CCNA Security Chapter 1
Hard Copy
Corporate data should be disposed of thoroughly. For example, confidential data should be shredded when no longer required. Otherwise, a thief could retrieve discarded reports and gain valuable information.
Hosts
End points are secured using various features including antivirus and antimalware software, Host Intrusion Protection System features, and 802.1X authentication features.
Password attack
Hackers attempt to discover critical system passwords using various methods, such as social engineering, dictionary attacks, brute-force attacks, or network sniffing. Brute-force attacks involve repeated attempts using tools such as Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.
Spam
Hackers may use spam email to trick a user to click an infected link or download an infected file.
Compromised Key Attack
If a hacker obtains a secret key, it can be used to gain access to a secured communication without the sender or receiver being aware of the attack.
Password Based Attacks
If hackers discover a valid user account, the attackers have the same rights as the real user. Hackers could use that valid account to obtain lists of other users and network information. They could also change server and network configurations, modify, reroute, or delete data.
Data Modification Attack
If hackers have captured enterprise traffic, they can alter the data in the packet without the knowledge of the sender or receiver.
Smurf Attack
In this legacy attack, a hacker sent a large number of ICMP requests to various recipients. Using multiple recipients amplified the attack. In addition, the packet source address contained a spoofed IP address of an intended target. This was a type of reflection attack because the echo replies would all be reflected back to the targeted host in an attempt to overwhelm it. These attacks are mitigated with the no ip directed-broadcast command, which is a default interface setting, as of Cisco IOS version 12.0.
Ping of Death
In this legacy attack, the attacker sent a ping which was an echo request in an IP packet larger than the maximum packet size of 65,535 bytes. The receiving host would not be able to handle a packet of that size and it would crash.
TCP SYN Flood Attack
In this type of attack, a hacker sends many session request packets with a spoofed source IP address to an intended target. The target device replies with a SYN-ACK packet to the spoofed IP address and waits for an ACK packet. However, the responses never arrive, and the target hosts are overwhelmed with TCP half-open connections.
Data Wipe
Lost or stolen devices can be remotely fully or partially erased, either by the user or by an administrator via the MDM.
Data Encryption
Most devices have built-in encryption capabilities, both at the device and file level. MDM features can ensure that only devices that support this and have it enabled can access the network and corporate content.
Password Crackers
Often referred to as password recovery tools, these can be used to crack or recover a password. This is accomplished either by removing the original password, after bypassing the data encryption, or by outright discovery of the password. These tools repeatedly make guesses in order to crack the password and access the system. Examples include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.
Removable Media
One risk is that an employee could perform an unauthorized transfer of data to a USB drive. Another risk is that a USB drive containing valuable corporate data could be lost.
Improper Access Control
Passwords are the first line of defense. Stolen passwords or weak passwords which have been compromised can provide an attacker easy access to corporate data.
Phishing
Phishing is when a malicious party sends a fraudulent email disguised as being from a legitimate, trusted source. The message intends to trick the recipient into installing malware on their device, or into sharing personal or financial information.
Cloud Storage Devices
Saving data here has many potential benefits. However, sensitive data can be lost if access to this is compromised due to weak security settings.
VPN (Virtual Private Network)
The Cisco ISR is secured. It protects data in motion flowing from the CAN to the outside world by establishing one of these. They ensure data confidentiality and integrity from authenticated sources.
Man-in-the-middle attack
The hacker is positioned in between two legitimate entities in order to read or modify the data that passes between the two parties.
Email/Social Engineering
The most common vector for data loss includes instant messaging software and social media sites. For instance, intercepted email or IM messages could be captured and reveal confidential information.
Script Kiddies
The term emerged in the 1990s and refers to teenagers or inexperienced hackers running existing scripts, tools, and exploits, to cause harm, but typically not for profit.
Layer 2 Switches
These access layer switches are secured and connect user-facing ports to the network. Several different security features can be implemented, such as port security, DHCP snooping, and 802.1X user authentication.
Cyber Criminals
These are black hat hackers who are either self-employed or working for large cybercrime organizations. Each year, they are responsible for stealing billions of dollars from consumers and businesses.
White Hat Hacker
These are ethical people who use their programming skills for good, ethical, and legal purposes. They may perform network penetration tests in an attempt to compromise networks and systems by using their knowledge of computer security systems to discover network vulnerabilities.
Hacktivist
These are grey hat hackers who rally and protest against different political and social ideas. They publicly protest against organizations or governments by posting articles, videos, leaking sensitive information, and performing distributed denial of service (DDoS) attacks.
Grey Hat Hacker
These are individuals who commit crimes and do arguably unethical things, but not for personal gain or to cause damage. An example would be someone who compromises a network without permission and then discloses the vulnerability publicly. They may disclose a vulnerability to the affected organization after having compromised their network, allowing the organization to fix the problem.
Hacking Operating Systems
These are specially designed operating systems preloaded with tools and technologies optimized for hacking. Examples include Kali Linux, SELinux, Knoppix, and BackBox Linux.
Black Hat Hacker
These are unethical criminals who violate computer and network security for personal gain, or for malicious reasons, such as attacking networks. They exploit vulnerabilities to compromise computer and network systems.
Vulnerability Broker
These are usually grey hat hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or rewards.
Layer 3 Switches
These distribution layer devices are secured and provide secure redundant trunk connections to the Layer 2 switches. Several different security features can be implemented, such as ACLs, DHCP snooping, Dynamic ARP Inspection (DAI), and IP source guard.
Debuggers
These tools are used by black hats to reverse engineer binary files when writing exploits. They are also used by white hats when analyzing malware. Examples include GDB, WinDbg, IDA Pro, and Immunity Debugger.
Packet Sniffers
These tools are used to capture and analyze packets within traditional Ethernet LANs or WLANs. Examples include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip.
Packet Crafting Tools
These tools are used to probe and test a firewall's robustness using specially crafted forged packets. Examples include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.
Vulnerability Exploitation Tools
These tools identify whether a remote host is vulnerable to a security attack. Examples include Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.
Encryption Tools
These tools safeguard the contents of an organization's data at rest and data in motion. Encryption tools use algorithm schemes to encode the data to prevent unauthorized access to the encrypted data. Examples include VeraCrypt, CipherShed, OpenSSH, OpenSSL, Tor, OpenVPN, and Stunnel.
Vulnerability Exploitation Scanners
These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and to scan VMs, BYOD devices, and client databases. Examples of tools include Nipper, Secunia PSI, Core Impact, Nessus v6, SAINT, and OpenVAS.
Layer 2 Switch
This access layer switch is hardened and connects user-facing ports using port security to the SOHO network.
Man in the Middle Attack
This attack occurs when hackers have positioned themselves between a source and destination. They can now actively monitor, capture, and control the communication transparently.
DoS (Denial of Service) Attack
This attack prevents normal use of a computer or network by valid users. After gaining access to your network, the attack can crash applications or network services. This attack can also flood a computer or the entire network with traffic until a shutdown occurs because of the overload. This attack can also block traffic, which results in a loss of access to network resources by authorized users.
Wireless Router
This consumer-grade device provides integrated firewall features and secure wireless connections.
Antivirus Storm
This happens when all VMs attempt to download antivirus data files at the same time.
Rootkit Detector
This is a directory and file integrity checker used by white hats to detect installed rootkits. Examples include AIDE, Netfilter, and PF: OpenBSD Packet Filter.
SOHO Site
This is a small branch site that connects to the corporate main site using a Cisco wireless router. The wireless router can establish a permanent always-on VPN connection to the main site ASA. Alternatively, the internal users could use the Cisco AnyConnect VPN client to establish a secure VPN connection to the main site ASA.
Spear phishing
This is a targeted phishing attack tailored for a specific individual or organization.
Mobile Worker
This is a teleworker who can use the Cisco AnyConnect VPN client to establish a secure VPN connection to the main site ASA.
Sniffer Attack
This is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, this provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted and the attacker does not have access to the key.
Vulnerability
This is defined as a weakness or flaw in the network. The vulnerability can be exploited by an attacker to negatively impact a network, or to access confidential data within an organization. Sources of network vulnerabilities include weak and unsecure network protocols, configuration errors, or weak security policies.
Regional Site
This is larger than a branch site and connects to the corporate main site using an ASA. The ASA can establish a permanent always-on VPN connection to the main site ASA.
Mitigation
This is the action of reducing the severity of the vulnerability. Network security involves multiple techniques to do this.
PIN Enforcement
This is the first and most effective step in preventing unauthorized access to a device. Furthermore, strong password policies can also be enforced by an MDM, reducing the likelihood of brute-force attacks.
Threat
This is the potential for a vulnerability to turn into a network attack. These include malware, exploits, and more.
Risk
This is the potential of a threat to exploit the vulnerabilities of an asset in order to negatively affect an organization. This is measured using the probability of the occurrence of an event and its consequence.
Pretexting
This is when a hacker calls an individual and lies to them in an attempt to gain access to privileged data. An example involves an attacker who pretends to need personal or financial data in order to confirm the identity of the recipient.
Eavesdropping Attack
This is when a hacker captures and "listens" to network traffic. Also referred to as sniffing or snooping.
Buffer overflow
This is when a hacker exploits the buffer memory and overwhelms it with unexpected values. This usually renders the system inoperable, creating a DoS attack. It is estimated that one third of malicious attacks are the result of these overflows.
Baiting
This is when a hacker leaves a malware-infected physical device, such as a USB flash drive, in a public location such as a corporate washroom. The finder picks up the device and loads it onto their computer, unintentionally installing the malware.
Tailgating
This is when a hacker quickly follows an authorized person into a secure location. The hacker then has access to a secure area.
Something for Something (Quid pro quo)
This is when a hacker requests personal information from a party in exchange for something like a free gift.
Port redirection
This is when a hacker uses a compromised system as a base for attacks against other targets.
Phishing
This malware attempts to convince people to divulge sensitive information. Examples include receiving an email from their bank asking users to divulge their account and PIN numbers.
Ransomware
This malware denies access to the infected computer system. The ransomware then demands a paid ransom for the restriction to be removed.
Scareware
This malware includes scam software which uses social engineering to shock or induce anxiety by creating the perception of a threat. It is generally directed at an unsuspecting user.
Rootkits
This malware is installed on a compromised system. After it is installed, it continues to hide its intrusion and maintain privileged access to the hacker.
Spyware
This malware is used to gather information about a user and send the information to another entity, without the user's consent. Spyware can be classified as system monitors, Trojan horses, adware, tracking cookies, and keyloggers.
Adware
This malware typically displays annoying pop-ups to generate revenue for its author. The malware may analyze user interests by tracking the websites visited. It can then send pop-up advertising pertinent to those sites.
Branch Site
This site connects to the corporate main site using a hardened ISR. The ISR can establish a permanent always-on VPN connection to the main site ASA.
Wireless Hacking Tools
Used to intentionally hack into a wireless network to detect security vulnerabilities. Examples include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.
Visibility Solutions
Visibility solutions are provided using software such as the Cisco Security Manager, which helps simplify operations and compliance reporting.
Instant on Activation
When a VM that has not been used for a period of time is brought online, it may have outdated security policies that deviate from the baseline security and can introduce security vulnerabilities.
Computer Emergency Response Team (CERT)
a U.S. federally funded initiative chartered to work with the Internet community in detecting and resolving computer security incidents. Their Coordination Center coordinates communication among experts during security emergencies to help prevent future incidents. It also responds to major security incidents and analyzes product vulnerabilities. It manages changes relating to progressive intruder techniques and to the difficulty of detecting attacks and catching attackers. It also develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of services.
Jail Breaking/Root Detection
a means to bypass the management of a device. MDM features can detect such bypasses and immediately restrict a device's access to the network or other corporate assets.
Zombie Computers
compromised computers that are controlled by handler systems.
CAN (Campus Area Network)
consists of interconnected LANs within a limited geographic area.
IPS (Cisco Intrusion Prevention System)
device continuously monitors incoming and outgoing network traffic for malicious activity. It logs information about the activity, and attempts to block and report it.
State Sponsored
either white hat or black hat hackers who steal government secrets, gather intelligence, and sabotage networks. Their targets are foreign governments, terrorist groups, and corporations. Most countries in the world participate in this.
ASA (Cisco Adaptive Security Appliance)
firewall performs stateful packet filtering to filter return traffic from the outside network into the campus network.
Reconnaissance
information gathering. It is analogous to a thief surveying a neighborhood by going door-to-door pretending to sell something.
The Mitre Corporation
maintains a list of common vulnerabilities and exposures (CVE) used by prominent security organizations.
Virus
malicious code that is attached to executable files which are often legitimate programs. Most require end user activation and can lay dormant for an extended period and then activate at a specific time or date.
Trojan Horse
malware that carries out malicious operations under the guise of a desired function. It comes with malicious code hidden inside of it which exploits the privileges of the user that runs it. Often, they are found attached to online games.
DLP (Data Loss Prevention)
prevents authorized users from doing careless or malicious things with critical data.
ESA/WSA (Email Security Appliance and Web Security Appliance)
provide advanced threat defense, application visibility and control, reporting, and secure mobility to secure and control email and web traffic.
Worms
replicate themselves by independently exploiting vulnerabilities in networks. They usually slow down networks. Whereas a virus requires a host program to run, these can run by themselves. Other than the initial infection, they no longer require user participation. After a host is infected, these are able to spread very quickly over the network.
SysAdmin, Audit, Network, Security (SANS) Institute
resources are largely free upon request and include the popular Internet Storm Center, the Internet's early warning system, NewsBites, the weekly news digest, @RISK, the weekly vulnerability digest, flash security alerts, and more than 1,200 award-winning, original research papers. SANS also develops security courses.
Cloud Computing
separates the application from the hardware. It consists of physical and virtual servers which are commonly housed in data centers, increasingly using virtual machines (VMs) to provide server services to their clients.
AAA Server
server authenticates users, authorizes what they are allowed to do, and tracks what they are doing.
Distributed DoS Attack (DDoS)
similar in intent to a DoS attack, except that this attack increases in magnitude because it originates from multiple, coordinated sources. These attacks also introduce new terms such as botnet, handler systems, and zombie computers.
Virtualization
the foundation of Cloud computing. Without it, Cloud computing, as it is most widely implemented, would not be possible. This separates the OS from the hardware. It takes advantage of idle resources and consolidates the number of required servers.
Wireless Hosts
these connect to the wireless network using Wi-Fi Protected Access 2 (WPA2) data encryption technology. They typically have antivirus and antimalware software installed.
Fuzzers
tools used by hackers when attempting to discover a computer system's security vulnerabilities. Examples include Skipfish, Wapiti, and W3af.
Forensic Tools
used by white hat hackers to sniff out any trace of evidence existing in a particular computer system. Examples include Sleuth Kit, Helix, Maltego, and EnCase.
Network scanning tools
used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
IP Address Spoofing Attack
A hacker constructs an IP packet that appears to originate from a valid address inside the corporate intranet.
Trust exploitation
A hacker uses unauthorized privileges to gain access to a system, possibly compromising the target.
Botnet
A network of infected hosts.
Unencrypted Data
A stolen corporate laptop typically contains confidential organizational data. If the data is not stored using an encryption algorithm, then the thief can retrieve valuable confidential data.
Secure Segmentation
ASA devices and a Virtual Security Gateway integrated into the Cisco Nexus Series switches are deployed in a data center network to provide secure segmentation. This provides granular inter-virtual-machine security.
Threat Defense
ASAs and IPS devices in data center networks use threat intelligence, passive OS fingerprinting, and reputation and contextual analysis to provide threat defense.
Hyperjacking
An attacker could hijack a VM hypervisor (VM controlling software) and then use it as a launch point to attack other devices on the data center network.
IP, MAC, DHCP Spoofing
Attacks in which one device attempts to pose as another by falsifying data. There are multiple types. For example, one computer may accept data packets based on the address of another computer.