Ch.9 - Network Risk Management
fundamental questions to ask when considering security risks
"What is at risk?" and "What do I stand to lose if it is stolen, damaged, or eradicated?"
tips for making strong passwords
- Always change system default passwords after installing new software or equipment - Do not use familiar information, such as your name, nickname, birth date, anniversary, pet's name, child's name, or spouse's name - Do not use any word that might appear in a dictionary, even an "urban" or "slang" dictionary. Attackers use programs that try your user ID with every word in a dictionary to gain access to the network; this is known as a dictionary attack - Make the password longer than eight characters; every extra character multiplies the work a brute-force attack must do, so length is the single biggest factor in strength - Choose a combination of letters and numbers - Use a combination of uppercase and lowercase letters, preferably in a random pattern - Use special characters if allowed - Do not use easily recognized phrases - Current research indicates that a long, random string of words is easier to remember, more secure, and takes longer to crack than a seemingly random series of letters, numbers, and symbols that is short enough for a human to remember (random is the key word: the words must be picked by a generator, not chosen by the user) - Do not write down your password or share it with others - Do not store passwords in a web browser; a dedicated password manager is the safer place for them - Change your password at least every 60 days or more frequently; note that current NIST guidance (SP 800-63B) recommends changing passwords only when there is evidence of compromise, because forced rotation pushes users toward weak, predictable variations - Do not reuse passwords across accounts
measures to reduce social engineering and insider threat attacks
- Background checks for new hires and, where relevant, for contractors - Principle of least privilege, meaning employees and contractors are only given enough access and privileges to do their jobs, and these privileges are terminated as soon as the person no longer needs them - Checks and balances on employee behavior, such as scheduled access, mandatory vacations, and job rotations - DLP (data loss prevention): solution that identifies sensitive data on the network and prevents it from being copied, such as downloading to a flash drive, or transmitted off the network, such as emailing or posting to cloud storage
goals of a security policy
- Ensure that authorized users have appropriate access to the resources they need. - Prevent unauthorized users from gaining access to the network, systems, programs, or data. - Protect sensitive data from unauthorized access - Prevent accidental/intentional damage to hardware or software. - For each employee, obtain a signed consent to monitoring form, which is a document that ensures employees are made aware that their use of company equipment and accounts can be monitored and reviewed as needed for security purposes.
securing services and protocols
- Insecure services and protocols, such as Telnet and FTP, should be disabled in a system whenever possible. - Use secure protocols, such as SSH and SFTP, instead of insecure protocols, such as Telnet and FTP. - Disable any running services on a computer that are not needed. - Disable unneeded connection technologies, such as Bluetooth, Wi-Fi, NFC, and IR.
administrative credentials
- Most devices that can be configured through a management interface come with a default access account. Often, the username, if there is one, is something like "admin." The password might be "password," "admin," or "1234." - When configuring a device, make it a habit to change the default administrative credentials before you do anything else, and record this information in a safe place. When you do so, avoid common usernames and passwords. - Be careful to configure secure usernames and passwords on all devices connected to any part of your network, even if the device itself seems to be an insignificant security threat - Many devices offer the option to configure several administrative accounts with varying levels of access. Additionally, user accounts on an enterprise's domain might be capable of accessing different features within a device's management interface.
reasons to use hashing for device hardening
- Passwords are stored in hashed form so they cannot be read even if the password database is accessed. A plain fast hash such as SHA-256 is not enough on its own: identical passwords produce identical digests, and an attacker with the stolen database can test billions of guesses per second. Passwords should be hashed with a unique salt per user using a deliberately slow password-hashing function (bcrypt, scrypt, Argon2, or PBKDF2). Done that way, stolen hashes are of little use to the thief for any password that is not trivially guessable. - Entire files can also be hashed, for example to verify that a downloaded firmware image or installer matches the digest published by the vendor. - Several hashing tools are available free online. One website, onlinemd5.com, lets you choose between three hashing algorithms: MD5 (an older, outdated hashing algorithm), SHA-1 (also deprecated, since practical collisions have been demonstrated), and SHA-256. Do not upload anything sensitive to a third-party hashing site. - You can also hash an entire file from the command line: Get-FileHash in Windows PowerShell, shasum -a 256 in the macOS Terminal, and sha256sum in a Linux terminal.
resources to learn about newest malware and their characteristics
- Symantec's website - McAfee's Virus Information Library at home.mcafee.com/virusinfo/.
characteristics that make malware harder to detect and eliminate
- encryption: Some malware is encrypted to prevent detection. - stealth: Some malware disguises itself as legitimate programs or replaces part of a legitimate program's code with destructive code. - polymorphism: malware that changes its characteristics (such as the arrangement of bytes, size, and internal instructions) every time it's transferred to a new system, making it harder to identify. - time dependence: Some malware is programmed to activate on a particular date. This type of malware can remain dormant and harmless until its activation date arrives. Time-dependent malware can include logic bombs
where to install implemented anti-malware software
- host based: If you install anti-malware software on every desktop, you have addressed the most likely point of entry, but ignored the most important files that might be infected—those on the server. Host-based anti-malware also provides insufficient coverage when a significant portion of the network is virtualized. - server based: you will protect important files, but slow your network performance considerably. - network based: Securing the network's gateways, where the Internet connects with the interior network, can provide a formidable layer of defense against the primary source of intrusion—the Internet. However, this does nothing to prevent users from putting the network at risk with infected files on flash drives, laptops, or smartphones. - cloud based: provides the same kinds of benefits as other cloud-based solutions, such as scalability, cost efficiency, and shared resources. These cloud vendors are still working out bugs, and it can be a challenge to ensure that coverage soaks the entire network with no blind spots. Cloud solutions also increase the amount of Internet traffic in order to perform their duties.
security precautions for privileged user accounts
- limited use: These accounts should only be used when those higher privileges are necessary to accomplish a task. Even those employees who have a privileged user account should also have a lower-level account for normal activities - limited location: Many companies require the privileged user account be accessed only on location so that no one, not even a legitimate network administrator, can access the device remotely and make high-level changes. - limited duration: Privileged user accounts should be carefully accounted for and disabled as soon as they're not needed - limited access: The passwords for these accounts should be especially secure and difficult to crack. Passwords should also be stored securely, and when possible, multi-factor authentication should be required - limited privacy: A privileged user account can be used for destructive activity—whether malicious or not. For that reason, every user action in these accounts should be recorded and monitored by someone other than the owner of that account
process of managing and applying security patches
1. discovery: you investigate what's on your network, so that you can protect it. Good documentation will help indicate whether a newly discovered vulnerability and its patch apply to your network 2. standardization: Updating OS and application versions consistently across the network will simplify the change process for future updates. 3. layered security: refers to multiple defenses applied to a single network. For layered security to be effective, you need to understand how these various solutions interact, and look for any gaps in coverage. 4. vulnerability reporting: Identifying and prioritizing relevant security issues and patch releases is essential 5. implementation: includes validating, prioritizing, testing, and applying patches. Careful implementation is especially important with security patches. Rolling patches out in phases, or tiers, requires formal change management processes. 6. assessment: evaluate the success of patch implementation and the overall effectiveness of the patch 7. risk mitigation: In some cases, it may not be possible to apply a patch where needed. To lessen the resulting risk, you should apply other layers of protection to the affected devices and applications.
social engineering attack cycle
1. research (most time consuming and important) 2. build trust: build familiarity by initially asking for seemingly benign information. As they gather more data, they use these tidbits to build trust and gain access to more private information. 3. exploit: point of action on the part of the victim that gives the attacker the access he desires. 4. exit: the attacker executes an exit strategy in such a way that does not leave evidence or raise suspicion
rogue DHCP server
An unauthorized DHCP service, for example one running on an attacker's client device, that could be used to implement a MitM attack by handing out leases that name the attacker's IP address as the victim computers' default gateway or DNS server. - Default trust relationships between one network device and another might allow a hacker to access the entire network because of a single flaw. For example, DHCP messages are allowed to flow freely through ports on switches so that clients can request and receive DHCP assignments, which means a rogue server's offers reach clients just like the legitimate server's unless the switch enforces DHCP snooping.
DRDoS (distributed reflection DoS) attack
A DoS attack bounced off of uninfected computers, called reflectors, before being directed at the target. - achieved by spoofing the source IP address in the attack to make it look like all the requests for response are being sent by the target, then all the reflectors send their responses to the target, thereby flooding the target with traffic
asset tracking tag
A barcode or wireless-enabled transmitter used to track the movement or condition of equipment, inventory, or people. - Whether a simple barcode or a wireless-enabled transmitter, such as the RFID label, enables constant or periodic collection of information. This data is then reported to a central management application for monitoring, logging, and reporting. - As wireless technologies have improved, these asset tracking systems have grown beyond Wi-Fi-dependent systems, which tend to be expensive and require frequent battery replacement for each asset being tracked. - Today, these systems often use Bluetooth, RFID (such as NFC), cellular, and GPS wireless technologies - are sometimes also combined with cloud technology, to provide deeper insights through data analytics, and with IoT technology, to increase the security of IoT networks.
honeypot
A decoy system isolated from legitimate systems and designed to be vulnerable to security exploits for the purposes of learning more about hacking techniques or nabbing a hacker in the act. - To lure hackers, the system might be given an enticing name, such as one that indicates a name server or a storage location for confidential data. Once hackers access it, a network administrator can use monitoring software and logs to track the intruder's moves - To fool hackers and gain useful information, it cannot appear too blatantly insecure, and tracking mechanisms must be hidden - must be isolated from secure systems to prevent a savvy hacker from using it as an intermediate host for other attacks - can provide unique information about hacking behavior and, if configured well, are low maintenance sources of information with few false positives
key fob
A device or app that provides remote control over locks and security systems
security policy
A document or plan that identifies an organization's security goals, risks, levels of authority, designated security coordinator and team members, responsibilities for each team member, and responsibilities for each employee. In addition, it specifies how to address security breaches. - should NOT state exactly which hardware, software, architecture, or protocols will be used to ensure security, nor how hardware or software will be installed and configured. - Password guidelines should be clearly communicated to everyone in your organization through this
PUA (privileged user agreement)
A document that addresses the specific concerns related to privileged access given to administrators and certain support staff. - For example, a doctor who has access to HIPAA-protected patient information must sign this which defines what he can and can't do with that patient data, and what special precautions he must take to protect the patient's privacy. - Certain checks and balances must also be maintained and defined - outlines guidelines, rules, restrictions, and consequences of violations, all of which help minimize the risk involved in allowing privileged access to some users.
badge
A form of identification that includes the person's name and perhaps a photo, title, or other information.
SHA (Secure Hash Algorithm)
A family of hash algorithms designed by the NSA and standardized by NIST. SHA-1 was intended to address weaknesses in earlier hashes such as MD5, but SHA-1 itself is now deprecated: practical collisions were demonstrated in 2017, so treat it like MD5. The SHA-2 family (SHA-256, SHA-512) is the most commonly used hashing algorithm today (2020). The most recent iteration is SHA-3, based on the Keccak design submitted by private designers to a public competition that NIST concluded in 2012. - The primary advantage of SHA-2 and SHA-3 over older hashing algorithms is their resistance to collisions. A collision is when two different data sources result in the same hash. - A prevalence of collisions from a hashing algorithm essentially defeats the purpose of hashing, because an attacker could substitute one file for another that has the same digest. - Layering SHA-2 and SHA-3 or hashing data in multiple passes adds little real security and is not standard practice; choose one current algorithm (SHA-256 or SHA-3) for integrity checks and, for password storage, a dedicated slow password-hashing function rather than a bare SHA hash.
logic bomb
A malicious program designed to start when certain conditions are met.
honeynet
A network of honeypots.
cipher lock
A physical or electronic lock requiring a code to open the door, which can reduce the inherent risk of lost keys. - Changing the code regularly also helps increase security. - Not designed solely for physical security, such as on an outside door, so much as for controlling access to an area, such as an indoor data room, by logging who comes and goes, enabling or disabling unescorted entry, scheduling open access times, and even responding to access made under duress (for example, a special code that opens the door but silently raises an alarm)
phishing
A practice in which a person attempts to gain access to authentication information by posing as someone who needs that information. - An electronic communication that appears to come from a legitimate person or organization and requests access or authentication information.
penetration testing
A process of scanning a network for vulnerabilities and investigating potential security flaws. - This attack simulation uses various tools to find network vulnerabilities, as in vulnerability scanning, and then attempts to exploit those vulnerabilities.
malware
A program or piece of code designed to intrude upon or harm a system or its resources. - Included in this category are viruses, Trojan horses, worms, bots, and ransomware.
ransomware
A program that locks a user's data or computer system until a ransom is paid. - In most cases, the infection encrypts data on the computer, and can also encrypt data on backup devices, removable storage devices, and even cloud storage accounts connected to the computer, such as Dropbox or OneDrive. - Currently, the most reliable defense is regular backups that the malware cannot reach: disconnect the backup media from the computer between backups (or use immutable cloud backups), and periodically test that the backups actually restore.
virus
A program that replicates itself to infect more computers, either through network connections when it piggybacks on other files or through exchange of external storage devices, such as USB drives, passed among users. - Might damage files or systems, or simply annoy users by flashing messages or pictures on the screen, for example.
DHCP snooping
A security feature on switches whereby DHCP messages on the network are checked and filtered. - Switch ports are marked trusted (the uplink toward the legitimate DHCP server) or untrusted (ports facing clients). Server-side messages such as DHCPOFFER and DHCPACK arriving on an untrusted port are dropped, so a rogue DHCP server on a client port cannot answer clients. The switch also builds a binding table of which IP and MAC address was leased on which port, which DAI (dynamic ARP inspection) can use to validate ARP traffic.
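Added example, not code from the original notes, of the decision a DHCP snooping switch makes, run over a handful of constructed DHCPOFFER records (this serves both the rogue DHCP server card and this one): offers that arrive on an untrusted port or from an unknown server are dropped, and offers that point clients at an unexpected gateway or DNS server are flagged as a likely MitM setup. The port names, addresses, and records are all constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class DhcpOffer:
    switch_port: str      # port the DHCPOFFER arrived on
    server_ip: str        # DHCP server identifier (option 54)
    offered_gateway: str  # router option (option 3)
    offered_dns: str      # domain name server option (option 6)


# Constructed network: one uplink to the real DHCP server, client ports elsewhere.
TRUSTED_PORTS = {"Gi1/0/48"}
TRUSTED_SERVERS = {"10.0.0.2"}
EXPECTED_GATEWAY = "10.0.0.1"
EXPECTED_DNS = {"10.0.0.2", "10.0.0.3"}

# Constructed sample offers as a switch would see them.
OFFERS = [
    DhcpOffer("Gi1/0/48", "10.0.0.2", "10.0.0.1", "10.0.0.2"),    # legitimate
    DhcpOffer("Gi1/0/7", "10.0.0.66", "10.0.0.66", "10.0.0.66"),  # rogue on a client port
    DhcpOffer("Gi1/0/48", "10.0.0.2", "10.0.0.1", "10.0.0.3"),    # legitimate, second DNS
    DhcpOffer("Gi1/0/12", "10.0.0.2", "10.0.0.1", "10.0.0.2"),    # spoofs real server, wrong port
]


def inspect_offer(offer: DhcpOffer) -> List[str]:
    """Return the reasons an offer should be dropped or alerted on (empty = clean)."""
    reasons = []
    if offer.switch_port not in TRUSTED_PORTS:
        reasons.append(f"server message on untrusted port {offer.switch_port} (snooping drops it)")
    if offer.server_ip not in TRUSTED_SERVERS:
        reasons.append(f"unknown DHCP server {offer.server_ip}")
    if offer.offered_gateway != EXPECTED_GATEWAY:
        reasons.append(f"gateway {offer.offered_gateway} differs from {EXPECTED_GATEWAY}: MitM indicator")
    if offer.offered_dns not in EXPECTED_DNS:
        reasons.append(f"DNS server {offer.offered_dns} not in expected set: MitM indicator")
    return reasons


def find_rogue_offers(offers) -> Dict[str, List[str]]:
    """Map 'port/server' -> reasons for every offer that fails inspection."""
    findings = {}
    for offer in offers:
        reasons = inspect_offer(offer)
        if reasons:
            findings[f"{offer.switch_port}/{offer.server_ip}"] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in find_rogue_offers(OFFERS).items():
        print(key, "->", "; ".join(reasons))
```

The fourth record shows why the port check matters: an attacker can spoof the real server's address, but cannot make the frame arrive on the trusted uplink.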
principle of least privilege
A security measure that ensures employees and contractors are only given enough access and privileges to do their jobs, and these privileges are terminated as soon as the person no longer needs them.
insider threat
A security risk associated with someone who is or was trusted by an organization, such as an employee, former employee, contractor, or other associate (insider) - Sometimes trusted people have or develop malicious intent - pose a particularly high risk to an organization due to their knowledge of the company's systems, procedures, and layers of security.
DLP (data loss prevention)
A security technique that uses software to monitor confidential data, track data access and ownership, and prevent it from being copied or transmitted off the network. - solution that identifies sensitive data on the network and prevents it from being copied, such as downloading to a flash drive, or transmitted off the network, such as emailing or posting to cloud storage
back door
A hidden way of bypassing a system's normal authentication, whether an undocumented access path left in software or an unpatched security flaw, that can allow unauthorized users to gain access to a system. - Unless the network administrator performs regular updates, a hacker might exploit these flaws. Legacy systems are particularly notorious for leaving these kinds of gaps in a network's overall security net.
dictionary attack
A technique in which attackers run a program that tries a combination of a known user ID and, for a password, every word in a dictionary to attempt to gain access to a network.
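Worked example, added here for illustration and not part of the original notes, covering the password tips card and this dictionary attack card together: how much keyspace a brute-force attacker faces for a short random password versus a long random passphrase, a policy check that applies the tips, and a dictionary attack that recovers a dictionary-based password from a stolen hash. The word list and the password "Sunshine1" are constructed sample data, and the attack targets bare SHA-256 only to keep the demonstration fast.

```python
import hashlib
import math

# Constructed sample word list; a real attacker uses lists with millions of
# words and leaked passwords (assumption: tiny list for the demonstration).
DICTIONARY = ["password", "letmein", "dragon", "sunshine", "welcome",
              "princess", "football", "qwerty", "monkey", "shadow"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a secret chosen uniformly at random: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def compare_schemes() -> dict:
    """Keyspace of a short random character password versus a random passphrase."""
    printable_ascii = 95     # characters a user can type
    diceware_words = 7776    # size of the EFF long word list (6^5)
    return {
        "8 random printable characters": round(entropy_bits(printable_ascii, 8), 1),
        "5 random diceware words": round(entropy_bits(diceware_words, 5), 1),
    }


def policy_violations(password: str) -> list:
    """Apply the password tips and return the rules the password breaks."""
    problems = []
    if len(password) <= 8:
        problems.append("not longer than eight characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no mix of upper- and lowercase letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    return problems


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hash: str, wordlist) -> str:
    """Try every word, plus the simple mangling rules cracking tools apply by
    default, against a stolen unsalted SHA-256 hash. Returns the password or None."""
    for word in wordlist:
        for candidate in (word, word.capitalize(), word + "1",
                          word.capitalize() + "1", word + "123"):
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


if __name__ == "__main__":
    print(compare_schemes())
    stolen = sha256_hex("Sunshine1")   # alice's password, constructed
    print("policy says:", policy_violations("Sunshine1"))
    print("cracked:", dictionary_attack(stolen, DICTIONARY))
    print("passphrase:", dictionary_attack(sha256_hex("correct horse battery staple"), DICTIONARY))
```

"Sunshine1" passes the length and character-class rules yet falls instantly, because capitalising a word and appending a digit is the first thing a cracking tool tries; the five-word passphrase has twelve more bits of entropy than eight fully random printable characters and never appears in the list.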
vulnerability scanning
A technique to identify vulnerabilities in a network, with or without malicious intent. - Often performed by a company's own staff, and does not attempt to exploit any vulnerabilities - Two types: 1. authenticated, in which the scanner is given the same access to the network as a trusted user would have, such as an employee, so it can see patch levels and configuration from the inside 2. unauthenticated, in which the scanner begins on the perimeter of the network, looking for vulnerabilities that do not require trusted user privileges.
CCTV (closed-circuit TV)
A video surveillance system that monitors activity in secured areas. - IP cameras can be placed in data centers, computer rooms, data rooms, and data storage areas, as well as facility entrances. - cameras might run continuously, or they might be equipped with motion detectors to start recording when movement occurs within their viewing area.
vulnerability
A weakness of a system, process, or architecture that could lead to compromised information or unauthorized access to a network
privileged user account
An administrative account on a device or network that gives high-level permissions to change configurations or access data. - The most privileged account type a user can hold on an enterprise domain.
security audit
An assessment of an organization's security vulnerabilities performed by an accredited network security firm.
posture assessment
An assessment of an organization's security vulnerabilities. - a thorough examination of each aspect of the network to determine how it might be compromised - The more devastating a threat's effects and the more likely it is to happen, the more rigorously your security measures should address it. - should be performed at least annually and preferably quarterly. They should also be performed after making any significant changes to the network - If your IT Department has sufficient skills and time for routine posture assessments, they can be performed in-house. A qualified consulting company can also assess the security of your network. - If the company is accredited by an agency that sets network security standards, the assessment qualifies as a security audit.
DoS (denial-of-service) attack
An attack in which a legitimate user is unable to access normal network resources because of an attacker's intervention. Most often, this type of attack is achieved by flooding a system with so many requests for services that it can't respond to any of them. - As a result, all data transmissions are disrupted - relatively simple attack to launch (for example, a hacker could create a looping program that sends thousands of email messages to your system per minute) - can also result from malfunctioning software - many subtypes - comes from one or a few sources owned by the attacker
FTP bounce
An attack in which an FTP client specifies a different host's IP address and port as the destination for the requested data. By commanding the FTP server to connect to another computer, an attacker can scan the ports on other hosts, or deliver data to a service on them, while the traffic appears to come from the FTP server. - FTP is notorious for its vulnerabilities. - In active-mode FTP, a client requesting data sends a PORT command that normally names its own IP address and a port it is listening on for the data connection. However, nothing in the protocol stops the client from naming any port on any host's IP address. - To thwart this, most modern FTP servers will not open data connections to hosts other than the client that originated the request, and refuse low-numbered (privileged) ports.
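Added example, not code from the original notes: a parser for FTP's PORT command and the check modern servers apply to stop bounce attacks, namely refusing any data connection whose target is not the client that opened the control connection, plus the PORT lines an attacker would send to bounce a port scan off a permissive server. The addresses are constructed sample values.

```python
import ipaddress
import re
from typing import List, Tuple

# RFC 959: PORT h1,h2,h3,h4,p1,p2 where the port is p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_command(line: str) -> Tuple[str, int]:
    """Decode a PORT command into (ip, port); raise ValueError on bad input."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("malformed PORT command")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range")
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def build_port_command(ip: str, port: int) -> str:
    """Encode (ip, port) the way an FTP client does."""
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}"


def allow_data_connection(control_peer_ip: str, port_line: str) -> bool:
    """The anti-bounce rule: the data target must be the control-channel peer,
    and never a privileged port (a bounced SMTP or Telnet connection, say)."""
    ip, port = parse_port_command(port_line)
    if port < 1024:
        return False
    return ipaddress.ip_address(ip) == ipaddress.ip_address(control_peer_ip)


def bounce_scan_commands(victim_ip: str, ports: List[int]) -> List[str]:
    """What an attacker sends to a permissive server to probe another host's ports;
    a '425 Can't open data connection' reply means closed, a transfer means open."""
    return [build_port_command(victim_ip, p) for p in ports]


if __name__ == "__main__":
    client = "198.51.100.7"          # constructed control-connection peer
    for line in [build_port_command(client, 40000)] + bounce_scan_commands("10.0.0.5", [22, 80]):
        print(line, "->", "allow" if allow_data_connection(client, line) else "refuse")
```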
ARP poisoning
An attack in which attackers use fake ARP replies to alter ARP tables in a network. - ARP works in conjunction with IPv4 to discover the MAC address of a node on the local network. This information is stored in a database called the ARP table or ARP cache, which maps IP addresses to MAC addresses on the LAN. - However, ARP performs no authentication: a host accepts whatever reply it receives, even an unsolicited one, so it is highly vulnerable to attack. - Contributes to the feasibility of several other exploits, including DoS (denial-of-service) attacks, MitM (man-in-the-middle) attacks, and MAC flooding. MAC flooding overloads a switch's MAC address table with frames carrying thousands of forged source MAC addresses (often bogus ARP replies); once the table is full, the switch floods traffic out every port like a hub, letting the attacker sniff it.
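Added example, not code from the original notes, of the detection logic tools such as arpwatch apply: track the IP-to-MAC binding each ARP reply asserts, alert when a known IP suddenly answers from a different MAC, and flag any MAC that claims more than one IP (the signature of an attacker impersonating both the gateway and a victim). The reply log and addresses are constructed sample data; static_entries shows the static ARP entry defense.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Constructed ARP reply log: (timestamp, sender IP, sender MAC). The attacker
# at de:ad:be:ef:00:99 claims both the gateway and a victim, the classic MitM setup.
ARP_REPLIES = [
    (1, "10.0.0.1", "aa:aa:aa:aa:aa:01"),   # real gateway
    (2, "10.0.0.7", "aa:aa:aa:aa:aa:07"),   # real victim
    (3, "10.0.0.1", "de:ad:be:ef:00:99"),   # attacker claims gateway IP
    (4, "10.0.0.7", "de:ad:be:ef:00:99"),   # attacker claims victim IP
    (5, "10.0.0.1", "aa:aa:aa:aa:aa:01"),   # real gateway answers again (flapping)
]


class ArpWatch:
    """Tracks IP->MAC bindings the way arpwatch does and alerts on changes."""

    def __init__(self, static_entries: Dict[str, str] = None):
        self.table: Dict[str, str] = dict(static_entries or {})
        self.static: Set[str] = set(static_entries or {})
        self.ips_by_mac: Dict[str, Set[str]] = defaultdict(set)
        self.alerts: List[str] = []

    def observe(self, ts: int, ip: str, mac: str) -> None:
        """Process one ARP reply; an unsolicited reply is accepted just as a real host would."""
        self.ips_by_mac[mac].add(ip)
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            self.alerts.append(f"t={ts} {ip} changed {known} -> {mac}")
            if ip not in self.static:       # a static entry is never overwritten
                self.table[ip] = mac

    def macs_claiming_multiple_ips(self) -> Dict[str, Set[str]]:
        return {m: ips for m, ips in self.ips_by_mac.items() if len(ips) > 1}


def run_watch(replies, static_entries: Dict[str, str] = None) -> ArpWatch:
    watch = ArpWatch(static_entries)
    for ts, ip, mac in replies:
        watch.observe(ts, ip, mac)
    return watch


if __name__ == "__main__":
    w = run_watch(ARP_REPLIES)
    print("\n".join(w.alerts))
    print("suspicious MACs:", w.macs_claiming_multiple_ips())
    print("gateway binding now:", w.table["10.0.0.1"])
```

The flip-flop alerts at t=3 and t=5 are the tell: the real gateway and the attacker keep overwriting each other's entry on every host on the segment.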
DDoS (distributed DoS) attack
An attack in which multiple hosts simultaneously flood a target host with traffic, rendering the target unable to function. - orchestrated through many sources - Most of these machines are zombies, which means the owners are unaware that their computers are being used in the coordinated attack - Malware, called a bot, is installed on each machine and gives the bot herder, or central controller, remote control of the computer. - people don't realize their computing resources are also a target. Computers can be requisitioned as part of a botnet, also called a zombie army, in coordinated attacks without the owners' knowledge or consent - much more difficult to defend against than an attack from a single source - Effective firewalls can greatly reduce the chances of a computer being drafted into illegal botnets.
amplified DRDoS attack
An attack instigated using small, simple requests whose responses are many times larger than the request, so the reflectors deliver far more traffic to the target than the attacker has to send. DNS, NTP, ICMP, LDAP, and SNMP lend themselves to being used in these kinds of attacks.
PDoS (permanent DoS) attack
An attack on a device that attempts to alter the device's management interface or firmware to the point where the device is irreparable. - The attack damages a device's firmware beyond repair. This is called "bricking" the device because it effectively turns the device into a brick.
deauth (deauthentication) attack
An attack on a wireless network in which the attacker sends faked deauthentication frames to the AP, the client, or both (or as a broadcast to the whole wireless network) to trigger the deauthentication process and knock one or more clients off the wireless network. - When a Wi-Fi client is legitimately connected to a wireless access point, the AP or the client can send a deauthentication frame to tell the other device that the authentication session is being terminated. This can happen for any number of reasons, including inactivity, the client is leaving the area, the AP is overwhelmed with too many clients, or an unspecified reason - is essentially a Wi-Fi DoS attack in that valid users are prevented from having normal access to the network. At minimum, it can be a frustrating experience for users. In the hands of a skilled attacker, further information can be collected for more destructive attacks, such as a MitM attack.
DNS poisoning
An attack that alters DNS records on a DNS server, thereby redirecting Internet traffic from a legitimate web server to a phishing website. - also known as DNS spoofing - Because of the way DNS servers share their cached entries, poisoned DNS records can spread rapidly to other DNS servers, ISPs, home and business networks, and individual computers. - one way China maintains the "Great Firewall"
MitM (man-in-the-middle) attack
An attack that relies on intercepted transmissions. It can take one of several forms, but in all cases a person redirects or captures secure data traffic while in transit, typically by getting positioned between the two communicating parties (for example, through ARP poisoning, a rogue DHCP server, or DNS poisoning) so that each side believes it is talking directly to the other.
zero-day exploit
An attack that takes advantage of a software vulnerability that hasn't yet or has only very recently become public. - are particularly dangerous because the vulnerability is exploited before the software developer has the opportunity to provide a solution for it or before the user applies the published solution
smart card
An electronic access badge. - when swiped through a reader, the door unlocks and the person's access to the secured area is time stamped and logged in a database. These badges can be programmed to allow their owner access to some, but not all, rooms in a building
human error
By some estimates, human errors, ignorance, and omissions cause more than half of all security breaches sustained by networks. - Human error accounts for so many security breaches because taking advantage of people is often an easy way to circumvent network security. End-user awareness and training can be a monumental task that requires regular attention and due diligence. Ultimately, it is the company's responsibility to ensure that its employees adhere to applicable standards and policies.
insecure protocols and services
Certain TCP/IP protocols are inherently insecure. For example, IP addresses can be falsified, checksums detect accidental corruption but not deliberate tampering, UDP requires no authentication, and TCP provides only sequence numbers rather than any real authentication of the peer. FTP is notorious for its vulnerabilities. - Other insecure protocols include HTTP (use HTTPS with TLS instead), Telnet (use SSH instead, or at least tunnel it through IPsec), SLIP (use PPP instead), TFTP (use SFTP instead), and SNMPv1 and SNMPv2 (use SNMPv3 with authentication and privacy enabled instead).
white hat hacker
IT security experts hired by organizations to assess their security and risks. They're sometimes called ethical hackers. - Their goal is to identify security vulnerabilities of all kinds so the organization can make changes to increase their security. The extent of their efforts is usually clearly defined in a written contract before they begin their testing, and their activities are limited by existing laws and restrictions. - At no point is private data compromised outside of that trusted relationship.
exploit
In the context of network security, the act of taking advantage of a vulnerability.
accumulated risk of network security exploits
None of the risks exploits pose stand alone. Any risk can open the door to further exploitation
note about firmware updates
On the job, be sure to research firmware upgrades thoroughly before deciding whether to implement them. If at all possible, perform the firmware upgrade locally rather than remotely. And be prepared to troubleshoot unexpected problems after the upgrade.
device hardening
Preventive measures that can be taken to secure a device from network- or software-supported attacks.
note about managing remote access connections
Recall that many devices are managed through remote access connections, the most common of which is SSH. Also recall that SSH keys can be used to authenticate devices making the remote connection. - Over long-distance connections, key-based authentication is more secure than passwords: the private key never crosses the network, it cannot be guessed by a dictionary or brute-force attack the way a password can, and it is not reused across systems. However, just like usernames and passwords, key material should be changed from the provider's default settings; a device that ships with a pre-generated SSH host key pair may share that pair with every other unit of the same model, which lets an attacker impersonate the device. - To do this, first remove the existing keys with the rm command. Then generate a new key pair with the ssh-keygen command, and protect any private keys with a passphrase.
tamper detection
Sensors that can detect physical penetration, temperature extremes, input voltage variations, input frequency variations, or certain kinds of radiation. - put on things like utility meters, parking meters, entry doors, ATMs, network cables, and even security cameras - might trigger defensive measures such as an alarm or shutdown, or it might activate a video camera or other security system - can also be a sticker or latch that when damaged informs you that device was tampered with
MDM (mobile device management)
Software that automatically handles the process of configuring wireless clients for network access (on boarding). - Part of a BYOD policy might include on-boarding and off-boarding procedures. Recall that the process of configuring wireless clients for network access is called on-boarding - works with all common mobile platforms and their service providers, and can add or remove devices remotely. -can automate enrollment, enforce password policies and other security restrictions, encrypt data on the device, sync data across corporate devices, wipe the device, and monitor the device's location and communications.
port scanner
Software that searches a server, switch, router, or other device for open ports, which can be vulnerable to attack.
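Added example, not code from the original notes, of a minimal TCP connect port scanner with banner grabbing. To stay runnable offline it starts its own throwaway listener on the loopback interface as the constructed target and scans the ports around it; point scan_ports at any other host only with written authorization.

```python
import socket
import threading
from typing import List, Tuple


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Open a throwaway TCP service on an OS-chosen port (the constructed target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                      # listener was closed
                break
            try:
                conn.sendall(b"220 demo-ftp ready\r\n")   # a banner a scanner can grab
            except OSError:                      # peer hung up before reading
                pass
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def scan_ports(host: str, ports, timeout: float = 0.3) -> List[int]:
    """TCP connect scan: a completed three-way handshake means the port is open."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host: str, port: int, timeout: float = 0.5) -> str:
    """Read whatever the service announces; that text identifies software and version."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(128).decode(errors="replace").strip()
        except socket.timeout:
            return ""


def demo() -> Tuple[int, List[int], str]:
    """Scan a small range around the throwaway listener and grab its banner."""
    srv, port = start_listener()
    try:
        found = scan_ports("127.0.0.1", range(port - 3, port + 4))
        banner = grab_banner("127.0.0.1", port) if port in found else ""
    finally:
        srv.close()
    return port, found, banner


if __name__ == "__main__":
    port, found, banner = demo()
    print(f"listener on {port}; open: {found}; banner: {banner!r}")
```

A connect scan completes the handshake, so it shows up in the target's logs; the same loop is what makes every open port a question you must answer ("why is this listening?") during device hardening.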
motion detection
Technology that triggers an alarm when it detects movement within its field of view. - can discern between different types of motion, such as small animals, blowing plants, or walking humans, to reduce false alarms. - might be configured to record date and time of motion detection, or trigger lights, alarms, or video cameras.
social engineering
The act of manipulating social relationships to circumvent network security measures and gain access to a system. - common types include: - phishing - baiting - quid pro quo - tailgating
NDA (non-disclosure agreement)
The part of a security policy that defines what confidential and private means to the organization. - In general, information is confidential if it could be used by other parties to impair an organization's functioning, decrease customers' confidence, cause a financial loss, damage an organization's status, or give a significant advantage to a competitor. - Any information covered by this might also be protected from international export.
AUP (acceptable use policy)
The portion of a security policy that explains to users what they can and cannot do while accessing a network's resources, and penalties for violations. It might also describe how these measures protect the network's security. - Don't do anything illegal. - Don't try to circumvent network security restrictions. - Don't violate the rights of any person or organization. - Don't forward spam email. - Don't violate copyright, trade secret, patent, intellectual property, or other regulations. - etc. - International and regional export controls limit what software, data, technology, and devices can cross certain political boundaries. you might need an export license to travel internationally with encrypted data, and some countries might require that you decrypt data before entering the country
BYOD (bring your own device)
The practice of allowing people to bring their smartphones, laptops, or other technology into a facility for the purpose of performing work or school responsibilities. - organizations need to detail what is allowed and what isn't, what reimbursements or allowances the company might offer, what restrictions will keep the organization's data and networks safe, and what configurations to the device are needed in order to comply with the policy. - can be cheaper for organizations to implement and tend to improve efficiency and morale for employees and students. However, security and legal compliance concerns must be sufficiently addressed - variations include: - BYOA (bring your own application) - BYOC (bring your own cloud) - CYOD (choose your own device)
hashing
The transformation of data through an algorithm into a fixed-length digest, which is usually much shorter than the data itself. Mostly used to ensure data integrity, that is, to verify the data has not been altered. - not the same thing as encryption, though it's often listed as a type of encryption and does, in a similar manner, transform data from one format to another. - Encrypted data can be decrypted by whoever holds the key; hashed data cannot be recovered from its digest, because hashing uses no key and discards information. - If a secure algorithm is used, finding any input that produces a given digest is computationally infeasible, so the only way to "reverse" a hash is to guess inputs and compare digests
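The integrity check the entry above describes, as an added example (not code from the page or its textbook). It hashes a constructed sample record with SHA-256, stores the digest, and then shows that a one-digit change to the record produces a completely different digest (the avalanche effect), that the digest has the same length whether the input is empty or a megabyte, and that the stored digest is compared in constant time. The record and the "tampering" are made up for the demonstration.

```python
import hashlib
import hmac

# Constructed sample record to protect (not from the page).
ORIGINAL = b"Transfer $100 to account 12345\n"


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest as 64 hex characters. The length is fixed no matter how
    long the input is: the digest is a fingerprint of the data, not a
    compressed copy of it, and there is no key with which to get the data back."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Recompute the digest and compare it with the stored value in constant
    time, so the comparison itself does not leak how many characters matched."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def differing_hex_digits(a: str, b: str) -> int:
    """Count positions where two hex digests differ (shows the avalanche effect)."""
    return sum(1 for x, y in zip(a, b) if x != y)


def demo() -> dict:
    stored = sha256_hex(ORIGINAL)                      # published alongside the data
    tampered = ORIGINAL.replace(b"12345", b"12346")    # attacker changes one digit
    return {
        "stored_digest": stored,
        "original_ok": verify_integrity(ORIGINAL, stored),
        "tampered_ok": verify_integrity(tampered, stored),
        "digits_changed": differing_hex_digits(stored, sha256_hex(tampered)),
        "same_length": len(sha256_hex(b"")) == len(sha256_hex(b"A" * 1_000_000)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the digest depends on nothing but the input, anyone who can guess the input can confirm the guess; that is exactly what a dictionary attack does against password hashes, which is why the password tips elsewhere on this page matter even when passwords are stored hashed.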
hacker
Traditionally, a person who masters the inner workings of computer hardware and software in an effort to better understand them. More generally, an individual who gains unauthorized access to systems or networks with or without malicious intent. - might also refer to finding a creative way around a problem, increasing functionality of a device or program, or otherwise manipulating resources beyond their original design - categorized according to their intent and the prior approval of the organizations whose networks they're utilizing
data breach
Unauthorized access or use of sensitive data.
biometrics
Unique physical characteristics of an individual, such as the color patterns in their iris or the geometry of their hand. - A more expensive physical security solution involves biorecognition access, in which a device scans an individual's unique physical characteristics before granting entry.
updates and security patches
Updates to applications, operating systems, and device firmware address several issues, including fixing bugs, adding new features, and closing security gaps - Because of the urgency of protecting networks and data from being compromised, security gaps are often addressed in smaller, more frequent updates called patches.
spoofing
attack based on risk inherent in network hardware and design, in which the attacker impersonates another device's address - MAC addresses can be impersonated (MAC spoofing), which defeats filtering based on MAC address alone - IP addresses can be impersonated (IP spoofing), which can be used to launch DoS attacks or to forge DNS messages
proximity card
badge or key card which does not require direct contact with a proximity reader in order to be detected. - In fact, a reader can be concealed inside a wall or other enclosure and requires very little maintenance. With a typical range of about 5-10 cm, the card can be detected even while it's still inside a wallet or purse
one of the easiest and least expensive ways to guard against unauthorized access
choose a secure password
how do you configure DHCP snooping?
On a Cisco switch it is turned on globally with the "ip dhcp snooping" command, then enabled for the VLANs to be protected, and the port(s) facing the legitimate DHCP server are marked as trusted. All other ports are untrusted by default: DHCP server messages (offers and acknowledgments) arriving on them are dropped, which blocks rogue DHCP servers, and the leases the switch observes on trusted ports are recorded in a binding table.
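The filtering a DHCP snooping switch performs, modeled as an added example (this is not Cisco code or code from the page, but a simulation of the behavior the entry describes; it also illustrates the MAC impersonation mentioned under "spoofing"). The port names, MAC addresses, and IP addresses are constructed, and the DHCP payloads are built in the code rather than captured. Server-to-client messages are forwarded only from trusted ports, a client that lies about its hardware address is dropped, and acknowledgments seen on trusted ports populate the binding table.

```python
import struct

# DHCP message types carried in option 53 (RFC 2132).
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}        # only a DHCP server should send these
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_dhcp(op: int, msg_type: int, chaddr: bytes, yiaddr: str = "0.0.0.0") -> bytes:
    """Construct a minimal BOOTP/DHCP payload (demo input, not a real capture)."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0,                                # op, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0,                           # xid, secs, flags
        bytes(4),                                   # ciaddr
        bytes(int(o) for o in yiaddr.split(".")),   # yiaddr: address offered/assigned
        bytes(4), bytes(4),                         # siaddr, giaddr
        chaddr.ljust(16, b"\x00"),                  # client hardware address
        bytes(64), bytes(128),                      # sname, file
    )
    return fixed + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])  # option 53, then end


def parse_dhcp(payload: bytes):
    """Return (chaddr, yiaddr, message type) from a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    chaddr = payload[28:28 + hlen]
    yiaddr = ".".join(str(b) for b in payload[16:20])
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:     # 255 = end of options
        if payload[i] == 0:                             # 0 = pad byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return chaddr, yiaddr, msg_type


class SnoopingSwitch:
    """Model of DHCP snooping: server messages are accepted only on trusted
    ports, clients may not claim someone else's MAC, and leases seen in ACKs
    on trusted ports fill the binding table (MAC -> IP)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}

    def handle(self, port: str, src_mac: bytes, payload: bytes) -> str:
        chaddr, yiaddr, msg_type = parse_dhcp(payload)
        if port not in self.trusted:
            if msg_type in SERVER_MESSAGES:
                return f"DROP {port}: DHCP server message on untrusted port"
            if chaddr != src_mac:
                return f"DROP {port}: chaddr does not match source MAC"
        elif msg_type == ACK:
            self.bindings[chaddr] = yiaddr
        return f"FORWARD {port}"


def demo():
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/1"})     # uplink toward the real server
    client = bytes.fromhex("aabbccddeeff")             # constructed addresses
    rogue = bytes.fromhex("001122334455")
    server = bytes.fromhex("0a0b0c0d0e0f")
    results = [
        sw.handle("Gi1/0/5", client, build_dhcp(BOOTREQUEST, DISCOVER, client)),
        sw.handle("Gi1/0/7", rogue, build_dhcp(BOOTREPLY, OFFER, client, "10.0.0.66")),
        sw.handle("Gi1/0/1", server, build_dhcp(BOOTREPLY, ACK, client, "10.0.0.23")),
        sw.handle("Gi1/0/7", rogue, build_dhcp(BOOTREQUEST, DISCOVER, client)),
    ]
    return results, dict(sw.bindings)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
    print("bindings:", demo()[1])
```

The second message is the rogue-server case the feature exists for: an OFFER arriving on an access port is discarded before any client can accept a bogus gateway or DNS server from it.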
most important defense against social engineering attacks
employee training, along with frequent reminders and tips regarding the latest scams
black hat hacker
groups or individuals who use their skills to bypass security systems to cause damage, steal data, or compromise privacy. - They're not concerned with legal restrictions, and are intent on achieving personal gain or executing a personal agenda against an individual or an organization
gray hat hacker
hackers who abide by a code of ethics all their own. - Although they might engage in illegal activity, their intent is to educate and assist. - For example, a computer hobbyist who hacks a local business's weak Wi-Fi password and then reports that weakness to the business owners without damaging or stealing the company's data. - are vulnerable to legal prosecution, and therefore often go to a great deal of effort to remain anonymous.
Nessus
network vulnerability scanning tool developed by Tenable Security (tenable.com) - performs more sophisticated vulnerability scans than Nmap - can identify unencrypted sensitive data, such as credit card numbers, saved on your network's hosts. The program can run on your network or from off-site servers continuously maintained and updated by the developer.
red team - blue team exercise
a form of penetration testing in which an attacking team is pitted against a defending team. - During this exercise, the red team conducts the attack, and the blue team attempts to defend the network. Usually the red team is a hired attacker, such as a consultant or security organization, and the blue team is the company's own IT, security, and other staff. In some cases, the blue team has no warning of the impending attack, in order to better evaluate day-to-day defenses. - The red team relies heavily on social engineering to attempt to access the company's private data, accounts, or systems without getting caught. - The company's detection of and response to the attack is the primary focus
most important way to ensure physical security
plan for it - Which rooms contain critical systems or data and must be secured? - Through what means might intruders gain access to the facility, computer room, data room, network closet, or data storage areas? - How and to what extent are authorized personnel granted entry? - Are employees instructed on how to ensure security after entering or leaving secured areas?
metasploit
popular penetration testing tool that combines known scanning and exploit techniques to explore potentially new attack routes. - also employs Nmap, Telnet, FTP, and UDP probes.
anti-malware policy
provides rules for using anti-malware software, as well as policies for installing programs, sharing files, and using external storage such as flash drives. To be most effective, it should be authorized and supported by the organization's management. - Every computer in an organization should be equipped with malware detection and cleaning software that regularly scans for malware. This software should be centrally distributed and updated - Users should know what to do in case their anti-malware program detects malware. - An anti-malware team should be appointed to focus on maintaining the anti-malware measures. - Users should be prohibited from installing any unauthorized software on their systems.
Nmap
scanning tool (with the GUI front end Zenmap) designed to scan large networks quickly and provide information about a network and its hosts - began as a simple port scanner, an application that searches a device for open ports; each open port reveals a listening service that, if insecure, might be used to craft an attack
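What the "port scanner" and "Nmap" entries describe, as an added example (not Nmap's code and not from the page): a minimal TCP connect scanner, the same technique Nmap uses for its -sT scan. It completes a full three-way handshake on each port and classifies the result as open (a service answered), closed (the host sent RST) or filtered (no answer before the timeout, typically a firewall dropping the SYN). The target is a constructed listener on 127.0.0.1 so the demo runs offline; scanning anything else requires the owner's authorization.

```python
import socket
import threading


def start_listener(port: int = 0) -> socket.socket:
    """Open a TCP listener on 127.0.0.1 (port 0 lets the OS pick a free one).
    This is the constructed scan target for the demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """TCP connect scan of one port: attempt the full handshake, then close.
    'open'     = handshake completed, so a service is listening
    'closed'   = the host answered the SYN with RST (connection refused)
    'filtered' = no answer before the timeout, or another network error"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:          # includes socket.timeout
            return "filtered"


def scan(host: str, ports, timeout: float = 0.5, workers: int = 64) -> dict:
    """Probe many ports concurrently with a small worker pool; returns {port: state}."""
    results, lock, todo = {}, threading.Lock(), list(ports)

    def worker():
        while True:
            with lock:
                if not todo:
                    return
                p = todo.pop()
            state = probe(host, p, timeout)
            with lock:
                results[p] = state

    threads = [threading.Thread(target=worker) for _ in range(min(workers, len(todo)))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def open_ports(host: str, ports, timeout: float = 0.5) -> list:
    """Sorted list of the ports that accepted a connection."""
    return sorted(p for p, state in scan(host, ports, timeout).items() if state == "open")


if __name__ == "__main__":
    srv = start_listener()
    target = srv.getsockname()[1]
    print("demo service listening on port", target)
    print("open ports found:", open_ports("127.0.0.1", range(target - 5, target + 5)))
    srv.close()
```

A connect scan is the noisiest kind: every open port logs a completed connection from the scanner's address. Nmap's default SYN scan avoids that by never finishing the handshake, which needs raw sockets and therefore root or administrator rights.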
to increase acceptance of security policy
tie security measures to business needs and clearly communicate the potential effects of security breaches - A security policy must address an organization's specific risks. To understand your risks, you should conduct a posture assessment that identifies vulnerabilities and rates both the severity of each threat and its likelihood of occurring
worm
type of malware - A program that runs independently of other software and travels between computers and across networks. They may be transmitted by any type of file transfer, including email attachments. - do not alter other programs in the same way that viruses do, but they can carry viruses.
Bot (short for "robot")
type of malware - A process that runs automatically, without requiring a person to start or stop it. - can be beneficial or malicious - Especially when used for ill intent, it does not require user interaction to run or propagate itself. Instead, it connects to a central server (called a command-and-control server, or C&C server) which then commands an entire botnet of similarly infected devices. - can be used to damage or destroy a computer's data or system files, issue objectionable content, launch DoS attacks, or open back doors for further infestation - especially difficult to contain because of their fast, surreptitious, and distributed dissemination.
trojan horse
type of malware - A program that disguises itself as something useful but actually harms your system; named after the famous wooden horse in which soldiers were hidden. - Because they do not replicate themselves, they are not considered viruses.
quid pro quo
type of social engineering - A free gift or service is offered in exchange for private information or "temporary" access to the user's computer system.
baiting
type of social engineering - A malware-infected file, such as a free music download, or device, such as a USB flash drive, is seemingly left unguarded for someone to take and attempt to use on their own computer. The malware then infects the computer and gives the attacker access to the victim's computer, data, or online accounts.
tailgating
type of social engineering - A person posing as an employee or a delivery or service provider follows an authorized employee into a restricted area. For example, a delivery person carrying a large box might ask someone to "hold the door," which gives this person access through an otherwise secure door. A friendly-sounding conversation with an employee as they walk into a building might get an intruder past the front desk security.
friendly DoS attack
unintentional DoS attack, or friendly attack, which is NOT done with malicious intent. - An example might be when a website is flooded with an unexpectedly high amount of shopping traffic during a flash sale
when is data at its most vulnerable?
when it is accessed, stored, or otherwise manipulated in its unencrypted form (called endpoint vulnerability)