ITNW Ch 9 Security

Distributed Reflective Denial of Service (DRDoS)

A DRDoS attack (or distributed reflective DoS attack) is a DDoS attack bounced off of uninfected computers, called reflectors, before being directed at the target. This is achieved by spoofing the source IP address in the attack to make it look like all the requests for response are being sent by the target, then all the reflectors send their responses to the target, thereby flooding the target with traffic

Asset tracking tags

A barcode or wireless-enabled transmitter used to track the movement or condition of equipment, inventory, or people.

security policy

A document or plan that identifies an organization's security goals, risks, levels of authority, designated security coordinator and team members, responsibilities for each team member, and responsibilities for each employee. In addition, it specifies how to address security breaches.

Privileged User Agreement (PUA)

A document that addresses the specific concerns related to privileged access given to administrators and certain support staff. in many cases, activity in privileged accounts will be specially monitored through a PAM (privileged account management) tool, such as BeyondTrust's PowerBroker (beyondtrust.com) or CyberArk's Privileged Account Security Solution (cyberark.com).

Secure Hash Algorithm (SHA)

A hash algorithm originally designed by the NSA to eliminate the inherent weaknesses of the older MD5 hash. The most recent iteration is SHA-3, developed by private designers for a public competition in 2012. SHA-2—Also designed by the NSA, SHA-2 supports a variety of hash sizes, the most popular of which are SHA-256 (with a 256-bit hash) and SHA-512 (with a 512-bit hash). Note that the 2 in SHA-2 refers to the version number, whereas the larger numbers in SHA-256 and SHA-512 refer to the length of the hash functions. SHA-3—The most recent iteration of SHA, SHA-3 was developed by private designers for a public competition in 2012. SHA-3 is very different in design from SHA-2, even though it uses the same 256- and 512-bit hash lengths.

DHCP snooping

A security feature on switches whereby DHCP messages on the network are checked and filtered. The attacker could give her IP address as the DNS server and then spoof websites. DHCP messages should be monitored by a security feature on switches called DHCP snooping, in which any switch ports connected to clients are not allowed to transmit DHCP messages that should only come from a trusted DHCP server

CCTV (closed-circuit TV)

A video surveillance system that monitors activity in secured areas.

security audit

An assessment of an organization's security vulnerabilities performed by an accredited network security firm.

posture assessment

An assessment of an organization's security vulnerabilities.

Amplified Distributed Reflective Denial of Service

An attack instigated using small, simple requests that trigger very large responses from the target. DNS, NTP, ICMP, LDAP, and SNMP lend themselves to being used in these kinds of attacks.

phishing

An electronic communication that appears to come from a legitimate person or organization and requests access or authentication information. For example, a hacker might send an email asking you to submit your username and password to a website whose link is provided in the message, claiming that it's necessary to verify your account with a particular online retailer. Phishing emails are extremely effective, especially the more sophisticated ones. When well-executed, these emails can trick even a savvy IT security professional.

DNS poisoning, or DNS spoofing

By altering DNS records on a DNS server, an attacker can redirect Internet traffic from a legitimate web server to a phishing website, which is called DNS poisoning or DNS spoofing. Because of the way DNS servers share their cached entries, poisoned DNS records can spread rapidly to other DNS servers, ISPs, home and business networks, and individual computers.

insecure protocols and services

Certain TCP/IP protocols are inherently insecure. For example, IP addresses can be falsified, checksums can be thwarted, UDP requires no authentication, and TCP requires only weak authentication. FTP is notorious for its vulnerabilities. In a well-known exploit, FTP bounce, hackers take advantage of this insecure protocol. When a client running an FTP utility requests data from an FTP server, the client normally specifies its own IP address and FTP's default port number. However, it is possible for the client to specify any port on any host's IP address. By commanding the FTP server to connect to a different computer, a hacker can scan the ports on other hosts and transmit malicious code. To thwart FTP bounce attacks, most modern FTP servers will not issue data to hosts other than the client that originated the request. Other insecure protocols include HTTP (use HTTPS with SSL/TLS instead), Telnet (use along with IPsec), SLIP (use PPP instead), TFTP (use SFTP instead), SNMPv1, and SNMPv2 (use SNMPv3 instead).

Distributed Denial of Service (DDoS)

DDoS attacks are orchestrated through many sources. Most of these machines are zombies, which means the owners are unaware that their computers are being used in the coordinated attack. Malware, called a bot, is installed on each machine and gives the bot herder, or central controller, remote control of the computer. Many people believe their computers are not at high risk of security compromise because they don't keep valuable information on the computer. They don't realize their computing resources are also a target. Computers can be requisitioned as part of a botnet, also called a zombie army, in coordinated DDoS attacks without the owners' knowledge or consent, and these botnets are sometimes made available for hire on the black market. The traffic spike caused by so many attackers is much more difficult to defend against than an attack from a single source. Effective firewalls can greatly reduce the chances of a computer being drafted into illegal botnets.

A spoofed DNS record spreads to other DNS servers. What is this attack called?

DNS poisoning

Which type of DoS attack orchestrates an attack using uninfected computers?

DRDoS (Distributed Reflection DoS) attack

Which of these attacks is a form of Wi-Fi DoS attack?

Deauthentication attack

Rogue DHCP Server

Default trust relationships between one network device and another might allow a hacker to access the entire network because of a single flaw. For example, DHCP messages are allowed to flow freely through ports on switches so that clients can request and receive DHCP assignments. A rogue DHCP server running on a client device, however, could be used to implement a MitM attack by configuring the attacker's IP address as the victim computers' default gateway. Alternatively, the attacker could give her IP address as the DNS server and then spoof websites.

Nessus

Developed by Tenable Security (tenable.com), Nessus performs even more sophisticated vulnerability scans than Nmap. Among other things, Nessus can identify unencrypted, sensitive data, such as credit card numbers, saved on your network's hosts. The program can run on your network or from off-site servers continuously maintained and updated by the developer.

Honeypot softwares

Honeypot software options include KFSensor (keyfocus.net), Canary (canary.tools), and Honeyd (honeyd.org).

A former employee discovers six months after he starts work at a new company that his account credentials still give him access to his old company's servers. He demonstrates his access to several friends to brag about his cleverness and talk badly about the company. What kind of attack is this?

Insider threat

Leading up to the year 2000, many people expected computer systems the world over to fail when clocks turned the date to January 1, 2000. What type of threat was this?

Logic bomb

A company wants to have its employees sign a document that details some project-related information that should not be discussed outside the project's team members. What type of document should they use?

NDA

What kind of attack simulation detects vulnerabilities and attempts to exploit them?

Penetration testing

A company accidentally sends a newsletter with a mistyped website address. The address points to a website that has been spoofed by hackers to collect information from people who make the same typo. What kind of attack is this?

Phishing

Your organization has just approved a special budget for a network security upgrade. What procedure should you conduct to make recommendations for the upgrade priorities?

Posture assessment

device hardening

Preventive measures that can be taken to secure a device from network- or software-supported attacks.

Which of the following is considered a secure protocol?

SSH

Tamper detection

Sensors that can detect physical penetration, temperature extremes, input voltage variations, input frequency variations, or certain kinds of radiation.

ARP poisoning

Similar to DNS caches, ARP tables can be altered. ARP works in conjunction with IPv4 to discover the MAC address of a node on the local network. This information is stored in a database called the ARP table or ARP cache, which maps IP addresses to MAC addresses on the LAN. However, ARP performs no authentication, and so is highly vulnerable to attack. When attackers use faked ARP replies to alter ARP tables in the network, the attack is called ARP poisoning, or ARP spoofing. ARP vulnerabilities contribute to the feasibility of several other exploits, including DoS (denial-of-service) attacks, MitM (man-in-the-middle) attacks, which is described next, and MAC flooding. MAC flooding involves overloading a switch with ARP replies.

Mobile Device Management (MDM)

Software that automatically handles the process of configuring wireless clients for network access. Examples of MDM software include VMware's AirWatch (air-watch.com) and Cisco's Meraki Systems Manager (meraki.cisco.com). The best MDM packages include granular control over these options. For example, an administrator might configure the software to remove corporate data from all devices while leaving personal data untouched. A less intrusive option is MAM (mobile application management), which targets specific apps on a device rather than controlling the entire device.

Acceptable Use Policy (AUP)

The portion of a security policy that explains to users what they can and cannot do while accessing a network's resources, and penalties for violations. It might also describe how these measures protect the network's security.

Nmap

The scanning tool Nmap and its GUI version Zenmap are designed to scan large networks quickly and provide information about a network and its hosts. Nmap began as a simple port scanner, which is an application that searches a device for open ports indicating which insecure service might be used to craft an attack. For example, if a server's port 23 is open, Telnet can be used to remote into the target device and take control of it. Developers later expanded Nmap's capabilities to include gathering information about hosts and their software. When running Nmap, you can choose what type of information to discover, thereby customizing your scan results.

Hashing

The transformation of data through an algorithm that generally reduces the amount of space needed for the data. Hashing is mostly used to ensure data integrity—that is, to verify the data has not been altered.

Metasploit

This popular penetration testing tool combines known scanning and exploit techniques to explore potentially new attack routes.

vulnerability scanning

This technique is used to identify vulnerabilities in a network. It's often performed by a company's own staff, and does not attempt to exploit any vulnerabilities. Vulnerability scanning might also be the first step in other attack simulations or in a real attack. During attack simulations, there are two types of vulnerability scans: authenticated—In this case, the attacker is given the same access to the network as a trusted user would have, such as an employee or an intruder who has somehow hacked into a user's account. unauthenticated—In this case, the attacker begins on the perimeter of the network, looking for vulnerabilities that do not require trusted user privileges.

deauth (deauthentication) attack

When a Wi-Fi client is legitimately connected to a wireless access point, the AP or the client can send a deauthentication frame to tell the other device that the authentication session is being terminated. This can happen for any number of reasons, including inactivity, the client is leaving the area, the AP is overwhelmed with too many clients, or an unspecified reason. These frames are unencrypted and are easily spoofed. In a deauth (deauthentication) attack, the attacker sends these faked deauthentication frames to the AP, the client, or both (or as a broadcast to the whole wireless network) to trigger the deauthentication process and knock one or more clients off the wireless network. This is essentially a Wi-Fi DoS attack in that valid users are prevented from having normal access to the network.

Implementing antimalware

host-based—If you install anti-malware software on every desktop, you have addressed the most likely point of entry, but ignored the most important files that might be infected—those on the server. Host-based anti-malware also provides insufficient coverage when a significant portion of the network is virtualized. server-based—If the anti-malware software resides on the server and checks every file and transaction, you will protect important files, but slow your network performance considerably. network-based—Securing the network's gateways, where the Internet connects with the interior network, can provide a formidable layer of defense against the primary source of intrusion—the Internet. However, this does nothing to prevent users from putting the network at risk with infected files on flash drives, laptops, or smartphones. cloud-based—Many anti-malware solutions already employ cloud-based resources within their programming. And cloud-based anti-malware provides the same kinds of benefits as other cloud-based solutions, such as scalability, cost efficiency, and shared resources. These cloud vendors are still working out bugs, and it can be a challenge to ensure that coverage soaks the entire network with no blind spots. Cloud solutions also increase the amount of Internet traffic in order to perform their duties.

Denial of Service (DoS)

occurs when a legitimate user is unable to access normal network resources, such as a web server, because of an attacker's intervention. Most often, this type of attack is achieved by flooding a system with so many requests for services that it can't respond to any of them

Man-in-the-Middle Attack (MITM)

relies on intercepted transmissions and can take several forms. In all these forms, a person redirects and captures secure transmissions as they occur. For example, in the case of an evil twin attack, which is a type of MitM attack, a hacker could intercept transmissions between clients and a rogue access point. Through these captured transmissions, the attacker can learn users' passwords or even supply users with a phony website that looks valid but presents clickable options capable of harming their systems.