Networking - Chapter 3


facial recognition

A biometric technology that looks for unique measurements in an individual's face.

access control list (ACL)

A clearly defined list of permissions attached to an object that specifies what actions an authenticated user may perform on a shared resource.

identity theft

A crime that involves thieves collecting enough data about a victim to pretend to be another person in order to steal money or obtain benefits

fingerprint recognition

A technique for authenticating computer users by scanning their fingerprints. Inexpensive but imprecise and fairly easy to deceive, so it is sufficient only for low-risk uses.

Distributed Denial of Service (DDoS)

An attack that uses multiple zombie computers - bots - (even hundreds or thousands) in a botnet to flood a device with requests.

zero day attack

Attack between the time a software vulnerability is discovered and a patch to fix the problem is released.

Threat Environment

Attacks and attackers that companies face

digital certificate authentication

Authentication in which each party has a secret private key and a matching public key. The supplicant encrypts (signs) a challenge with its private key; the verifier decrypts it with the true party's public key, obtained from the true party's digital certificate.

List the criminal groups beside the attackers that were involved in the overall process

Crimeware shops, online card shops, counterfeiters

How do viruses and worms differ?

Viruses attach themselves to programs on your computer, whereas worms are their own program and they spread by themselves through vulnerabilities in other computers.

Antivirus programs check for:

Viruses, worms, trojan horses and other forms of malware

For what application is SSL/TLS mostly used

Web applications because SSL/TLS is built into every webserver and browser today, so protection can be added at a negligible cost

cryptographic system

a bundle of protections that work automatically, including initial authentication, message by message protection for authentication, integrity, and confidentiality

In digital certificate authentication, the verifier sends this to a supplicant claiming to be the true party:

a challenge message

vulnerability

a flaw in a program that permits a specific attack or set of attacks against this program to succeed

personal identification number (PIN)

a form of authentication whereby the user supplies a number (4-6 digits) that only he or she knows

malware

a general term for evil, malicious software, such as spyware, computer viruses, and worms

script

a group of commands written in a simplified programming language, usually JavaScript. Executes when a webpage loads or the user takes a particular action.

password dictionaries typically have three types of entries

a list of common passwords, the words in standard dictionaries, and hybrid versions of these words (with capitalization or special characters added)

SPI firewalls only make a decision whether or not to pass:

an individual packet when that packet is not a connection-opening attempt. Only for connection-opening attempts does the firewall have to make a decision about the entire connection.

firewall

a part of a computer system or network that is designed to block unauthorized access while permitting outward communication.

spear phishing

a phishing expedition in which the emails are carefully designed to target a particular person or organization

Firewalls pass all attack packets, even if they are suspicious, as long as they are not

a provable attack packet

Challenge message

a random bit string

exhaustive search

a search that tries every possible key or password until it either finds the correct one or has tested every candidate; in password cracking this is the brute force attack

How did attackers exfiltrate data from the Target network?

Card data was collected at the POS terminals and sent both to the legitimate Target servers and to a compromised internal holding server, where it was stored temporarily. The attackers then used another compromised server (the extrusion server) to deliver the data to a system outside the Target network.

Command control server

a server that, in a distributed denial of service (DDoS) attack, receives orders from the botmaster and relays the attack command to the bots in the botnet. Because the bots talk to the command and control server rather than to the botmaster, the botmaster is harder to identify

patch

a small program designed to fix a security vulnerability

Advanced Persistent Threat (APT)

a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments

certificate authority (CA)

a trusted organization that can vouch for the authenticity of the person or organization using authentication, distributes the public key of a person in a document

supplicant

a user that is trying to prove his or her identity in authentication

host to host virtual private network (VPN)

a VPN between two individual hosts; it adds cryptographic protections to communication that would otherwise lack security

if a packet is not a provable attack packet, the firewall will

allow it to pass

Electronic signatures provide message integrity by:

allowing the receiver to detect if the packet is altered by an attacker while the packet is in transit

Behavioral patterns

an analysis of what the program is attempting to do (e.g. reformat the hard drive - an undeniable indication of malware)

Explain "advanced" in advanced persistent threats (APT)

attackers use extremely advanced techniques that often begin with a highly targeted spear phishing attack

Explain "persistence" in the context of advanced persistent threats (APT)

attacks are usually long term that can last weeks, months and even years

The issue for hacking is

authorization. Finding a user name and password that someone left somewhere negligently does not make the access authorized; using them is still hacking.

why is facial recognition controversial

because it can be done surreptitiously (without the supplicant's knowledge) and that raises privacy issues

why do users not have to worry about the details of cryptographic processes when they are using a VPN

because the VPNs always use a cryptographic system, which is a bundle of protections that work automatically

iris recognition

biometric system; compares the pattern of the iris (the colored part of the eye) to a stored database. Expensive but precise and difficult to deceive

What is the person who controls a collection of compromised computers called?

bot master

What is a collection of compromised computers called?

botnet

Which programs directly attack the victim in a distributed denial of service (DDoS) attack?

bots

complex passwords can only be cracked by a

brute force attack

What type of adversary are most hackers today?

career criminals that hack for money

what type of organization will provide a verifier with the true party's digital certificate

certificate authority (CA)

spyware trojans

collect sensitive data and send the data to an attacker

botnet

collection of captured bot computers used in a distributed denial of service (DDoS) attack

To what computer does an attacker (bot master) send messages?

command control server

Good passwords have two characteristics

complex (a mix of upper- and lower-case letters, no regular pattern, and non-letter characters) and long (at least 8-12 characters)

propagation vectors

computer-to-computer transmission methods

SSL/TLS

cryptographic protocols that provide communications security over a computer network

provable attack packet

a packet that the firewall can identify with certainty as malicious; such packets are discarded (and logged)

Application awareness

deep inspection gives next generation firewalls the ability to identify the type of application that created a particular stream of messages and permits the firewall to execute pass/drop rules based on application policies

Functionality found in Next Generational Firewalls (NGFW)

deep inspection, application awareness, intrusion detection system (IDS) functionality, intrusion prevention system (IPS) functionality, reputation management, NAT and VPN traversal, and wire-speed operation

An electronic signature allows the receiver to:

detect a message added to the dialogue by an imposter

contains the public key and other identification information of a user.

digital certificate

what electronic document contains the true party's public key?

digital certificate

strongest method of authentication

digital certificate authentication

if a packet is a provable attack packet, the firewall will

discard it

Advanced Encryption Standard (AES)

dominant symmetric key encryption cipher in use today

Reputation Management

External services that compile lists of websites and other resources with very good reputations (white lists) and very bad reputations (blacklists). These lists can be used to inform decisions about packets to and from these sites

Typical propagation vectors (worms)

email attachments, visits to websites (even legitimate ones), social networking sites, and many others (USB RAM sticks, peer-to-peer file sharing, etc.). These require human gullibility, which is widespread but slow

Next-Generation Firewalls

Firewalls that use deep inspection: they examine all fields in the internet and transport layer headers and the application content carried by the transport layer (including reassembling application messages from multiple segments)

Which employees are the most dangerous if they become an attacker/hacker?

IT and security employees because they already have access, know the systems, know how to avoid detection, and are trusted by the organization

Encryption for confidentiality

encrypting messages so that if an eavesdropper intercepts a message, he or she will not be able to read it. The sender uses a cipher to create the message and the receiver decrypts the message in order to read it

What three protections does cryptographic systems provide to every packet?

encryption for confidentiality provides message-by-message confidentiality; electronic signatures provide message-by-message authentication and message integrity

In digital certificate authentication, what does the supplicant do?

encrypts the challenge message using their private key and sends the response message to the verifier

default rule (in an access control list)

ensures that unless a packet is explicitly allowed by an earlier rule, it is dropped and logged

approved connections table

In SPI, a connection is added to this if it is permitted by SPI. Each connection has a row containing the IP address and port number of the internal host (internal socket) and the IP address and port number of the external host (external socket) for each connection

career criminal hackers

In security, an attacker who is primarily interested in making money from security breaches.

Hacking

Intentionally accessing a computer without authorization or exceeding authorized access.

Intrusion Prevention System (IPS)

Intrusion detection systems (IDSs) that go one step further and drop packets that are merely suspicious (not provable attack packets), provided there is high confidence that they are attacks

How does a trojan horse differ from viruses, worms, and mobile code?

It cannot spread from one computer to another by itself. It must be placed there by another piece of malware, by a human attacker, or by downloading the program voluntarily

Stateful packet inspections (SPI) firewalls are inexpensive overall because:

It focuses its processing on packets that attempt to open a connection (1% or less of all packets) and uses far less processing power for packets that are not attempting to open a connection (99% or more of all packets)

In SPI, if a packet is not attempting to open a connection and it is not part of an approved connection

It must be spurious, and it is dropped and logged

What are the most frequent types of attacks on companies?

Malware attacks

downloaders

Malware that downloads and installs another program on the computer

Why is signature detection not sufficient for an antivirus program?

Many malware programs mutate, changing their signatures. Also, there are now too many malware programs to test for all malware signatures

What two protections do electronic signatures provide?

Message by message authentication and message integrity

What resources can hackers purchase and sell over the internet?

exploit programs with slick interfaces and prepaid annual updates, credit card information and identity information

Deep inspection

The most fundamental function of next-generation firewalls. Looks at everything in the packet, including the application message segment and all fields in the IP header and the TCP or UDP header. Also reassembles packet streams to read application messages

ingress filtering

filtering packets arriving at a network from the outside

Stateful Packet Inspection (SPI)

firewall filtering mechanism that treats different types of packets differently, spending more resources on the riskiest packets and less on the least risky

what is VPN traversal?

firewalls allow VPN traffic to traverse them without filtering (tradeoff between encryption security and filtering security)

Is it generally illegal to write malware in the United States?

No, it is not illegal to write malware, but it is illegal to release the malware to do damage or to sell the malware to be used in that way

Does a firewall drop a packet if it probably is an attack packet?

No. It only drops provable attack packets

Are Bots limited to DDoS attacks?

No. They are general-purpose exploitation programs the botmaster can remotely update with new capabilities after installation

Are scripts normally bad?

No. scripts are normally benign but may be damaging if the browser has a vulnerability

Does all malware have a payload?

No; however, even malware without payloads can do damage such as cause a computer to run slowly or crash

Cons of reusable passwords

Often weak (easy to crack)

public key

One of the keys used in asymmetric encryption systems. It is widely distributed and available to everyone.

What gives bots flexibility?

Payloads can be upgraded remotely by the botmaster, enhancing the bots' capabilities after installation

payloads

Pieces of code that do damage

Cyberwar/cyberterrorism

Politically motivated attacks designed to compromise the electronic infrastructure of an enemy nation and disrupt its economy.

Trojan horses

Programs that come into a computer system disguised as something else

Why may employees, ex-employees, and other insiders become attackers?

Revenge or theft

The most common cryptographic system for browser-webserver VPNs is:

SSL/TLS (Secure Sockets Layer / Transport Layer Security)

SSL/TLS is an attractive cryptographic system for webservers because:

SSL/TLS is built into every webserver and browser today, so the cost of adding SSL/TLS protection is negligible

Mobile code on webpages

Scripts. HTML webpages can contain scripts called mobile code because they are downloaded with the webpage

How does security thinking differ from network thinking?

Security thinking anticipates the actions of intelligent adversaries who will try many things to succeed and will adapt to the defenses you put in place. Network thinking focuses on adequate planning, software bugs, and mechanical breakdowns.

Symmetric Key Encryption

Sender and receiver use single, shared key

In digital certificate authentication, what does the verifier do?

Sends a supplicant a challenge message, receives the response message (the challenge message encrypted with the supplicant's private key), obtains the true party's public key, decrypts the response message using the true party's public key to see if the response produces the original challenge message

Wire-speed operations

firewalls can receive and process traffic at the full speed of the lines coming into them. They do this by relying on application-specific integrated circuits (ASICs) that execute NGFW functions much more quickly than general-purpose processors

Most Denial of Service (DoS) attacks involve

flooding victim computers with attack packets - a distributed DoS attack

Intrusion Detection System (IDS)

focus specifically on identifying suspicious transmissions and logging them for firewall administrators to examine. If the threat appears to be very serious, the IDS sends an alarm to the firewall administrators. IDSs also produce false alarms, which can dull vigilance

old school hackers

hackers driven by curiosity, a desire for power, and peer reputation

Dictionary attacks

hackers run through the password dictionary to see if a password is accepted for a username to break into a host

Social Engineering

hackers use their social skills to trick people into revealing access credentials or other valuable information, or into taking risky actions (such as opening email attachments or visiting websites)

To prove its claim to being the true party, the supplicant encrypts the challenge message using

his or her private key

What protection does confidentiality provide?

if an eavesdropper intercepts a message, he or she will not be able to read it

true party

in digital certificate authentication, the party the supplicant claims to be. The verifier tests that claim using the true party's public key, not a key supplied by the supplicant

why are passwords widely used

inexpensive because they are built into operating systems and they are easy to use (users are familiar with them)

In SPI, if a packet is part of an established connection (listed in the approved connections table)

it is passed without further inspection

directly propagating worm

jumps to victim hosts directly, no action is required on the part of the victim, target hosts must have a specific vulnerability for this to succeed. Can spread with amazing speed.

Limitations to stateful packet inspection (SPI) firewalls

limited primarily to examining socket data (IP address and port number); cannot detect which applications are actually using port 80; and cannot identify problems in streams of packets

password dictionaries

lists of passwords likely to succeed for a hacker to access a host

keys

long strings of bits

what types of passwords can only be broken into by brute force attacks

long, complex passwords

virus

malware that attaches itself to another program

worms

malware that is a stand-alone program that doesn't need to attach itself to another program

Cyberwar is conducted by

national governments

Can a password that can be broken into by a dictionary attack be adequately strong if it is very long

no password that is in a cracker dictionary is adequately strong, no matter how long it is

passwords are only useful for

nonsensitive assets

What kind of TCP packets attempt to open a connection

only TCP segments with the SYN flag set (and the ACK flag clear); every other segment belongs to an ongoing connection or is spurious

States for stateful packet inspection firewall filtering

opening a connection and ongoing communication

vendors release this to close vulnerabilities

patch

weakness of long and complex passwords

people often write them down

access cards

permit door access, can be used for computer access

egress filtering is done to:

prevent sensitive corporate information from being transmitted outside the firm

credentials

proof of identity

Authentication

proving a sender's identity

digital certificate

public key of a person in a document, distributed by a certificate authority (CA)

application specific integrated circuits

purpose-built computer chips that can process NGFW functions far more quickly than traditional firewalls

The challenge of creating next generation firewalls

they require an extremely large amount of processing power, but at the same time they must not delay traffic

two-factor authentication

requires two credentials for authentication. increases the strength of authentication

The most common authentication credential

reusable password

The weakest form of authentication

reusable password

proximity access cards

same as access cards, but don't need to swipe to gain access

Antivirus programs use what to detect malware?

signature detection and behavioral detection

what types of passwords are susceptible to dictionary attacks

simple passwords - common passwords, words in standard dictionaries, and hybrids of these things
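The cards on password dictionaries (three kinds of entries: common passwords, dictionary words, and hybrids with capitalization or special characters added) and on which passwords are susceptible to dictionary attacks describe one procedure. The following Python program is an added example, not part of the original study set: it builds such a dictionary from a tiny constructed word list, runs it against salted SHA-256 hashes, and shows that a hybrid like "Dragon1!" falls while a long random string does not. The word lists, salt, and hash construction are all assumptions made for the demonstration.

```python
import hashlib

# Constructed sample data for illustration only (not a real cracker dictionary).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
DICTIONARY_WORDS = ["dragon", "monkey", "sunshine", "welcome"]

# Hybrid transformations the card describes: capitalization plus appended
# digits or special characters. Kept small so the run is quick.
SUFFIXES = ["", "1", "!", "123", "1!"]


def hybrid_variants(word):
    """Yield the word itself plus capitalized/suffixed hybrids of it."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def build_password_dictionary():
    """Return the three entry types as one de-duplicated candidate list:
    common passwords, standard dictionary words, and hybrids of both."""
    candidates, seen = [], set()
    for word in COMMON_PASSWORDS + DICTIONARY_WORDS:
        for cand in hybrid_variants(word):
            if cand not in seen:
                seen.add(cand)
                candidates.append(cand)
    return candidates


def hash_password(password, salt):
    """Stand-in for the stored verifier: SHA-256 over salt + password.
    Real systems should use a slow KDF (bcrypt, scrypt, Argon2) instead."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


def dictionary_attack(stored_hash, salt, dictionary):
    """Try every dictionary entry against one stored hash.
    Returns the recovered password, or None if no entry matches (at which
    point only a brute force attack over every character combination remains)."""
    for candidate in dictionary:
        if hash_password(candidate, salt) == stored_hash:
            return candidate
    return None


if __name__ == "__main__":
    dictionary = build_password_dictionary()
    salt = "s4lt"  # assumed per-user salt
    weak = hash_password("Dragon1!", salt)           # hybrid of a dictionary word
    strong = hash_password("Tq7#mV9!pL2$wZ4r", salt)  # long, complex, not in any list
    print(dictionary_attack(weak, salt, dictionary))    # Dragon1!
    print(dictionary_attack(strong, salt, dictionary))  # None
```

Note that length alone does not save a password that is in the dictionary: "sunshine123" is as long as some strong passwords, yet the attack recovers it in a handful of hash computations.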

Electronic signatures

small bit strings that provide message-by-message authentication

distinguish between social engineering in general and phishing

social engineering attacks generally try to trick the victim into doing something against personal or organization interests, phishing uses authentic looking emails and sites to do this

Most firewalls today use this firewall filtering mechanism

stateful packet inspection (SPI)

reusable password

string of characters user types to gain access to resources associated with a user name. Can be used repeatedly so it is reusable. It is also the weakest form of authentication, so it is appropriate only for the least sensitive assets

why must authentication be appropriate for the risks to an asset

strong authentication is expensive and often inconvenient so it is most appropriate for strong authentication to be used for very sensitive information. For relatively non-sensitive data, weaker but less expensive authentication methods may be sufficient

Cyberterror attacks are conducted by

terrorists

Stateful packet inspection (SPI) states and filtering intensity

the SPI firewall filtering focuses resources on the connection opening attempt (the riskiest state) and less on the ongoing communication (which is less risky)

firewall log file

the firewall copies information about each discarded packet in order to understand the types of attacks coming against the resources that the firewall is protecting

cipher

the generic term for a technique (or algorithm) that performs encryption

Denial of service (DoS) attacks

the goal is to make a computer or entire network unavailable to its legitimate users

firewall filtering mechanisms

the methods used by firewalls to examine packets to see if they are attack packets

SPI firewalls focus on which state?

the most risky - the opening state (versus the ongoing state)
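The SPI cards above (connection-opening packets checked against an ACL with a default drop-and-log rule, the approved connections table keyed by internal and external sockets, ongoing packets passed without further inspection, and packets that are neither dropped as spurious) describe one filtering algorithm. The following Python simulation is an added example, not part of the original study set: it runs that algorithm over a handful of constructed packets. The internal address prefix, the ACL rules, and the packet fields are assumptions made for the demonstration, and the packet model is simplified to the fields SPI actually consults.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the fields an SPI firewall looks at: sockets and TCP flags."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


def is_connection_opening(pkt):
    # Only a TCP segment with SYN set and ACK clear attempts to open a connection.
    return pkt.syn and not pkt.ack


class SPIFirewall:
    def __init__(self, internal_prefix, acl):
        self.internal_prefix = internal_prefix
        # Ordered ACL: (direction, dst_ip or None, dst_port or None, action).
        # First matching rule wins; if none matches, the default rule drops and logs.
        self.acl = acl
        self.approved = set()  # approved connections table: (internal socket, external socket)
        self.log = []          # one entry per discarded packet

    def _is_internal(self, ip):
        return ip.startswith(self.internal_prefix)

    def _sockets(self, pkt):
        """Return (internal socket, external socket) regardless of direction."""
        if self._is_internal(pkt.src_ip):
            return (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)
        return (pkt.dst_ip, pkt.dst_port), (pkt.src_ip, pkt.src_port)

    def filter(self, pkt):
        connection = self._sockets(pkt)
        if is_connection_opening(pkt):
            # Riskiest state: consult the ACL for this opening attempt.
            direction = "out" if self._is_internal(pkt.src_ip) else "in"
            for rule_dir, rule_ip, rule_port, action in self.acl:
                if (rule_dir == direction
                        and (rule_ip is None or rule_ip == pkt.dst_ip)
                        and (rule_port is None or rule_port == pkt.dst_port)):
                    if action == "allow":
                        self.approved.add(connection)  # whole connection is now approved
                        return "pass"
                    break  # explicit deny falls through to drop-and-log
            self.log.append(("opening attempt denied", pkt))
            return "drop"
        # Ongoing state: cheap lookup, no ACL evaluation.
        if connection in self.approved:
            return "pass"
        self.log.append(("not part of an approved connection", pkt))
        return "drop"


# Assumed policy: let internal hosts open any outbound connection; from outside,
# allow only new connections to the web server on port 80.
ACL = [
    ("in", "10.0.0.80", 80, "allow"),
    ("out", None, None, "allow"),
]

# Constructed traffic sample.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", 50000, "203.0.113.7", 443, syn=True),           # outbound opening: ACL allows
    Packet("203.0.113.7", 443, "10.0.0.5", 50000, syn=True, ack=True),  # SYN/ACK reply: approved connection
    Packet("198.51.100.9", 40000, "10.0.0.80", 80, syn=True),          # inbound to web server: ACL allows
    Packet("198.51.100.9", 40001, "10.0.0.5", 22, syn=True),           # inbound to SSH on a client: default drop
    Packet("198.51.100.9", 40002, "10.0.0.5", 50000, ack=True),        # ACK with no connection: spurious, dropped
    Packet("10.0.0.5", 50000, "203.0.113.7", 443, ack=True),           # data on approved connection: passed
]


def run_sample():
    """Filter the sample traffic; return the per-packet decisions and the firewall."""
    fw = SPIFirewall("10.0.0.", ACL)
    return [fw.filter(p) for p in SAMPLE_TRAFFIC], fw


if __name__ == "__main__":
    decisions, fw = run_sample()
    print(decisions)                    # ['pass', 'pass', 'pass', 'drop', 'drop', 'pass']
    for reason, pkt in fw.log:
        print("LOGGED:", reason, pkt)
```

The expensive path (ACL evaluation) runs only for the two SYN packets that open new connections; every other packet is decided by a set lookup, which is why SPI is cheap overall.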

verifier

the party requiring a supplicant to prove his or her identity in authentication

brute force attack

the password cracker tries every possible combination of characters

In digital certificate authentication, does the verifier decrypt with the true party's public key or the supplicant's public key?

the true party's public key (obtained from the true party's digital certificate), never a key the supplicant supplies

biometrics

the use of body measurements to authenticate you

cryptography

the use of mathematical operations to protect messages traveling between parties or stored on a computer

after propagation, viruses and worms execute:

their payloads. Payloads are malicious code that does damage such as erase hard disks or send users to porn sites when they mistype urls

Both firewalls and antivirus programs attempt to stop attacks, but:

they work at different levels. Firewalls work at the level of packets and groups of packets. Antivirus programs examine entire files.

What is the purpose of a denial of service (DoS) attack?

to make a computer or entire network unavailable to its legitimate users

exploit

to take advantage of; the act of breaking into a computer; the piece of software or procedure (or a combination) that is used to take over the host by sending exploit packets

why is it important to read firewall logs daily

to understand the types of attacks coming against the resources that firewalls are protecting

NAT and VPN traversal

traditional firewall functionality. VPN traversal passes encrypted traffic without inspection.

phishing attacks

type of social engineering attack that uses legitimate-looking e-mails or Web sites created in an attempt to obtain confidential data about a person

spam

unsolicited commercial email

Virtual Private Network (VPN)

uses the internet to create the appearance of private, secure connections

The earliest pieces of malware were?

viruses and worms

What is the name given to a vulnerability specific attack that occurs before a patch is available?

zero-day attack

Why are scripts call mobile code?

Because they travel with the downloaded webpage from the webserver to the browser

How did attackers gain access to Target's network?

Stole credentials from a Target vendor, probably via a spear phishing email to a vendor employee that tricked him or her into loading malware onto his or her machine. The attackers used the credentials to get access to the vendor server and from there moved more deeply into the Target network.

AES supports multiple strong key lengths up to:

256 bits

Why are cyberwar and cyberterror attacks especially dangerous?

3 reasons. (1)funding allows them to be extremely sophisticated; (2) they focus on doing damage instead of committing thefts; (3) they are likely to be directed against many targets simultaneously for massive damage

Hacking attacks typically take place in two stages:

(1) The exploit (code, software, procedure or a combination that an attacker uses to take over the host by sending exploit packets. also means the act of breaking into a computer) and (2) after the break in (manually exploits the resource or leaves a trojan horse behind for continuous automated exploitation)

surreptitious

(adj.) stealthy, secret, intended to escape observation; made or accomplished by fraud

In two-way dialogues using symmetric key encryption, how many keys are used for encryption and decryption?

1

Benefits of reusable passwords

1. Ease of use for users (familiar) 2. Inexpensive because they are built into operating systems.

Steps for digital certificate authentication

1. The supplicant claims to be the true party. 2. The verifier tests the claim by sending the supplicant a challenge message. 3. The supplicant encrypts the challenge message using his or her private key and sends the response message to the verifier. 4. The verifier obtains the true party's digital certificate (containing the true party's public key). 5. The verifier decrypts the response message using the true party's public key. If the result is the original challenge message, the supplicant is verified as the true party. NOTE: the verifier uses the public key of the true party, not a public key supplied by the supplicant.
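The five steps above are a challenge-response exchange, and the note at the end (use the true party's public key, not the supplicant's) is the step an imposter depends on being skipped. The following Python program is an added example, not part of the original study set, that plays both sides of the exchange with a toy RSA implementation: a directory standing in for the certificate authority, a legitimate supplicant whose private key matches the certificate, and an imposter whose key does not. The party names, the CA directory, and the key parameters are assumptions; the primes are small Mersenne primes chosen so the arithmetic stays in plain Python integers, so the keys are far below the strength the cards call for and real protocols sign a hash rather than the raw challenge.

```python
import secrets

E = 65537  # public exponent (assumed, as in common RSA deployments)


def make_keypair(p, q):
    """Toy RSA key generation from two given primes. Real keys are 2048 bits
    or more and are never derived from published primes; this is illustration."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent (Python 3.8+ modular inverse)
    return {"n": n, "e": E}, {"n": n, "d": d}


def encrypt_with_private_key(m, priv):
    """The card's 'encrypt with the private key' (raw RSA signing of m)."""
    return pow(m, priv["d"], priv["n"])


def decrypt_with_public_key(c, pub):
    """The card's 'decrypt with the public key' (raw RSA verification)."""
    return pow(c, pub["e"], pub["n"])


# Assumed parties: Alice is the true party, Mallory an imposter.
alice_pub, alice_priv = make_keypair(2**31 - 1, 2**61 - 1)
mallory_pub, mallory_priv = make_keypair(2**89 - 1, 2**107 - 1)

# Stand-in for the certificate authority: the verifier looks up the TRUE
# PARTY's certificate (public key) by the claimed name. It never accepts
# a public key that the supplicant hands over itself.
CA_DIRECTORY = {"alice": alice_pub, "mallory": mallory_pub}


def verifier_challenge():
    """Step 2: the verifier sends a random bit string."""
    return secrets.randbits(64)


def supplicant_respond(challenge, supplicant_priv):
    """Step 3: the supplicant encrypts the challenge with its own private key."""
    return encrypt_with_private_key(challenge, supplicant_priv)


def verifier_check(claimed_name, challenge, response):
    """Steps 4-5: fetch the true party's public key from the CA and decrypt
    the response. The claim holds only if the original challenge reappears."""
    true_party_pub = CA_DIRECTORY[claimed_name]
    return decrypt_with_public_key(response, true_party_pub) == challenge


def authenticate(claimed_name, supplicant_priv, challenge=None):
    """Run the whole exchange. Returns True only when the supplicant holds
    the private key matching the certificate of the name it claims."""
    if challenge is None:
        challenge = verifier_challenge()
    response = supplicant_respond(challenge, supplicant_priv)
    return verifier_check(claimed_name, challenge, response)


if __name__ == "__main__":
    print(authenticate("alice", alice_priv))    # True: genuine Alice
    print(authenticate("alice", mallory_priv))  # False: Mallory claiming to be Alice
```

Had the verifier used a public key supplied by Mallory instead of the one in Alice's certificate, the second call would succeed, which is exactly why the note insists on the true party's key.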

To be considered strong, keys have to be at least how long?

100 bits

Anti-virus signature detection

AV programs look for malware signatures - snippets of code that indicate specific malware programs

What were the steps take by the attackers in the Target breach?

Stole credentials from a Target vendor, probably via a spear phishing email to a vendor employee that tricked him or her into loading malware onto his or her machine. The attackers used the credentials to get access to the vendor server and from there moved more deeply into the Target network. They uploaded POS malware, purchased from an online crimeware shop, to a malware download server within Target. The malware was downloaded to POS systems, where it collected magnetic stripe data from card swipes and sent it to the attackers as well as to the legitimate Target server. The attackers then sold the stolen data to counterfeiters.

egress filtering

The practice of monitoring and potentially restricting the flow of information outbound from one network to another

private key

The secret portion of an asymmetric key pair. It is never shared. It is normally used to decrypt data sent to its owner, with one notable exception: the owner also uses the private key to create (sign) a digital signature, which others then check with the matching public key.

response message (in digital certificate authentication)

The supplicant encrypts the challenge message with his or her private key and sends it to the verifier

List the internal Target servers the attackers compromised

The vendor server; the malware download server (the internal Target server that downloaded updates to POS systems); the holding server (where data from POS terminals was stored temporarily); and the extrusion server (another server used to deliver the data to the attackers outside the Target network)

What is a problem with stateful packet inspection (SPI) firewalls?

They only look at IP addresses and port numbers in their rules. They do not look at everything in the packet, including at the application messages that are delivered

Why is two-factor authentication desirable?

Two-factor authentication increases the strength of authentication: an attacker must obtain two credentials rather than one

What is the biggest challenge with patches?

Users do not always install patches promptly, or at all, so their systems remain vulnerable

credit card number theft

Uses stolen credit card numbers in unauthorized transactions
