lower prices as a way to make a product more attractive to customers and because not as many new parts must be changed/developed. Seamless interoperability is impossible because things change—robustness principle will have us be very specific in what we send and accept
3.5.1 What is the function of a client host's security supplicant? What is the function of a server's authenticator? Explain how challenge-response systems allow for secure authentication without the need to transmit passwords over the network.
Supplicant: software transmits credentials (e.g., user ID and password, fingerprint, etc.) to authenticator Authenticator: authentication server Challenge-Response Authentication • This is used to avoid sending clear-text passwords. • Server sends supplicant a "phrase" encrypted using the user's hashed password as a key. • Client uses its hashed password to unencrypt the phrase and send it back to the server. • If the decrypted phrase matches the original phrase, the server knows that the passwords match. • Hacker can see hashes (not passwords)
3.4.3 Differentiate between symmetric and asymmetric encryption. Why would anyone choose to use asymmetric encryption if symmetric encryption is simpler, faster, and lower overhead? How are they sometimes used together?
Symmetric (shared-key) encryption • Each host uses the same secret key to encrypt and decrypt data. • Fastest form of encryption, low overhead • Secure key distribution is a challenge • Works well in small environments—home networks—more efficient Asymmetric (public-key) encryption • Two keys are used: public key and private key • The public key is freely distributed, it is not secret. • Data encrypted using a web site's public key can only be decrypted using the associated private key, which is only known to the web site. • Web sites secure public keys from a trusted certificate authority. Because I trust the certificate authority, I trust the key. Asymmetric encryption is often used to securely distribute symmetric shared keys.
1.5.4 What is the difference between an end-to-end protocol like TCP and a hop-to-hop protocol like IP?
TCP (and HTTP) needs to send packet to the destination. IP deals with getting packet to next router/hop and not the destination.
3.1.1 In what way were the Equifax and Home Depot incidents similar? How did they differ?
The Equifax attack targeted networked applications, which is today's most fertile ground for hacking. More specifically, it targeted the open-source Apache Struts web application framework. Once Struts was compromised, the attackers were able to compromise systems installed inside the Equifax network and elevate their security privileges in order to perform database queries against legacy servers. Because they were inside the Equifax network, perimeter security protections had no impact. Also, legacy systems often have less security than newer systems. Since this was an advanced persistent attack, the hackers used various techniques to avoid detection, including the use of at least 35 different IP addresses. The attack was detected by FireEye—a managed security services provider. The Home Depot attack targeted check-out registers (Point of Sale terminals). Host intrusion prevention features disabled due to excessive false positives. Failure to install encryption software for credit card data. AV Software was out-of-date. Lack of management commitment. Former employees claimed management accepted "C-level security," concerned about: (1) Expense to organization and (2) Inconvenience to employees and customers. Both compromised millions of sensitive data for consumers
2.3.3 What is a socket? Explain how a socket is similar to the following apartment address: 123 Main Street, Apartment 7.
The combination of IP address and port number is called a socket. An IP address to deliver packets to your computer. A port address to deliver the data to the correct browser tab. Similar to an apartment address, a socket defines the computer and the specific browser. E.g. 10.23.3.87:23
2.5.1 What is a network protocol stack? Where might you find one? Which protocol layers of the stack are implemented in hardware and which layers are implemented in software?
The network stack is the software and hardware needed to implement layered network protocols on a host. Layers 1 and 2 are usually hardware • L2 Wi-Fi network interface card (NIC)—composes most hardware • L1 Radio antenna Layers 3 and 4 are usually software • When your computer boots, it starts software processes that implement IP, TCP, and UDP—run as background processes on every internet host Layer 5 implemented in application software
1.3.2 Explain the key dimensions of network speed using the perfect shower as an analogy. Why is it important to use metric abbreviations when representing network speed?
Throughput: how fast can networked systems move data (upstream/downstream) e.g. high water pressure and downstream water drains quickly (bps) Latency: delay/lag of individual packets caused by network processing, buffering, congestion, and physics (distance & speed of light) e.g. minimal delay waiting for hot water (ms) Jitter: is latency consistent or variable? E.g shower maintains constant temperature
3.3.2 Identify three examples of traditional hackers. Identify several examples of emerging hackers. Which type of hacker do you think represents the greatest threat to organizations?
Traditional Hackers: Script Kiddies are hackers that use freely available hacking tools without fully understanding their operation. Technology warriors seeking to advance their technical knowledge and elevate their status within hacking communities. Disgruntled ex-employees looking to get even. Emerging Hacker Threats: Insider and partner threats (MOST DANGEROUS) Organized criminal attackers Cyberterrorists Whistleblowers Government sponsored cyber-espionage and cyber-warfare
4.3.3 Explain the key factors associated with network traffic analysis. How do physical environment constraints impact network design?
Traffic Analysis: define application performance requirements. • Assess user density, the number of simultaneous users accessing the network in different physical locations. • Analyze temporal traffic patterns, peaks and valleys at different times of the day/week. Physical Environmental Constraints • On complex networks, you will be constrained by the physics of distance and your ability to install cabling. • Wi-Fi network design is heavily dependent on the age and architecture of facilities • Open cubicle environments are easy to cover but walled offices will require more AP's for adequate coverage. • Sports arenas are notoriously difficult for Wi-Fi installation, too much interference.
1.2.2 What key internal technologies allowed Netflix to transition their business model from DVD rental to streaming media? How did their use of AWS factor in?
UI with AI capabilities, transcoding of media across different display devices, and their content distribution network (CDN) to enhance performance. Since Netflix lacked data and server center infrastructure they outsourced to Amazon.
1.4.1 How does the public highway system and computerized mapping applications provide analogies of how packet-switched networks operate?
Unlike the legacy telephone network, packet switched networks use best effort data delivery—unpredictable but highly efficient/economical for computer communication. Packets to/from multiple hosts are multiplexed using network protocols like TCP/IP and Wifi. A shared highway with rules (protocols): observe speed limit, drive in right lane, etc. Circuit switched networks (legacy telephones) used dedicated circuits to provide guaranteed capacity. Inefficient use of bandwidth—like reserving a highway lane for exclusive use
2.2.5 What is the fundamental difference between a reliable and an unreliable network protocol? Why is TCP is referred to as a high-overhead, connection-oriented, reliable transport protocol? Why would anyone choose to use an unreliable protocol? Is Ethernet reliable or unreliable? What about Wi-Fi?
Unreliable Network Protocol: Best-effort protocols may perform error detection but not error correction. Unreliable protocols are usually quite "reliable," just no guarantee. Normally do error DETECTION (not correction) e.g. Ethernet—unlikely to encounter errors if wired correctly, VoIP/other real time applications (use UDP) Reliable Network Protocol: Detect AND correct packet transmission errors. TCP is used by many applications that require reliability. However, most network protocols are unreliable. There's no need for IP to be reliable because TCP handles reliability. E.g. wifi—lots of interference over air heads—worth incurring more overhead with error correction Error correction = more overhead
3.5.3 Why is it a very bad idea to use a single password for all Internet sites? How does an automated password management system compare to a manual password management system?
Using a single ID and password on all website makes all of your data vulnerable if any of those systems are hacked. Maintaining unique passwords for all systems and writing them down is inconvenient and also insecure. Automated password management systems like Dashlane and Keeper allow you to securely store and retrieve unique passwords on multiple systems. Manual password management systems limit vulnerability.
3.4.4 Explain how virtual private networks use encryption? What's the difference between a remote-access VPN and a VPN-WAN? Which one does SU use?
VPN's encrypt Internet communications creating secure tunnels 1. Remote-access VPN's can be used by individuals to gain secure access to enterprise systems or to protect privacy and confidentiality over the Internet (e.g., SURA, SU Remote Access VPN). 2. VPN WANs allow organizations to use the Internet as a secure backbone linking multiple geographic locations (e.g., SU Lubin House).
3.5.2 What's the difference between a weak password and a strong password? What's the difference between a dictionary and a brute-force password attack? What other protections can be put in place to improve password-based authentication?
Weak passwords are often based on common words and are vulnerable to dictionary attacks, which are simple carry out. Strong passwords are long and use a mix upper and lower case letters, numbers, and other keyboard characters ($, #, etc.), making them less vulnerable to brute force attacks. Short passwords are vulnerable to brute force attacks, trying every combination of letters, numbers and keyboard characters. A dictionary attack means that you probe only passwords/keys from a dictionary (which does not contain the complete keyspace). A brute force attack is primarily used against the encryption algorithm itself Other password administration protections: • Scheduled password changes and no password reuse • Account lockout after unsuccessful authentication attempts • Multi-factor authentication (MFA): know something and have something (e.g. access code and finger-print)
2.3.4 What is a server well-known port number? What are the well-known port numbers for HTTP and HTTPS? What would be the consequences if you set up a web server and you changed the default well-known port number?
Well known port numbers are popular server applications defined by standards for browsers. Changing well known port numbers will direct you to a different site (e.g. test environment) HTTP = 80 HTTPS = 443
2.3.5 What is a client host ephemeral (temporary) port number? Would there be a conflict if two clients attached to the same server coincidentally chose the same ephemeral port number?
When your client wants to connect to a web server, it specifies 80 or 443 as the destination port number. The client host also selects a unique ephemeral port number in the range of 1024 to 65535. The combination of source port number and source IP address define a globally unique identifier for the network application on your computer. No, because the clients will have different IP addresses, so different socket addresses.
2.4.1 In your own words, describe the decimal numbering system? What does it mean to say you were socialized in decimal?
You can immediately process the value of numbers in decimal.
1.2.1 Provide an example of each of the 3 alternative cloud services: SaaS; IaaS; and PaaS. Which approach has the greatest potential for reducing IT staff costs?
•Software as a Service (SaaS): Gmail, Office365, Salesforce.com—greatest potential for reducing IT staff costs •Infrastructure as a Service (IaaS): Google Drive, AWS •Platform as a Service (PaaS): MS Azure, IBM Cloud PaaS
4.1.3 Differentiate between strategic, tactical, and operational network management.
•Strategic: 3-5 years; network design, supported standards, strategic vendors, business-IT alignment, staffing •Tactical: fiscal year; product acquisition, testing, deployment •Management: day-to-day; network monitoring, problem resolution/help desk, incident response