Network security quiz questions

Explain 4-way handshake in pairwise key distribution

(STAtion): • A client device in an 802.11 (Wi-Fi) wireless network such as a computer, laptop or smartphone. PMK: • Pairwise Master Key PTK: • Pairwise Transient Key Nonce: • random number used only once • nonce ensures that the PTK is fresh and there is no man-in-the-middle The 4-way handshake is used by the STA and AP use this handshake to confirm the existence of the PMK, verify the selection of the cipher suite, and derive a fresh PTK for the following data session. Message 1: AP --> STA • includes the MAC address of the AP and a nonce (Anonce) so that STA can generate the PTK Message 2: STA --> AP • The STA generates its own nonce (Snonce) and uses both nonces and both MAC addresses, plus the PMK, to generate a PTK. • The STA then sends a message containing its MAC address and Snonce, enabling the AP to generate the same PTK. • This message includes a message integrity code (MIC). • This message demonstrates to the AP that: - the STA is alive - the PTK is new - there is no man-in-the-middle Message 3: • The AP is now able to generate the PTK. • The AP then sends a message to the STA, containing the same information as in the first message, but this time including a MIC. • This message demonstrates to the AP that: - the STA is alive - the PTK is new - there is no man-in-the-middle Message 4: • This is merely an acknowledgement message, again protected by a MIC. • It has no cryptographic function •

What are the advantages of using message authentication?

- Message authentication protects against active attack (falsification of data and transactions) - Message authentication is a procedure that allows communicating parties to verify that received messages are authentic - The two important aspects are to verify: 1. that the contents of the message have not been altered 2. that the source is authentic

What are the characteristics of symmetric encryption? a. What are the algorithms employed? For each algorithm, also consider the key sizes and block sizes. b. What are the advantages and disadvantages using each of these algorithms?

- use the same single key to encrypt and decrypt a document. - the key be kept private (confidential), because if an attacker obtained the key she could read all the encrypted documents. 1. Plain-text (P): The original message or data which is to be encrypted. The plaintext is an input to the encryption algorithm. 2. Encryption Algorithm (E): This algorithm performs various substitutions and transpositions on the plaintext and produces the ciphertext. 3. Ciphertext (C): This is the output produced by the encryption algorithm. The ciphertext is a scrambled message and it appears as a random stream of data. 4. Encryption Key (K): Encryption key or secret key is a value that's independent of the plaintext. The encryption key is an input to the encryption algorithm. The encryption algorithm will produce a different output with different keys. 5. Decryption Algorithm (D): This algorithm is a reverse of the encryption algorithm. It takes ciphertext and the encryption key as input and produces the plaintext as output. How Symmetric Encryption Works: Alice wants to send an encrypted message to Bob and both have the secret key, which is generated by the encryption algorithm or by a third-party software. This process will work as follows: 1. Encryption algorithm E (on Alice's computer) takes the plaintext P and the secret key K. It generates a ciphertext C. C = E(P,K) 2. The ciphertext C will be transferred via the internet from Alice to Bob. 3. Decryption algorithm D (on Bob's computer) takes the ciphertext C and the secret key K (the same key) and regenerates the original plaintext P again. P = D(C,K) a. What are the algorithms employed? For each algorithm, also consider the key sizes and block sizes. • Data Encryption Standard (DES): - It divides plaintext into 64-bit blocks - 56-bit key length - Then executes the algorithm 16 times. • Triple Data Encryption Standard (3DES): - 3DES is designed to replace DES. - It uses three rounds of encryption instead of just one. - It divides plaintext into 64-bit blocks - The ciphertext of one round becomes the entire input for the second iteration. - 3DES employs a total of 48 iterations in its encryption (3 iterations times 16 rounds). - Three different keys (56-bit in length) are used for each round. - Key length is 3 x 56-bit = 168 bits. • Advanced Encryption Standard (AES)5: - AES uses a block length of 128 bits. - The key length can be 128,192, or 256 bits. - A key length of 128 bits is generally the one most commonly used - AES implements the Rijndael cipher as its algorithm. - Then executes the algorithm 10 times. b. What are the advantages and disadvantages using each of these algorithms? - DES: • The DES algorithm itself, has not been broken. • However, the 56-bit key length is no longer considered secure and has been broken several times - 3DES: • Uses the same algorithm as DES • With a Key length of 168 bits, brute-force attacks are effectively impossible • Although 3DES addresses several of the key weaknesses of DES, it is no longer considered the most secure symmetric cryptographic algorithm. Also, 3DES is three times slower than DES. - 3DES: • To date, no attacks have been successful against AES. • Hardware efficiency because encryption/decryption is carried out in parallel on multiple blocks of plaintext or ciphertext • High confidence level amongst business users as it is widely used. • Preprocessing results in significantly increased throughput.

What does the security of symmetric encryption depend on?

1. A strong encryption algorithm. 2. Copies of the secret key must be sent to sender and receiver in a secure fashion, and the key must be stored securely.

What is network security?

1. Any activity designed to protect the usability and integrity of your network and data. 2. It includes both hardware and software technologies. 3. Effective network security manages access to the network. 4. It targets a variety of threats and stops them from entering or spreading on your network.

Apart from the CIA Triad, what are the other essential network and computer security requirements?

1. Authenticity: - This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source. 2. Accountability: - The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. - This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. - Traceability of users and their actions

What are the fundamental security design principles? Explain each principle.

1. Economy of mechanism: The design of security measures embodied in both hardware and software should be as simple and small as possible. The more complex the mechanism, the more likely it is to possess exploitable flaws. Simple mechanisms tend to have fewer exploitable flaws and require less maintenance. 2. Fail-safe defaults: Access decisions should be based on permission rather than exclusion — the default situation is lack of access, and the protection scheme identifies conditions under which access is permitted. 3. Complete mediation: Every access must be checked against the access control mechanism, every time a user accesses a network resource. Systems should not rely on access decisions retrieved from a cache. 4. Open design: The design of a security mechanism should be open rather than secret. For example, although encryption keys must be secret, encryption algorithms should be open to public scrutiny. The algorithms can then be reviewed by many experts, and users can therefore have high confidence in them. 5. Separation of privilege: A practice in which multiple privilege attributes are required to achieve access to a restricted resource 6. Least privilege: Least privilege means that every process and every user of the system should operate using the least set of privileges necessary to perform the task. Unless a permission is granted explicitly, the user or process should not be able to access the protected resource. 7. Least common mechanism: Least common mechanism means that the design should minimize the functions shared by different users, providing mutual security. 8. Psychological acceptability: Psychological acceptability implies that the security mechanisms should not interfere unduly with the work of users, while at the same time meeting the needs of those who authorise access. 9. Isolation: A principle that applies in three contexts: a) public access systems should be isolated from critical resources to prevent disclosure to tampering; b) the processes and files of individual users should be isolated from one another except where it is explicitly desired; c) security mechanisms should be isolated in the sense of preventing access to those mechanisms 10. Encapsulation: Encapsulation can be viewed as a specific form of isolation based on object-oriented functionality. Protection is provided by encapsulating a collection of procedures and data objects in a domain of its own so that the internal structure of a data object is accessible only to the procedures of the protected subsystem, and the procedures may be called only at designated domain entry points. 11. Modularity: Refers both to the development of security functions as separate, protected modules and to the use of a modular architecture for mechanism design and implementation 12. Layering: Refers to the use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems. 13. Least astonishment: A program or user interface should always respond in the way that is least likely to astonish the user.

What are the three applications of public-key cryptosystems? Explain each application.

1. Encryption/decryption: - The sender encrypts a message with the recipient's public key 2. Digital signature: - The sender "signs" a message with its private key 3. Key exchange: - Two sides cooperate to exchange a session key

What are the four general means of authenticating a user's identify? Explain.

1. Something the individual knows • Examples include a password, a personal identification number (PIN), or answers to a prearranged set of questions 2. Something the individual possesses • Examples include cryptographic keys, electronic key cards, smart cards, and physical keys • This type of authenticator is referred to as a token 3. Something the individual is (static biometrics) • Examples include recognition by fingerprint, retina, and face 4. Something the individual does (dynamic biometrics) • Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm

What are the criteria used to validate the randomness of a sequence of numbers?

1. Uniform distribution: The distribution of bits in the sequence should be uniform; that is, the frequency of occurrence of ones and zeros should be approximately the same. 2. Independence: No one subsequence in the sequence can be inferred from the others

What are broadcast storms, and how are they prevented?

A broadcast storm occurs when a network system is overwhelmed by continuous multicast or broadcast traffic. A switching loop causes a broadcast storm as the frames are broadcast, received, and rebroadcast by each switch. Broadcast storms can cripple a network in a matter of seconds to the point that no legitimate traffic can occur. Because the headers that a Layer 2 switch examines do not have a time-to-live (TTL) value, a packet could loop through the network indefinitely. Broadcast storms can be prevented with loop protection, which uses the IEEE 802.1d standard spanning-tree algorithm (STA). STA can determine that a switch has multiple ways to communicate with a host and then determine the best path while blocking out other paths.

What are the advantages of using package filtering firewalls? What kind of attacks can be done against them?

A packet filtering firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet (Figure 11.1b). The firewall is typically configured to filter packets going in both directions (from and to the internal network). Advantages: - simplicity - packet filters typically are transparent to users - very fast. Attacks: - IP address spoofing: The intruder transmits packets from the outside with a source IP address field containing an address of an internal host. The attacker hopes that the use of a spoofed address will allow penetration of systems that employ simple source address security, in which packets from specific trusted internal hosts are accepted. The countermeasure is to discard packets with an inside source address if the packet arrives on an external interface. In fact, this countermeasure is often implemented at the router external to the firewall. - Source routing attacks: The source station specifies the route that a packet should take as it crosses the Internet, in the hopes that this will bypass security measures that do not analyse the source routing information. The countermeasure is to discard all packets that use this option. - Tiny fragment attacks: The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment. This attack is designed to circumvent filtering rules that depend on TCP header information. Typically, a packet filter will make a filtering decision on the first fragment of a packet. All subsequent fragments of that packet are filtered out solely on the basis that they are part of the packet whose first fragment was rejected.The attacker hopes that the filtering firewall examines only the first fragment and that the remaining fragments are passed through. A tiny fragment attack can be defeated by enforcing a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header. If the first fragment is rejected, the filter can remember the packet and discard all subsequent fragments.

What is the difference between reversible and irreversible encipherment? Give some examples of applications of each type of encipherment.

A reversible encipherment mechanism is simply an encryption algorithm that allows data to be encrypted and subsequently decrypted. - Authentication - Used for bulk encryption/decryption of data - Digital Signatures - Key Exchange Irreversible encipherment mechanisms are one way; the corresponding decipherment process cannot feasibly be performed. - include hash algorithms and message authentication codes, which are used in digital signature and message authentication applications.

What is a Virtual Private Network? Does it provide security? How?

A virtual private network (VPN) uses an unsecured public network, such as the Internet, as if it were a secure private network. - encrypts all data that is transmitted between the remote device and the network and not just specific documents or files. -This ensures that any transmissions that are intercepted will be indecipherable. Security: VPN uses encryption to provide data confidentiality. VPN can also provide a data integrity check. This is typically performed using a message digest to ensure that the data has not been tampered with during transmission.

For Network Access Control (NAC), list the requirements that need to be assessed prior to the requesters receiving permission to access the network.

Access requester (AR) Network Access Server (NAS) a) The first step is generally to authenticate the AR. b) the policy server determines what access privileges, if any, the AR may have. c) the policy server or a supporting server will perform checks on the AR to determine if it should be permitted interactive remote access connectivity. d) These checks—sometimes called health, suitability, screening, or assessment checks—require software on the user's system to verify compliance with certain requirements from the organisation's secure configuration baseline. e) Based on the results of these checks, the organisation can determine whether the remote computer should be permitted to use interactive remote access. f) If the user has acceptable authorization credentials but the remote computer does not pass the health check, the user and remote computer should be denied network access or have limited access to a quarantine network so that authorised personnel can fix the security deficiencies. g) Once an AR has been authenticated and cleared for a certain level of access to the enterprise network, the NAS can enable the AR to interact with resources in the enterprise network. The NAS may mediate every exchange to enforce a security policy for this AR, or may use other methods to limit the privileges of the AR.

What is an attack tree and what is it used for?

An attack tree is a branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities. The motivation for the use of attack trees is to effectively exploit the information available on attack patterns. Security analysts can use the attack tree to document security attacks in a structured form that reveals key vulnerabilities. The attack tree can guide both the design of systems and applications, and the choice and strength of countermeasures.

What is the difference between a block and a stream cipher?

An important distinction in symmetric cryptographic algorithms is the amount of data that is processed at a time. Block ciphers: - most commonly used symmetric encryption algorithms are block ciphers - process the plaintext input in fixed-sized blocks, and outputs a block of ciphertext of the same size for each plaintext block - Advantages: • High diffusion: information from one plaintext symbol is diffused into several c ciphertext symbols. • Immunity to tampering: difficult to insert symbols without detection. Disadvantages: • Slowness of encryption: an entire block must be accumulated before encryption / decryption can begin. • Error propagation: An error in one symbol may corrupt the entire block. Stream cipher: - A stream cipher takes one character and replaces it with one character Advantages: • Speed of transformation: algorithms are linear in time and constant in space. • Low error propagation: an error in encrypting one symbol likely will not affect subsequent symbols. Disadvantages: • Low diffusion: all information of a plaintext symbol is contained in a single ciphertext symbol. • Susceptibility to insertions/ modifications: an active interceptor who breaks the algorithm might insert spurious text that looks authentic.

What is the relationship between attack surface and layering? a. What are the 3 categories of attack surface? Explain.

Attack surface: The AS is the aggregate of all vulnerabilities and controls across all systems and networks. It is the collection of targets exposed to an attacker. Layering: Refers to the use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems. The use of layering, or defense in depth, and attack surface reduction complement each other in mitigating security risk. Example: If attack surface is large and layering is shallow --> high security risk Conversely, if attack surface is small and layering is deep --> low security risk 1. Network attack surface: This category refers to vulnerabilities over an enterprise network, wide-area network, or the Internet. Included in this category are network protocol vulnerabilities, such as those used for a denial-of-service attack, disruption of communications links, and various forms of intruder attacks. 2. Software attack surface: This refers to vulnerabilities in application, utility, or operating system code. A particular focus in this category is Web server software. 3. Human attack surface: This category refers to vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders.

Explain privileges escalation.

Exploiting software vulnerability to gain access to restricted data. Two (2) types of privilege escalation exist: 1. Vertical privilege escalation - User with lower privilege uses privilege escalation to grant self access functions reserved for higher-privilege users 2. Horizontal privilege escalation - User with restricted privileges accesses the different restricted functions of a similar user

What is the importance of IEEE 802.1x?

IEEE 802.1x standard: - Port-based network access control - provides the highest degree of port security by implementing port-based authentication. - This protocol authenticates users on a per-switch port basis by permitting access to valid users but effectively disabling the port if authentication fails. - This prevents an unauthenticated device from receiving any network traffic until its identity can be verified. - It also strictly limits access to the device that provides the authentication to prevent attackers from reaching it.

Explain the following terminology a. True positive b. False positive c. True negative d. False negative

In terms of the accuracy of an Intrusion Detection System, there are four possible states for each activity observed: a. True positive: A true positive is a successful identification of an attack. b. False positive: A false positive state is when the IDS identifies an activity as an attack but the activity is acceptable behaviour. A false positive is a false alarm. c. True negative: The IDS identifies an activity as acceptable behaviour and the activity is actually acceptable. A true negative is successfully ignoring acceptable behaviour. d. False negative: This is when the IDS identifies an activity as acceptable when the activity is actually an attack. That is, a false negative is when the IDS fails to catch an attack. A false negative state is the most serious and dangerous state since the security professional has no idea that an attack took place.

What is IP security (IPsec)? And what are the benefits of IPsec? What are the IPsec services?

Internet Protocol Security (IPSec) is a framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks, through the use of cryptographic security services. ◆ IPsec provides the capability to secure communications across a LAN, private and public WANs, and the Internet ◆ Principal feature of IPsec is that it can encrypt and/or authenticate all traffic at the IP level ◆ Thus all distributed applications (remote logon, client/server, e-mail, file transfer, Web access) can be secured ◆ IP security (IPsec) is a capability that can be added to either current version of the Internet Protocol (IPv4 or IPv6) by means of additional headers. ◆ Authentication makes use of the HMAC message authentication code. Authentication can be applied to the entire original IP packet (tunnel mode) or to all of the packet except for the IP header (transport mode). ◆ Confidentiality is provided by an encryption format known as encapsulating security payload (ESP). ◆ ESP is used to encrypt the Payload Data, Padding, Pad Length, and Next Header fields Both tunnel and transport modes can be accommodated. ◆ Internet Key Exchange (IKE) defines a number of techniques for key management. Benefits of IPsec: • IPsec is below the transport layer (TCP, UDP) and so is transparent to applications. ◆ There is no need to change software on a user or server system when IPsec is implemented in the firewall or router. • When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter ◆ Traffic within a company or work group does not incur the overhead of security- related processing • IPsec in a firewall is resistant to bypass if all traffic from the outside must use IP and the firewall is the only means of entrance from the Internet into the organisation • IPsec can be transparent to end users: ◆ There is no need to train users on security mechanisms, issue keying material on a per-user basis, or revoke keying material when users leave the organisation • IPsec can provide security for individual users if needed ◆ This is useful for offsite workers and for setting up a secure virtual subnetwork within an organisation for sensitive applications • IPsec includes a filtering capability so that only selected traffic need incur the overhead of IPsec processing. RFC 4301 lists the following services: • Access control • Connectionless integrity • Data origin authentication • Rejection of replayed packets (a form of partial sequence integrity) • Confidentiality (encryption) • Limited traffic flow confidentiality

Explain a. Threshold detection b. Profile-based detection c. Rule-based detection d. Statistical anomaly detection

Intrusion detection is based on the assumption that the behaviour of the intruder differs from that of a legitimate user in ways that can be quantified. Statistical anomaly detection: a. Threshold detection: - This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events. b. Profile-based detection: - A profile of the activity of each user is developed and used to detect changes in the behaviour of individual accounts. c. Rule-based detection: - Involves an attempt to define a set of rules that can be used to decide that a given behaviour is that of an intruder. d. Statistical anomaly detection: - Involves the collection of data relating to the behaviour of legitimate users over a period of time. Then statistical tests are applied to observed behaviour to determine with a high level of confidence whether that behaviour is not legitimate user behaviour.

In key distribution, what is the relationship between permanent keys and session keys?

KEY DISTRIBUTION FOR SYMMETRIC KEY CRYPTOGRAPHY If sender and receiver each has an encrypted connection to a third party (Key Distribution Centre), then the third party can deliver a key on the encrypted links to sender and receiver. The KDC determines which systems are allowed to communicate with each other. When permission is granted for two systems to establish a connection, the key distribution centre provides a one-time session key for that connection. Session key: • When two end systems (hosts, terminals, etc.) wish to communicate, they establish a logical connection (e.g., virtual circuit). For the duration of that logical connection, called a session, all user data are encrypted with a one-time session key. • At the conclusion of the session the session key is destroyed. Permanent key: • A permanent key is a key used between entities for the purpose of distributing session keys.

In wireless networking environment, what are the three components that provide a point of attack? Explain.

The three components that provide point of attack: 1. Endpoint (wireless client e.g. mobile phone, Bluetooth, wireless sensor etc.) 2. Wireless medium - RF transmission, radio waves transfer the data 3. Access Point (e.g. Wi-Fi router, mobile hotspot or a wired access point) Wireless networking environment presents a larger attack surface than a wired network; in a wired network, the attack surface is limited by device ports.

Explain a. Wired Equivalent Privacy (WEP) b. Wi-Fi Protected Access (WPA) c. Robust Security Network (RSN)

Most wireless access points come with the ability to enable one of three wireless encryption standards: Wired Equivalent Privacy (WEP) Wi-Fi Protected Access (WPA) WPA2 a) Wired Equivalent Privacy (WEP): • the first security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11b • designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN. • WEP uses the RC4 stream cipher for authentication and encryption • 64- bit or 128-bit keys • Contained major weaknesses: - 24-bit Initialisation Vector (IV) - weak authentication b) Wi-Fi Protected Access (WPA): • An interim standard that eliminates most 802.11 security issues • Based on the current state of the 802.11i standard • Backwards compatible with WEP • Retains RC4 stream cipher, but adds longer IVs and 256-bit keys • Two modes personal and enterprise • The most recent version of WPA, known as WPA2, incorporates all of the features of the IEEE 802.11i WLAN security specification. c) Robust Security Network (RSN): • The final form of the 802.11i standard • The RSN specification is quite complex

What is the relationship between procedure rules and technical rules?

Network security administration follows a rule-based management approach: - Procedural rules may be defined as the authoritative and prescribed direction for conduct. For information security, procedural rules can be external to the organisation (such as the Privacy Law Act) or internal (such as corporate policies and procedures). - The procedural rules in turn, dictate technical rules. Technical rules may involve configuring a firewall or proxy server to conform to the procedural rules.

What does network security mean?

Network security measures are needed to protect data during their transmission over distributed systems and networks.

What is a server-side attack? List server-side attacks and explain.

On the Internet, a web server provides services that are implemented as web applications. That is, the content provided for users who are "surfing the Web" is generated by a software application running on a server. An important characteristic of server-side web applications is that they create dynamic content based on inputs from the user. For example, a web page might ask a user to enter her post code in order to receive the latest weather forecast for that area. Thus the dynamic operations of a web application depend heavily upon inputs provided by users. Many server-side web application attacks target the input that the application accepts from users Common web application attacks: - Cross-site scripting (XSS): Injects scripts into web application server to direct attacks at unsuspecting clients. An XSS attack requires a website that meets two criteria: a) it accepts user input without validating it, and b) it uses that input in a response. Many web applications are designed to customise content for user by taking what user enters and then displaying that input back to user. Cross-site scripting attacks occur when an attacker takes advantage of web applications that accept user input without validation and then present back to user. Some hackers, for example, may maliciously inject code within vulnerable web applications to trick users and redirect them towards phishing sites. This technique is called Cross-Site Scripting and may be used even though the web servers and database engine contain no vulnerability themselves. - SQL injection: Targets SQL servers by introducing malicious commands. Most web pages that require users to log in by entering a user name and password, typically offer a solution for the user who has forgotten their password by providing an online form. - XML injection: Similar to SQL injection attack. Attacker discovers Web site that does not filter user data. Injects XML tags and data into the database. A specific type of XML injection is Xpath injection, which attempts to exploit XML Path Language queries - Command injection/directory traversal: Web server users typically restricted to root directory. Users may be able to access sub-directories but not parallel or higher level directories. Helps to protect sensitive files. Directory traversal - Uses malformed input or takes advantage of a vulnerability to move from root directory to restricted directories. Command injection - Attacker enters commands to execute on server or view confidential files.

What is the difference between proactive and reactive password checkers?

Reactive password checking: - The system periodically runs its own password cracker to find guessable passwords. - The system cancels passwords that are guessed and notifies user. Proactive password checking: - The system checks at the time of selection if the password is allowable. - With guidance from the system, users can select memorable passwords that are difficult to guess.

What is the difference between symmetric and asymmetric encryption in the term of keys used? What are the keys for each encryption type?

Symmetric encryption: - uses a single symmetric key for both encryption and decryption - the secret key needs to be shared among the people who need to receive the message - the key can be a number, a word, or just a string of random letters - 3DES and AES use key lengths varying between 128 and 256 bits Asymmetrical encryption: - use two different but mathematically related keys for encryption and decryption - uses a key pair (public key and a private key) to encrypt and decrypt messages when communicating. - the key pairs involve only Prime numbers and the modulus - RSA uses a key length between 1,024 and 4,096 bits

What are the two types of IPsec key management? Explain.

The IPsec Architecture document mandates support for two types of key management: 1. Manual • A system administrator manually configures each system with its own keys and with the keys of other communicating systems • This is practical for small, relatively static environments 2. Automated • Enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration

What are the authentication methods that can be used with Internet Key Exchange (IKE) key determination?

The key management portion of IPsec involves the determination and distribution of secret keys. Authentication methods used with IKE: • Digital Signatures • Public Key Encryption • Pre-Shared Key

What is a client-side attack? List client-side attacks and explain.

Web application attacks are server-side attacks. However, client-side attacks target vulnerabilities in client applications: - Interacting with a compromised server - Client initiates connection with server, which could result in an attack Client-side attacks are not limited to the Web; they can occur on any client/server pair: → email → File Transfer Protocol (FTP) → instant messaging (IM) → multimedia streaming. Serious threat is the Drive-by download: → Client computer compromised simply by viewing a Web page → Attackers inject content into vulnerable web server to gain access to server's operating system → Attackers craft a zero-pixel IFrame (inline frame) to avoid visual detection → Embed an HTML document inside main document → Client's browser downloads malicious script (Java script) → Instructs computer to download malware Common client-side attacks include: - Header manipulation →Attack modifies HTTP headers →HTTP header manipulation is not an actual attack but rather the vehicle through which other attacks like (XSS) can be launched →HTTP header manipulation allows an attacker to pass malicious instructions from own malicious website or through an infected site to the web browser via HTTP headers Examples of HTTP header attacks: Referrer - Can bypass security by modifying referrer field to hide fact came from another site Accept-Language - Because some web applications pass contents of field directly to database, attacker can inject SQL command by modifying header Response splitting - Inserting a CRLF in an HTTP header can give attackers control of the remaining HTTP headers and body of the response - Cookies: → Cookies have security and privacy risks → First-party cookies can be stolen and used to impersonate the user → Third-party cookies can be used to track the browsing or buying habits of a user → When multiple websites are serviced by a single marketing organisation, cookies can be used to track browsing habits on all client's site - Attachments: → Malicious attachments commonly used to spread viruses, Trojans, and other malware when opened → Many users routinely open any email attachment received even if from an unknown sender → Attackers often include information in the subject line that entices even reluctant users to open the attachment, such as a current event - Session hijacking: → Attacker attempts to impersonate the user by using their session token → Attacker can attempt to obtain session token: Use XSS or other attacks to steal the session token cookie from the victim's computer Eavesdropping on the transmission Guessing the session token (successful if generation of session tokens not truly random) - Malicious add-ons: → Attackers can create malicious add-ons to launch attacks against a user's computer (e.g. using Microsoft's ActiveX)

Explain: a. Non-traditional networks b. Ad hoc networks c. Accidental association d. Malicious association

a) Non-traditional networks: • Personal network Bluetooth devices, barcode readers, and handheld PDAs pose a security risk in terms of both eavesdropping and spoofing b) Ad hoc networks: • These are peer-to-peer networks between wireless computers with no access point between them • Such networks can pose a security threat due to a lack of a central point of control c) Accidental association: • Company wireless LANs in close proximity may create overlapping transmission ranges (finance dept overlaps with sales dept. within a company) • A user intending to connect to one LAN may unintentionally lock on to a wireless access point from a neighbouring network d) Malicious association: • In this situation, a wireless device is configured to appear to be a legitimate access point, enabling the operator to steal passwords from legitimate users and then penetrate a wired network through a legitimate wireless access point

Network Attacks against Availability

◆ DoS (Denial of Service attacks) ◆ DDoS (Distributed Denial of Service attacks ◆ SYN flood attacks and ICMP flood attacks ◆ Electrical power attacks ◆ Server Room Environment attacks

Explain the role of the following: a. Cloud broker b. Cloud carrier c. Cloud auditor d. Cloud consumer

a. Cloud broker: • Useful when cloud services are too complex for a cloud consumer to easily manage. • Three areas of support can be offered by a cloud broker: • Service intermediation • Value-added services such as identity management, performance reporting, and enhanced security • Service aggregation The broker combines multiple cloud services to meet consumer needs not specifically addressed by a single CP, or to optimize performance or minimize cost • Service arbitrage A broker has the flexibility to choose services from multiple agencies b. Cloud carrier: • A networking facility that provides connectivity and transport of cloud services between cloud consumers and CPs c. Cloud auditor: • An independent entity that can assure that the CP conforms to a set of standards d. Cloud consumer: • A cloud consumer is an organisation (or an individual) that has a formal contract or arrangement with a CP to use IT resources made available by the CP.

Explain the following terms and what kind of attacks each of them involve: a. Data Confidentiality b. Data Integrity c. Non-repudiation

a. Data Confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorised individuals. - Packet Capturing (Packet Sniffing): Packet Capturing (Packet Sniffing) is a type of network attack where the attacker capture the data packets (typically Ethernet frames) in travel. Once the data is captured, the attacker can read the sensitive data like passwords or card numbers, if the network traffic is not encrypted. - Phishing: Phishing is an attempt to hack sensitive information (usually financial information like bank userid/password credit card details etc), by sending unsolicited emails with fake URLs. - Pharming: Pharming is another network attack aimed at redirecting the traffic of one website to another website. - Social Engineering: Social Engineering is type of attack in which someone with very good interactive skills manipulates others into revealing information about network that can be used to steal data. - Password Attacks: Password based attacks are used to hack the passwords of users of a target computer to gain access. Two types of password attacks are dictionary based attack (where an attacker tries each of the words in a dictionary or commonly used passwords to hack the user password) and brute force attack (where an attacker tries every single possible password combinations using Brute Force hacking tools to hack the user password). b. Data Integrity: Integrity assures that information is correct and has not been modified or destroyed by unauthorised players or by malware (malicious software). - Man-in-the-middle attacks: A man-in-the-middle attack is a type of network attack where the attacker sits between two devices that are communicating to manipulate the data as it moves between them. - Session hijacking attacks: Session hijacking is another type of network attack where the attacker hacks a computer session to gain unauthorized access to information or services in a computer system c. Non-repudiation: Non-repudiation is the process of proving that a user performed an action, such as sending an email message. Non-repudiation prevents an individual from fraudulently "reneging" on an action. - Phishing or man-in-the-middle (MITM) attacks

Explain the following protocols: a. Handshake protocol b. Change Cipher Spec protocol c. Alert protocol d. Heartbeat protocol

a. Handshake protocol: - Phase 1. ESTABLISH SECURITY CAPABILITIES: Establish security capabilities, including protocol version, session ID, cipher suite, compression method, and initial random numbers. client_hello ----> The browser, representing the client computer, sends a client_hello message to the Web server, containing information about: • what level of security the browser is capable of accepting • what type of encryption the browser can decipher • it establishes a randomly generated number that uniquely identifies the client • and another number that identifies the TLS session <---- server_hello The server responds with a server_hello message that confirms the information received from the browser and agrees to encryption based on options supplied by the browser. - Phase 2 SERVER AUTHENTICATION AND KEY EXCHANGE: Server may send certificate, key exchange, and request certificate (optional). Server signals end of hello message phase. <---- certificate <---- server_key_exchange <---- certificate_request <---- server_hello_done - Phase 3 CLIENT AUTHENTICATION AND KEY EXCHANGE: Client sends certificate if requested. Client sends key exchange. Client may send certificate verification. certificate ----> client_key_exchange ----> certificate_verify ----> - Phase 4 FINISH: This phase completes the setting up of a secure connection Change cipher suite and finish handshake protocol. change_cipher_spec ----> finished ----> <---- change_cipher_spec <---- finished b. Change Cipher Spec protocol: • one of the three SSL-specific protocols that use the SSL Record Protocol • it is the simplest. • This protocol consists of a single message which consists of a single byte with the value 1. • The sole purpose of this message is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection. c. Alert protocol: • The Alert Protocol is used to convey SSL- related alerts to the peer entity. • As with other applications that use SSL, alert messages are compressed and encrypted, as specified by the current state. • Each message in this protocol consists of two bytes: • The first byte takes the value warning (1) or fatal (2) to convey the severity of the message. If the level is fatal, SSL immediately terminates the connection. • The second byte contains a code that indicates the specific alert. d. Heartbeat protocol: • In the context of computer networks, a heartbeat is a periodic signal generated by hardware or software to indicate normal operation or to synchronize other parts of a system. • A heartbeat protocol is typically used to monitor the availability of a protocol entity. • Both peers must agree on the protocol • The heartbeat protocol runs on top of the TLS Record Protocol Consists of two message types: - heartbeat_request - heartbeat_response The heartbeat serves two purposes: • It assures the sender that the recipient is still alive, even though there may not have been any activity over the underlying TCP connection • It generates activity across the connection during idle periods, which avoids closure by a firewall that does not tolerate idle connections

Explain the roles of the following devices (what are the advantages of using them): a. Load balancer b. Proxy server c. Distribution firewall

a. Load balancer: - Load balancing is a technology that can help to evenly distribute work across a network. - Requests that are received can be allocated across multiple devices such as servers. - To the user, this distribution is transparent and appears as if a single server is providing the resources. - Load balancing can be performed either through software running on a computer or as a dedicated hardware device known as a load balancer. - Load-balancing technology provides these advantages: 1. The probability of overloading a single server is reduced. 2. Each networked computer can benefit from having optimized bandwidth. 3. Network downtime can be reduced. b. Proxy server: - A proxy server is a computer or an application program that intercepts user requests from the internal secure network and then processes that request on behalf of the user. Advantages: 1. Increased speed. Because proxy servers can cache material, a request can be served from the cache instead of retrieving the web page through the Internet. 2. Reduced costs. A proxy server can reduce the amount of bandwidth usage because of the cache. 3. Improved management - technical rules. A proxy server can block specific webpages and/or entire websites. Some proxy servers can block entire categories of websites such as entertainment, pornography, or gaming sites. c. Distribution firewall: - A distributed firewall configuration involves stand-alone firewall devices plus host-based firewalls working together under a central administrative control. - A multitude of host-resident firewalls when centrally configured and managed makes up a distributed firewall - Act like personal firewalls except they offer several important advantages like central management, logging, and in some cases, access-control granularity. - These features are necessary to implement corporate security policies in larger enterprises. Policies can be defined and pushed out on an enterprise-wide basis. Advantages: - host-resident firewalls filter traffic from both the Internet and the internal network. - prevents hacking attacks that originate from both the Internet and the internal network. - important because the most costly and destructive attacks still originate from within the organisation. - centralised management of security monitoring

Explain the Counter Mode (CTR) of the block cipher operation.

• A counter equal to the plaintext block size is used. • The counter is a random value that acts like a salt • In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" data, a password or pass-phrase. • Salts are closely related to the concept of nonce. • The counter value must be different for each plaintext block that is encrypted. • Typically, the counter is initialized to some value and then incremented by 1 for each subsequent block (modulo 2^b, where b is the block size). • For encryption, the counter is encrypted and then XORed with the plaintext block to produce the ciphertext block; there is no chaining. • For decryption, the same sequence of counter values is used, with each encrypted counter XORed with a ciphertext block to recover the corresponding plaintext block. • Processing is done in parallel and is therefore very fast.

What is the relationship between Transport Layer Security (TLS) and Transmission Control Protocol (TCP)?

• A relatively general-purpose solution to provide Web security is to implement security just above TCP in the TCP/IP Protocol Stack • TLS is an Internet standard that evolved from a commercial protocol known as Secure Sockets Layer (SSL) • TLS is a general purpose service implemented as a set of protocols that rely on TCP • Transport Layer Security (TLS) is a cryptographic transport algorithm used to encrypt TCP/IP transmissions (web pages and data entered into web forms) en route between the client and server using public key encryption.

With Kerberos Version 5, explain how replay attacks are discouraged (i.e. by using ......, explain).

• A replay attack occurs when an intruder steals a packet from the network and forwards that packet to a service or application as if the intruder was the user who originally sent the packet. • When the packet is an authentication packet, the intruder can use the replay attack to authenticate on another person's behalf and consequently access that person's resources or data. In cryptography, a nonce is an arbitrary number that can be used just once • by using a Nonce: A random value to be repeated in message (2) to assure that the response is fresh and has not been replayed by an opponent. • includes the use of a scheme involving time stamps to severely limit the effectiveness of replay attacks. • Messages which are past the "time to live (TTL)" are considered old and are discarded.

Explain how public and private keys of Certificate Authority's (CA) are used with public key certificate.

• A subscriber requesting a digital certificate first generates the public and private keys. • Next she generates a Certificate Signing Request (CSR), which is a specially formatted encrypted message that validates the information the CA requires to issue a digital certificate. • Once the CA receives and verifies the CSR, it inserts the public key into the certificate. • Finally, these certificates are digitally signed with the private key of the issuing CA.

What is Network Access Control (NAC)? And what are its tasks?

• An umbrella term for managing access to a network: •Two elements: 1. Authenticates users logging into the network 2. determines what data they can access a and actions they can perform • Also examines the health of the user's computer or mobile device •Access control can be a policy, a software, or a hardware device which is used to allow or deny access to a resource. • Access control can be by using devices like biometric device, switches, routers, Remote Access Service (RAS), virtual private networks (VPNs), etc.

What is the Extensible Authentication Protocol (EAP)? What does it mean by "extensible"?

• EAP is a protocol that provides a generic transport service for the exchange of authentication information between a client system and an authentication server • The basic EAP transport service is extended by using a specific authentication protocol that is installed in both the EAP client and the authentication server Commonly supported EAP methods: • EAP Transport Layer Security (uses handshake protocol & digital certificate) • EAP Tunneled TLS • EAP Generalized Pre-Shared Key • EAP-IKEv2 (Internet Key Exchange v. 2)

What are the threats to a DHCP server?

• If an attacker breaches network security and gains control of your DHCP servers, then the attacker might proceed to modify the DHCP server to assign clients an incorrect subnet setting --> DoS attack • Or they might modify the server to assign clients incorrect DNS settings and redirect clients to rogue or hijacked DNS servers, which could then redirect clients to hostile websites where they unknowingly download a trojan --> . • Or they could modify the server to assign the address of the attacker's own machine as default gateway, which results in outbound client traffic being redirected to the attacker's machine which captures and reads the traffic and forwards it to the real default gateway. The result is exposure of sensitive business information without users even being aware of what's happening.

Explain Secure Hash Function (SHA).

• Secure Hash Algorithms are a family of cryptographic hash functions published by the National Institute of Standards and Technology (NIST). • This standard specifies hash algorithms that can be used to generate digests of messages. • The digests are used to detect whether messages have been changed since the digests were generated. • Based on the hash function MD4 and its design closely models MD4 • Produces 160-bit hash values • In 2005 NIST announced the intention to phase out approval of SHA-1 and move to a reliance on SHA-2 by 2010 • SHA-512 is very secure • The algorithm takes as input a message with a maximum length of less than 2^128 bits and produces as output a 512-bit message digest. The input is processed in 1024-bit blocks.

What are the basic cloud service models? Explain.

• Software as a Service (SaaS): - In this model the cloud provider (CP) provides access to the vendor's software applications running on a cloud infrastructure. - These applications, which can be accessed through a web browser, do not require any installation, configuration, upgrading, or management from the user. • Platform as a Service (PaaS): - Unlike SaaS in which the application software belonging to the CP is used, in PaaS consumers can install and run their own specialised applications on the cloud computing network. - Although customers have control over the deployed applications, they do not manage or configure any of the underlying cloud infrastructure (network, servers, operating systems, storage, etc.). • Infrastructure as a Service (IaaS): - In this model, the customer has the highest level of control. The CP allows customers to deploy and run their own software, including operating systems and applications. - Consumers have some control over the operating systems, storage, and their installed applications, but do not manage or control the underlying cloud infrastructure. - the CP acquires the physical computing resources underlying the service, including the servers, networks, storage, and hosting infrastructure. - The IaaS cloud consumer in turn uses these computing resources, such as a virtual computer, for their fundamental computing needs. • For each of the three service models (SaaS, PaaS, IaaS), the CP provides the storage and processing facilities needed to support that service model, together with a cloud interface for cloud service consumers.

What is a public key certificate? And how is it created?

• a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. • a public key certificate consists of a public key plus a user ID of the key owner, with the whole block signed by a trusted third party. • Certificate Authority (CA) serves as the trusted third-party agency that is responsible for issuing the digital certificates.

Explain a. DES b. 3DES c. AES

◆ An important distinction in symmetric cryptographic algorithms is the amount of data that is processed at a time. ◆ Block ciphers process an entire block of plaintext at one time. ◆ Three of the common block ciphers used for symmetric encryption are: ◆ Data Encryption Standard: • It divides plaintext into 64-bit blocks • Then executes the algorithm 16 times. • The structure of the algorithm is a minor variation of the Feistel cipher. • 56-bit key length is no longer considered secure and has been broken several times. • It is not recommended for use, except for legacy systems. ◆ Triple Data Encryption Standard (3DES): • 3DES is designed to replace DES. • It uses three rounds of encryption instead of just one. • The ciphertext of one round becomes the entire input for the second iteration. • 3DES employs a total of 48 iterations in its encryption (3 iterations times 16 rounds). • Three different keys (56-bit in length) are used for each round. • Key length is 3 x 56-bit = 168 bits. • Although 3DES addresses several of the key weaknesses of DES, it is no longer considered the most secure symmetric cryptographic algorithm. • Also, 3DES is three times slower than DES. ◆ Advanced Encryption Standard (AES)5: • AES uses a block length of 128 bits. • The key length can be 128,192, or 256 bits. • A key length of 128 bits is generally the one most commonly used. • AES implements the Rijndael cipher as its algorithm. • Then executes the algorithm 10 times.

Explain Session Hijacking.

◆ Client-Side Application Attack ◆ Attacker attempts to impersonate the user by using their session token ◆ Attacker can attempt to obtain session token: • Use XSS or other attacks to steal the session token cookie from the victim's computer • Eavesdropping on the transmission • Guessing the session token (successful if generation of session tokens not truly random)

How does the IPsec deal with replay attack prevention?

◆ IPSec provides anti-replay protection against an attacker who duplicates encrypted packets with the assignment of a monotonically increasing sequence number to each encrypted packet. ◆ The receiving IPSec endpoint keeps track of which packets it has already processed on the basis of these numbers with the use of a fixed size sliding window of all acceptable sequence numbers. ◆ The default window size is 64 packets. ◆ Here are the steps to process incoming IPSec traffic on the receiving tunnel endpoint with anti-replay enabled: • When a packet is received, if the sequence number falls within the window and was not previously received, the packet is accepted, and marked as received before it is sent to integrity verification. • If the sequence number falls within the window and was previously received, the packet is dropped, and the replay counter is incremented. • If the sequence number is greater than the highest sequence number in the window, the packet is accepted, and marked as received. The sliding window is then moved to the right. • If the sequence number is less than the lowest sequence in the window, the packet is dropped, and the replay counter is incremented.

What are the three functional areas of IP-level security?

◆ IPsec encompasses three functional areas: • authentication • confidentiality • key management

Cryptographic Transport Protocols

◆ In addition to protecting data in-use and data at-rest, cryptography is most often used to protect data in-transit across a network. ◆ The most common cryptographic transport protocols include: • Secure Sockets Layer (SSL) is a computer networking protocol for securing connections between network application clients and servers over an insecure network, such as the internet. • Due to numerous protocol and implementation flaws and vulnerabilities, SSL was deprecated for use on the internet by the Internet Engineering Task Force (IETF) in 2015 and has been replaced by the Transport Layer Security (TLS) protocol. • While TLS and SSL are not interoperable, TLS is backwards-compatible with SSL 3.0. • Transport Layer Security (TLS) is a protocol that provides privacy and data integrity between two communicating applications. • It's the most widely deployed security protocol used today, and is used for Web browsers and other applications that require data to be securely exchanged over a network, such as file transfers, VPN connections, instant messaging and voice over IP. • Secure Shell (SSH), also known as Secure Socket Shell, is a network protocol that provides administrators with a secure way to access a remote computer. • Hypertext Transport Protocol Secure (HTTPS) (HTTP over SSL or HTTP Secure) is the use of Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. • HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server. • The use of HTTPS protects against eavesdropping and man-in-the-middle attacks. HTTPS was developed by Netscape. • IP security (IPsec) defines the architecture for security services for IP network traffic. • IPsec describes the framework for providing security at the IP layer, as well as the suite of protocols designed to provide that security, through authentication and encryption of IP network packets. • Also included in IPsec are protocols that define the cryptographic algorithms used to encrypt, decrypt and authenticate packets, as well as the protocols needed for secure key exchange and key management.

Explain Demilitarised Zone (DMZ).

◆ In computer networks, a DMZ (demilitarized zone) is a physical or logical sub-network that separates an internal local area network (LAN) from other untrusted networks, usually the Internet. ◆ The DMZ functions as a separate network that rests outside the secure network perimeter: untrusted outside users can access the DMZ but cannot enter the secure network. ◆ External-facing servers, resources and services are located in the DMZ so they are accessible from the Internet but the rest of the internal LAN remains unreachable. ◆ This provides an additional layer of security to the LAN as it restricts the ability of hackers to directly access internal servers and data via the Internet. ◆ Any service that is being provided to users on the Internet should be placed in the DMZ. ◆ The most common of these services are: Web, Mail, DNS, FTP, and VoIP. ◆ The most secure approach is to use two firewalls to create a DMZ. ◆ The first firewall also called the perimeter firewall is configured to allow traffic destined to the DMZ only. ◆ The second or internal firewall only allows traffic from the DMZ to the internal network. ◆ This is considered more secure since two devices would need to be compromised before an attacker could access the internal LAN. ◆ As a DMZ segments a network, security controls can be tuned specifically for each segment. ◆ For example a network intrusion detection and prevention system located in a DMZ that only contains as Web server can block all traffic except HTTP and HTTPS requests on ports 80 and 443.

Network Attacks against Confidentiality

◆ Packet Capturing (Packet Sniffing) ◆ Password Attacks ◆ Port Scanning and Ping Sweeps ◆ Dumpster Diving ◆ Wiretapping ◆ Keylogger ◆ Phishing and Pharming ◆ Social Engineering

What is the Secure Shell (SSH)? Explain SSH user Authentication Protocol, SSH Connection Protocol, and SSH Transport Layer Protocol.

◆ SSH, also known as Secure Socket Shell, is a network protocol that provides administrators with a secure way to access a remote computer. ◆ Secure Shell (SSH) provides secure remote logon and other secure client/server facilities. ◆ SSH also provides a more general client/server capability and can be used for such network functions as file transfer and e-mail ◆ SSH also refers to the suite of utilities that implement the protocol. ◆ Secure Shell provides strong authentication and secure encrypted data communications between two computers connecting over an insecure network such as the Internet. ◆ SSH is widely used by network administrators for managing systems and applications remotely, allowing them to log in to another computer over a network, execute commands and move files from one computer to another. ◆ Secure Shell (SSH) provides secure remote logon and other secure client/server facilities. ◆

Network Attacks against Integrity

◆ Salami attacks ◆ Data diddling attacks ◆ Trust relationship attacks ◆ Man-in-the-middle attacks ◆ Session hijacking attacks