Chapter 19: Protecting Your Network
Agent
a process or program running within the computer that scans the computer to create an inventory of configuration information, resources, and assets. When the workstation attempts to connect to the network through a posture assessment-enabled device, it is the agent that answers the security query. Agents come in two flavors: persistent agents and non-persistent agents.
Spyware
a function of any program that sends information about your system or your actions over the Internet
Trojan Horse
a piece of malware that looks or pretends to do one thing while, at the same time, doing something evil. A Trojan horse does not replicate.
Amplification (DoS)
a tactic that focuses on sending small requests that trigger large responses reflected at your target
Posture Assessment
a way to expose or catalog all the threats and risks facing an organization. It checks things like the type and version of anti-malware, the level of QoS, and the type/version of the operating system.
Defense in Depth
acknowledgment that the network is never completely secure. You should design your security posture with the assumption that every single defense can be beaten.
Non-Persistent Agent
agent that doesn't stay in a client station's memory. It is executed prior to login and may stay resident during the login session, but is removed from client RAM when the login or session is complete.
What is a cross-platform method of responding to posture assessments?
an 802.1X supplicant in the form of either an agent or a client installed on a device
Services
an OS's important programs that run in the background
Exploit
an actual procedure for taking advantage of a vulnerability
Zero-Day Attacks (Network Threat)
an attack that leverages a previously unknown vulnerability, one that there have been zero days to fix or mitigate.
DNS Cache Poisoning
an attacker poisoning a DNS server's cache to point clients to an evil Web server instead of the correct one.
Rogue Devices (Network Threat)
an unauthorized node on a network
Virus Shields
anti-malware programs that passively monitor a computer's activity, checking for viruses only when certain events occur, such as a program executing or a file being downloaded.
Ransomware
any form of malware that makes you pay to get the malware to go away
Macro
any type of virus that exploits application macros to replicate and activate. A macro is also programming within an application that enables you to control aspects of the application.
Protocol Abuse (Network Threat)
any time you use a protocol to do things it wasn't meant to do, and that abuse ends up creating a threat
Phishing Attack (Social Engineering)
attacker poses as some sort of trusted site and solicits you to update your private/personal information, such as a credit card number
ARP Cache Poisoning (Network Threat)
attacks targeting ARP caches on hosts and MAC address tables on switches
Password Attacks (Network Threat)
bad actor uses various methods to discover a password, often comparing various potential passwords against known hashes of passwords
Logic Bomb
code written to execute when certain conditions are met, usually with malicious intent
On-Path Attack/Man-in-the-Middle Attack (Network Threat)
tapping into communication between two systems, covertly intercepting traffic, reading or changing the data, and then sending the data on. Perpetrated using ARP poisoning.
System Life Cycle Policies
cover everything from how to plan and provision new IT systems to asset disposal. Performing a factory reset/wipe configuration is sufficient for asset disposal.
DHCP Snooping
creates a database (DHCP snooping binding database) of MAC addresses for all of a network's known DHCP servers and clients
Crypto-Ransomware
crypto-malware that demands a ransom
Implicit Deny (Firewall)
denies a permission until the user or group is explicitly allowed to perform that permission
Malware (Network Threat)
describes any program or code that's designed to do something on a system or network that you don't want to have happen
Firewall
devices or software that protect an internal network from unauthorized access by acting as a filter. A firewall can filter traffic coming into and going out of a network.
VLAN Hopping (Physical/Local Access Attack)
enables an attacker to access a VLAN they'd otherwise have no access to. It works by using a system connected to the VLAN to feed the switch VLAN commands, convincing it to change your port to a trunk port.
Router Advertisement Guard (RA-Guard)
enables the switch to block router advertisements and router redirect messages that are not sent from trusted ports or don't match a policy
Availability (CIA)
ensures that systems and data are available whenever they are needed. Availability is ensured in various ways, including system redundancy, data backups, business continuity, and other means.
Traffic Flood
excessive or malformed packets used to conduct DoS attacks on networks and hosts, targeting vulnerable switches through their switch ports
What can switches use to protect themselves against traffic floods?
flood guards, which detect and block excessive traffic
Confidentiality, Integrity, and Availability (CIA)
the foundations of the IT security trade, put into practice through various security mechanisms and controls, each ensuring at least one goal of the CIA triad
Rogue Anti-Malware
free anti-malware applications that are actually malware
Worm
functions similarly to a virus, though it replicates exclusively through networks
Physical DoS Attack
going to where the servers are located and shutting them down or disconnecting their Internet connections
Brute Force (Password Attack)
guessing every permutation of some part of data; any attempt to guess the contents of some kind of data field that isn't obvious (or is hidden)
Session Hijacking (Network Threat)
intercepting a valid computer session to get authentication information
R U Dead Yet (RUDY) Attack (DoS)
mainly used on Web servers. The attacker fills out a Web form with a ton of content and opens a connection to submit it, then takes their sweet time trickling a few bytes at a time to the server, tying up a connection the server needs to serve legitimate traffic.
DHCP Starvation Attack (DoS)
spoofing packets to the DHCP server, tricking it into giving away all of its leases. A technique used to encourage clients to switch to a rogue DHCP server that the attacker controls.
TEMPEST
standards created by the U.S. NSA that define how to shield systems. They manifest in a number of different products (coverings for individual systems, wall coverings, and special window coatings).
Legacy Systems
systems that are no longer supported by the OS maker and are no longer patched. These systems should be updated if possible; if not, isolate them on a locked-down network segment with robust firewall rules that allow only the support they need.
DoS attacks are separated into what two categories?
tactics that focus on wasting resources with an overwhelming volume of requests, and tactics that waste resources in much more targeted ways
Denial of Service (Network Threat)
targeted attack on a server that provides some form of service on the Internet with the goal of making that service unable to process any incoming requests.
Botnet
A logical computer network of zombies under the control of an attacker.
How does DHCP snooping work?
When a system connected to an untrusted port starts sending DHCP server messages, the DHCP snooping-capable switch blocks that system, stopping all unauthorized DHCP traffic and sending some form of alarm to the appropriate person.
Network Threat
Any form of potential attack against your network. Common threats include, but are not limited to: Spoofing, Packet/Protocol Abuse, Zero-Day Attacks, Rogue Devices, ARP Cache Poisoning, Denial of Service, On-Path Attack, Session Hijacking, Password Attacks, Physical/Local Access, Malware, and Social Engineering
Network Admission Control (NAC)
Cisco's version of Network Access Control
What protocols send credentials in cleartext that should not be used unless needed?
FTP, Telnet, and POP3. Cleartext credentials also pop up in poor configuration of applications that would otherwise be well protected (turning on the "no security" setting).
How does ARP cache poisoning work?
If a bad actor can get inside the network, he can send false ARP frames that each computer reads, placing evil data into their ARP caches. The bad actor pretends to be a router, switch, server, etc., and can then use man-in-the-middle attacks.
Distributed Denial of Service (DDoS) Attack
Many computers collaborate to shut down a target, usually by keeping it busy or overwhelming it with incoming requests.
Zombie (Bot)
Program on an infected machine that is activated to launch attacks on other machines under the control of an operator
Unintentional DoS Attack
Reddit Hug of Death / Slashdotting
What is a classic on-path/man-in-the-middle attack?
SSID spoofing: letting people connect to the rogue WAP controlled by the attacker
How are on-path/man-in-the-middle attacks mitigated these days?
TLS and certificate pinning
What protocols are insecure and do not provide encrypted channels that should not be used?
Telnet, HTTP, VNC, and basically any protocol that sends data in the clear
RF Emanation
The transmission, intended or unintended, of radio frequencies. Transmissions may come from components that are intended to transmit RF (a Wi-Fi card) or from something less expected, such as a motherboard or keyboard. These emanations may be detected and intercepted, posing a potential threat to security.
Implementing Dynamic ARP Inspection (DAI) and DHCP snooping enhances switch port protection.
True
The solution to port scanning and banner grabbing is to not run unnecessary services (each resulting in an open port) on a host and to make sure that running processes have current security patches installed.
True
Using a firewall or ACL to block/filter ports can lead to a common network service issue such as blocked services, ports, or addresses.
True
Security and Maintenance
Windows 10 Control Panel tool that places an icon and a pop-up notification in the notification area whenever Windows detects a problem.
Integrity (CIA)
maintaining data and systems in a pristine, unaltered state when they are stored, transmitted, processed, and received, unless the alteration is intended due to normal processing. Integrity is maintained by the use of a variety of checks and other mechanisms, including hashing, data checksums, comparison with known or computed data values, and cryptographic means.
Replication (Virus)
makes copies of itself, often as code stored in boot sectors or as extra code added to the end of executable programs
Rootkit
malware that takes advantage of very low-level system functions, in operating systems, hypervisors, and even firmware, to both gain privileged access and hide from most anti-malware tools
Reddit Hug of Death / Slashdotting
massive influx of traffic on a small or lesser-known Web site when it is suddenly made popular by a reference from the media
ARP Spoofing
message that links the attacker's MAC address to a legitimate network computer, client, or server
Separation of Duties
method in which a single user can't perform a task without direct involvement/observation by another party.
What two reasons make it important to not run any unnecessary services?
most OSs use services to listen on open TCP/UDP ports (closing unnecessary services closes those TCP/UDP ports), and services can be used as a tool for the use and propagation of malware
What is a method to avoid RF emanation?
place a filter between your systems and the emanated source.
What ports are easily susceptible to DoS attacks?
ports 20 and below
Spoofing (Network Threat)
pretending to be someone or something you are not by placing false information into your packets. Some flavors of spoofing are MAC spoofing, IP spoofing, ARP spoofing, and e-mail address, web address, and username spoofing.
What is a technique a malicious user might use?
probe hosts to identify any open ports and learn details about running services, a technique known as banner grabbing
Shoulder Surfing (Social Engineering)
process of surreptitiously monitoring people when they are accessing any kind of system, trying to ascertain passwords, PIN codes, or personal information
Virus
program that has two jobs: to replicate and to activate. A virus is not a stand-alone program; it only replicates to other applications on a drive or to other drives, such as flash drives or optical media.
Scapy
program that lets you generate malformed packets and send them to anyone
Adware
program that monitors the types of frequently viewed Web sites and uses that information to generate targeted advertisements, usually pop-up windows
Vulnerability
refers to an IT-specific weakness, like a problem with hardware, software, or configuration. Take steps to minimize risk, which in effect minimizes vulnerability.
Zero Trust
security philosophy in which trust is never granted implicitly but must be continually evaluated. It means there is no "trusted" network where everyone connected is supposed to be connected, every device is malware-free, and every resource is accessible.
What are common symptoms of a malware-infected client?
sluggishness, random crashes, and an increase in network traffic
Low-and-Slow Attack (DoS)
small number of cleverly crafted packets sent to the target, keeping it busy for as long as possible
Persistent Agent
small scanning program that, once installed on the computer, stays installed and runs every time the computer boots up. Persistent agents perform a thorough inventory of each security-oriented element in the computer.
Deauthentication (Deauth) Attack (DoS)
targets 802.11 Wi-Fi networks specifically by sending out a frame that kicks a wireless client off its current WAP connection. A rogue WAP nearby often presents an automatic alternative option for connection; the rogue WAP connects the client to the Internet and then proceeds to collect data from that client. The attack targets a specific Wi-Fi frame called a deauthentication frame, normally used by a WAP to kick an unauthorized WAP off its network.
Dynamic ARP Inspection (DAI)
technology in switches that relies on the ARP information DHCP snooping collects, essentially a list of known-good IP and MAC addresses. All ARP traffic (ARP requests) goes through the DAI-capable switch.
Confidentiality (CIA)
the goal of keeping unauthorized people from accessing, seeing, reading, or interacting with systems and data. It is achieved through various means, including the use of permissions on data, encryption, and so on.
Social Engineering (Network Threat)
the process of using or manipulating people inside the networking environment to gain access to that network from the outside. The classic form is the telephone scam.
Internal Threats
threats posed by members of your organization
External Threats
threats posed by people and systems outside of your organization
Physical/Local Access (Network Threat)
threats that lurk right in your LAN. They are dangerous because they don't need to get past your network edge defenses such as firewalls or WAPs.
Patch and Firmware Management
to disable unnecessary systems, to patch and upgrade software, and to upgrade firmware
Packet Abuse/Malformed Packets (Network Threat)
unwanted information injected into packets in an attempt to break another system
Posture Assessment Query
used in NAC to verify that a node meets certain criteria before it is allowed to connect to a network.
Command and Control (C2) Protocols
used to automate server controls over botnets, thus limiting the need for people once the initial zombification happens
Malicious User
users who intentionally attempt to access, steal, or damage resources; may be either an external or an internal threat
Crypto-Malware
uses some form of encryption to lock a user out of a system, usually by encrypting the boot drive. In most cases the malware then forces the user to pay money to get the system decrypted (crypto-ransomware).
Dictionary Attack (Password Attack)
using a list of known words and partial words along with a program as the starting point for cracking passwords
Activation (Virus)
when a virus does something like erase the boot sector of a drive
Reflection (DoS)
when an attacker sends requests to normal servers with the target's IP address spoofed as the source. The normal servers respond to the spoofed address, overwhelming it with reflected traffic without identifying the true initiator. Often combined with amplification.
Attack
when someone tries to compromise your organization or its systems. The term also gets thrown around a lot to categorize different tactics, threats, and exploits.
Explicit Deny (Firewall)
when the administrator has selected the Deny option for a permission for a user or group. This Deny takes precedence over all allowed settings.