Chapter 4 Network Security
11. Payloads
1) In security, a piece of code that can be executed by a virus or worm after it has spread to multiple machines. 2) In IPv6, all of the packet after the main packet header.
What are the implications of the fact that bots can be updated?
1. Errors in their operation can be fixed after these flaws are discovered. The software is no longer unfixable after release. 2. Code can be added to repurpose bots for things like transmitting spam. The botnet or a portion of it can then be rented to spammers.
What individual victim or group of individual victims suffered the most harm?
?
How does security thinking differ from network thinking?
A network allows us to share information and resources. It provides access to almost anything, anywhere, at any time. Unfortunately, it provides the same access to criminals, attackers, and terrorists. Hence, network security has become a very serious matter.
What kind of attack may succeed against a system with no technological vulnerabilities?
A phishing attack
Distinguish between phishing and spear phishing attacks.
A phishing attack pretends to be from a company the user does business with or from another seemingly trustworthy source. The text of the e-mail message is also convincing. Using HTML, it may look exactly like e-mail messages the source usually sends. Spear phishing is even more specific. The attacker personalizes the e-mail message to a particular person, such as the chief executive officer of the company. Spear phishing e-mails are even more convincing because they typically appear to come from a specific trusted person and contain information that only that person is likely to know. For example, it may mention specific projects or locations while traveling.
7. Spear Phishing
A phishing attack that is highly focused on an individual. Likely to be extremely convincing because it contains content highly familiar to the intended victim.
8. Virus
A piece of executable code that attaches itself to programs or data files. When the program is executed or the data file opened, the virus spreads to other programs or data files.
10. Trojan Horses
A program that looks like an ordinary system file but continues to exploit the user indefinitely.
What is a vulnerability?
A security flaw in a program that allows one or a set of attacks against that program to succeed. • Computer users and network owners need to apply security patches to protect against vulnerabilities.
24. Firewall
A security system that examines each packet passing through it. If the firewall identifies the packet as an attack packet, the firewall discards it and copies information about the discarded packet into a log file.
2. Vulnerability
A security weakness found in software.
19. Two factor authentication
A type of authentication that requires two forms of credentials.
17. Bots
A type of malware that can be upgraded remotely by an attacker to fix errors or to give the malware additional functionality.
Explain "persistent" in the context of APTs.
APT attacks may proceed for weeks, months, or years. This allows the attacker to move through the system, hide its traces, and do other things that take time to accomplish. They can also steal data and do other damage for a long time.
What should be done before an employee leaves the firm?
All access must be terminated before their leaving.
For what four reasons are employees especially dangerous?
Already have access, Know the systems, Know how to avoid detection, Are trusted
3. Patches
An addition to a program that will close a security vulnerability in that program.
9. Worms
An attack program that propagates on its own by seeking out other computers, jumping to them, and installing itself.
What is a cipher?
An encryption method for achieving confidentiality.
31. Cipher
An encryption method.
__________ look at __________, and __________ mostly look at __________. A) Antivirus programs, packets, firewalls, packets B) Antivirus programs, files, firewalls, files C) Antivirus programs, packets, firewalls, files D) Antivirus programs, files, firewalls, packets
Answer: D
Explain why the last rule in an ACL should deny anything not previously approved by
Anything not explicitly permitted in earlier rules will be explicitly denied. This enforces the company's rules.
21. Advanced Persistent Threats (APTs)
Attack occurring over a long period of time. The user employs many advanced methods to get deeper and deeper into the target system.
4. Zero-Day Attack
Attack that takes advantage of a vulnerability for which no patch or other workaround has been released.
16. Botmaster
Attacker who controls a botnet.
What two protections do electronic signatures provide?
Authentication and message integrity.
What if this information is learned by an attacker?
Authentication can be done falsely.
18. Digital Certificate Authentication
Authentication in which each user has a public key and a private key. Authentication depends on the applicant knowing the true party's private key; requires a digital certificate to give the true party's public key.
Why must authentication be appropriate for risks to an asset?
Better authentication methods are more expensive. (They also tend to be more inconvenient to use.) Authentication should be strong enough to counter risks to the asset, but it should not be far stronger. If the risks are high, however, using strong authentication is required.
What is the person who controls them called?
Bot master.
What is a collection of compromised computers called?
Botnet.
Which programs directly attack the victim in a distributed denial-of-service attack?
Bots.
What protection does confidentiality provide?
Confidentiality ensures that any eavesdropper who intercepts your messages cannot read them.
What three protections are typically given to each packet?
Confidentiality, authentication, and message integrity.
30. Decrypt
Conversion of encrypted ciphertext into the original plain text so an authorized receiver can read an encrypted message.
What are credentials?
Credentials are proofs of identity (passwords, fingerprints, etc.).
22. Cybercriminals
Criminal who commits crimes using a computer.
What are cyberterror and cyberwar attacks?
Cyber attacks by terrorists and nation states.
What type of adversary are most hackers today?
Cybercriminals or "career criminals" who hack to make money.
Why are cyberwar attacks especially dangerous?
Dangerous because they tend to be sophisticated (and well financed). Dangerous because they try to do widespread damage.
Why is two-factor authentication desirable?
Each form of authentication faces threats. For two-factor authentication to fail, two threats must succeed. This is less likely in most cases.
What two benefits should this new recommendation bring?
Easier to remember. Also better security because the rule is less likely to be circumvented by users.
In digital certificate authentication, what does the supplicant do?
Encrypts the plaintext challenge message with his, her, or its (the supplicant's) private key.
What three types of attacks may come from your firm's business competitors?
Espionage to steal trade secrets, Denial-of-service attacks, Attack your reputation via social media
Why is it undesirable to use reusable passwords for anything but the least sensitive assets?
Far too many passwords are easily guessable. <The Mirai botnet takeover method tried fewer than 70 username/password combinations but was extremely successful.>
25. Stateful Packet Inspection (SPI)
Firewall filtering mechanism that uses different filtering methods in different states of a conversation.
26. Next-Generation Firewall (NGFW)
Firewall that can detect applications, not simply port numbers. Permits much finer control over network traffic.
18. Distinguish between what a firewall looks at and what an antivirus program look at.
Firewalls examine packets; antivirus programs examine files.
How did the attackers gain access to Target's network?
First, the attackers got credentials for accessing the vendor server, after which they could move inside the network. • Next, the attackers uploaded POS malware, which was purchased from an online crimeware shop, to a malware download server within Target. • The attackers then took over Target's internal server that downloads updates to the POS systems. • From there, the attackers could change the software to attack Target's POS terminals.
Which is more harmful to the victim? (credit card number theft or identity theft.) Why?
For credit card theft, quick reporting of unauthorized purchases will remove these transactions without your paying for them. In identity theft, there can be large reimbursed losses, and even discovering them may take a long period of time.
What is malware?
Generic name for evil software. It includes viruses, worms, Trojan horses, and other dangerous attack software.
6. Define hacking
Hacking is intentionally using a computer resource without authorization or in excess of authorization.
Who are the most dangerous employees?
IT employees and security employees
Why must Rule 2 come after Rule 1?
If it came first, Rule 1 would have no use.
Critique (positively or negatively) the fact that Target knew that fraud was already occurring with the stolen card data but did not reveal this when it announced the breach.
If Target already knew that fraud was occurring with the stolen card data, then cardholders needed to take responsible steps with the organizations that issued their cards.
If you click on a link expecting to go to a legitimate website but are directed to a website that contains information you are not authorized to see, is that hacking? Explain in terms of the definition.
If you do not look around after going there, then there is no intentionality, so accessing it without authorization is not hacking. <However, the government can still prosecute you, claiming intentionality. Calling law enforcement immediately is a good idea.>
How does the verifier get the true party's public key?
In a digital certificate from a certificate authority (CA).
20. Command and Control Server
In a distributed denial of service attack, an intermediate server to which the botmaster sends commands. The command and control server sends commands to individual bots on compromised hosts.
What is authentication?
In authentication, a supplicant attempts to prove its identity to a verifier by sending credentials. The verifier's mission is to determine if the supplicant is who he, she, or it claims to be (usually a particular True Party). If the verifier is not satisfied, the supplicant is treated as an impostor.
29. True Party
In authentication, the person the supplicant says that he or she is.
Distinguish between credit card number theft and identity theft.
In credit card theft, the cybercriminals steal your credit card number and perhaps related information. They use this to commit credit card fraud by buying things with your credit card. In identity theft, the cybercriminal steals enough personally identifiable information about you to impersonate you in large transactions such as purchasing a car. This includes your birth date, social security number, and other information that should be difficult to obtain (but often is not).
Do IDSs stop packets?
In general principle, they do not. <However, some IDSs can be configured to stop packets if they have high confidence (but less than full certainty) that a packet is an attack packet. DDoS attacks are the most often treated this way. This does increase the risk of deleting legitimate packets.>
Why is signature detection not enough?
In signature detection, the antivirus program looks for signatures (patterns in the code) that characterize a particular piece of malware. Unfortunately, many malware programs change their code constantly, making signature detection unlikely to succeed.
How do NGFWs address this problem?
Instead of using the port number as a proxy for the application's identity, an NGFW actually identifies the application by analyzing the messages it sends and receives.
Why is face recognition controversial?
It can be used surreptitiously, without the person's knowledge.
Think of at least two specific examples of how application information can be used to increase security.
It can identify if an application is port spoofing and deny it. It may be able to identify the application as a particular malware program and stop it. This can also alert the company that a particular malware program is present. In both cases, the specific host sending offending application messages is identified.
What does a firewall do when an arriving packet is definitely an attack packet?
It drops it and logs it.
Why is direct propagation especially dangerous?
It happens without victim action. There is no indication that it is occurring. It happens very, very rapidly.
Why may fingerprint recognition be acceptable for user authentication to a laptop?
It is a weak form of authentication, but laptops are low-value assets.
Which state needs the most security protection? Why?
It is the connection-opening state, because this is when you authenticate the other party. Also, you exchange secrets that will be used during the connection.
Why is iris recognition desirable?
It is very precise and difficult to deceive, but it is expensive, so it is best for higher-value targets.
Does a firewall drop a packet if it probably is an attack packet?
It passes the packet and does not log it.
What is the difference between the two types of spyware mentioned in the text?
Keystroke loggers record your keystrokes. Data miners search your computer for specific information, such as bank accounts, social security numbers, and passwords.
Why are contractor firms more dangerous than other outside firms?
Like employees, they have access, know the systems, know how to avoid detection, and are trusted.
What was the traditional recommendation for passwords?
Make them long (8 to 12 bits, usually) and make them complex, with a combination of uppercase letters, lowercase letters, digits, and keyboard special characters (#^?, etc.). Change them frequently.
What is the U.S. National Institute of Standards and Technology's new recommendation?
Make them very long (passphrases instead of passwords), make them un-guessable, and don't worry about complexity. Do not change them frequently.
What are the most frequent types of attacks on companies?
Malware attacks are the most frequent problems that companies face. Nearly every firm has one or more significant malware compromises each year.
4a.) Payload
Malware delivered by social engineering and/or by exploiting vulnerability in software.
28. Cryptography
Mathematical methods for protecting communication.
How do they offer a broader picture of the threat environment than NGFWs?
NGFWs only log the packets they drop as if they are identified as definite attack packets. Only IDSs report packets that are highly suspicious; these may also be attacks.
Do all worms spread by direct propagation?
No. Only some.
Who mounts APTs today?
Originally, only nation states. Today, cybercriminals are also mounting APTs.
What are payloads?
Payloads are pieces of code that malware executes to do damage.
Distinguish between private networks and virtual private networks.
Private networks are for the exclusive use of an organization. Virtual private networks use physical networks that mix the traffic of many organizations but provide protection to individual conversations so that users appear to have private networks as far as security goes.
What are Trojan horses?
Programs that disguise themselves by taking the name of a legitimate program, usually a system program.
27. Credentials
Proof of identity that a supplicant can present during authentication.
What is ransomware?
Ransomware encrypts your hard drive. To get it unencrypted, you must pay ransom.
What can retailers do to defend themselves against counterfeit credit cards?
Retailers can defend themselves against counterfeit credit cards in one way: checking that the last four digits match those on the physical credit card.
Which form of authentication that we looked at depends on the supplicant proving that it knows something that only the true party should know?
Reusable password and digital certificate authentication. If an access card must be supplemented by a PIN, knowing the PIN would qualify.
Why may ex-employees attack?
Revenge or theft.
In Figure 4-18, explain why Rule 1 brings more security than Rule 2.
Rule 1 limits connections to a single webserver, limiting damage if there is inappropriate access. Rule 2 permits connections to all webservers. This may give access to internal webservers the company does not even know about. This is risky.
When a packet addressed to 60.1.232.89 arrives, what rule will the SPI firewall look at first?
Rule 1.
What type of firewall do most corporations use for their main border firewalls?
SPI firewalls.
Why is SSL/TLS attractive for VPNs to connect browsers to webservers?
SSL/TLS is built into every browser and webserver, so it can simply be turned on with no other cost.
6. Phishing
Social engineering attack that uses an official-looking e-mail message or website.
What is the goal of social engineering?
Social engineering consists of tricking the user into taking an action that compromises security. In some cases, a social engineering attack entices the user to click on a link that will take the victim to a site that asks the person to download a program to view a particular attachment. This downloaded program will actually be malware. In other cases, the e-mail may contain the malware directly, in the form of an attachment.
4b.) Ransomware
Software that encrypts programs and data until a ransom is paid to remove it.
1. Malware
Software that seeks to cause damage.
12. Spyware
Software that sits on a victim's machine and gathers information about the victim.
23. Crimeware
Software used to commit crime. Often built by a third party and sold to the attacker.
Is the supplicant the true party or is the supplicant an impostor?
Sometimes it is the True Party, sometimes an impostor. The whole purpose of authentication is to determine which it is.
What is spyware?
Spyware steals information from your computer and sends it to attackers.
32. Cryptanalysts
Study encrypted messages in order to learn encryption keys.
Does the verifier decrypt with the true party's public key or the supplicant's public key? Why is this important?
The True Party's public key. If it used the Supplicant's public key, it would always decrypt the response message correctly whether the supplicant is the True Party or an impostor.
34. Message Integrity
The assurance that a message has not been changed en route; or if a message has been changed, the receiver can tell that it has been changed.
Explain "advanced" in the term advanced persistent threat.
The attack uses sophisticated techniques beyond those of most hacking and other cybercrimes.
To what computer does the attacker send messages directly?
The command and control server.
What are the two states in connections for SPI firewalls?
The connection-opening state and the ongoing communication state.
15. Hacking
The intentional use of a computer resource without authorization or in excess of authorization.
What is the definition of hacking?
The intentional use of a computer resource without authorization or in excess of authorization.
In encryption for confidentiality, what must be kept secret?
The key (not the cipher itself).
35. Verifier
The party requiring the supplicant to prove his or her identity.
Who is the true party?
The party the supplicant claims to be.
36. Supplicant
The party trying to prove his or her identity.
What characteristic of the true party is used in access card authentication, iris authentication, and digital certificate authentication?
The physical access card and usually a memorized PIN. The supplicant's iris pattern in his or her eye. Knowing the True Party's private key.
33. Authentication
The requirement that someone who requests to use a resource must prove his or her identity.
7b.) What happens in the attack?
The service or network under attack (or its surrounding infrastructure) is overwhelmed with a flood of Internet traffic.
Distinguish between the supplicant and the verifier.
The supplicant is the party attempting to prove its identity, usually as a particular True Party. The verifier appraises the supplicant's credentials. If it is satisfied that the supplicant is who he, she, or it claims to be, the supplicant is verified.
14. Denial of Service (DoS)
The type of attack whose goal is to make a computer or a network unavailable to its users.
What is biometrics?
The use of biological measurements to authenticate you.
13. Biometrics
The use of bodily measurements to identify an applicant.
What does the verifier do?
The verifier decrypts the response message with the True Party's public key. If this recreates the challenge message, then the supplicant must know the True Party's private key and therefore is the True Party because only the True Party should know it.
Why are stateful packet inspection (SPI) firewalls attractive?
They are relatively inexpensive and provide quite strong protection.
What resources can they purchase and sell over the Internet?
They can purchase attack software and the time of expert attackers. They can use crime shops to sell what they have stolen.
How do Trojan horses propagate to computers?
They cannot travel by themselves. They do not mail themselves or propagate directly. They must be placed there by a hacker, another piece of malware, or the users themselves succumbing to social engineering.
Why is this type of attacker extremely dangerous?
They have the resources to procure good attack software and the income to sustain prolonged attacks.
Why are NGFWs more expensive than SPI firewalls? (The answer is not in the text.)
They must capture many packets, reassemble the application messages they contain, and analyze the messages to identify the application. This is a lot of work. An SPI firewall merely looks at port numbers in individual packets.
Why are SPI firewalls limited in their ability to detect attack packets?
They only check port numbers. Well-known port numbers are usually good proxies for applications, but attackers can run another application using a well-known port number. This is port number spoofing. A good example is running an attack program on Port 80, which many SPI firewalls are programmed to pass.
Why are SPI firewalls economical?
They provide strong protection for the critical opening phase. They do not use much processing power per packet during the ongoing communication phase, which is when nearly all packets are sent.
Why are they painful to use?
They tend to generate many false positives, identifying packets as suspicious when they are legitimate. This leads to considerable work investigating "attacks" that actually are legitimate traffic. This is very time consuming and tends to have the same impact as "the boy who cried wolf."
How do viruses and worms propagate using social engineering?
They trick the user into opening an attachment or taking some other action that installs them on the system.
How do adversaries often enter the system and then expand to other parts of it?
Through an employee or other insider, such as a contractor. A phishing attack is common.
What is the specific goal of authentication?
To determine if the supplicant is the true party or an impostor.
7a.) What is the purpose of denial of service attacks?
To disrupt normal traffic of a targeted server.
Why are other forms of authentication being created?
To end the use of reusable passwords.
Why is it important to read firewall logs daily?
To find out the types of attacks and volume of attacks you are facing.
What is the purpose of a denial-of-service attack?
To make the resource unavailable to legitimate users.
Why may employees attack?
To steal money and trade secrets they can sell. To take revenge on their employer or ex-employers.
5. Social Engineering
Tricking people into doing something to get around security protections.
If you see a username and password on a sticky note on a monitor, is it hacking if you use this information to log in? Explain in terms of the definition.
Yes, it is. You have no authorization to use it.
Distinguish between signature detection and behavioral pattern detection.
In signature detection, the antivirus program looks for signatures (patterns in the code) that characterize a particular piece of malware. Unfortunately, many malware programs change their code constantly, making signature detection unlikely to succeed. Behavioral pattern detection looks at what malware does. In a simple case, if it sees that a piece of code is attempting to reformat the hard drive, it will not accept it.
Are AV programs used to detect more than viruses? Explain.
Yes, they go beyond viruses to check for many types of malware. The name "antivirus program" was coined when viruses were nearly the only type of malware. It endures, but it is a little misleading.
Is it still important not to use the same password at multiple sites?
Yes.
How do you authenticate yourself with an access card?
You swipe it.
You discover that you can get into other e-mail accounts after you have logged in under your account. You spend just a few minutes looking at another user's mail. Is that hacking? Explain in terms of the definition.
You used the resource in excess of your authorization. By looking around, even briefly, you added intentionality. It is hacking.
Why do you think authentication is sometimes required before accepting a connection?
You want to be sure who is requesting a connection. You want to limit access to permitted individuals, not everybody.
4c.) Spyware
A special class of adware that collects data about the user and transmits it over the Internet without the user's knowledge or permission.
How can users eliminate vulnerabilities in their programs?
• If a vulnerability is found in a program, the user needs a patch file. A patch is a small program designed to fix the security vulnerability. • Once the user installs the patch, the program is safe from malware based on that particular vulnerability.
How was Target damaged by the breach?
• In the Target breach, one of the victims was Target itself, which suffered falling sales. From the revelation of the breach to February 2014, Target's sales fell 5.3% from the previous year and its profit fell 46%, roughly $500 million. • In addition, Target will probably pay several hundred million dollars in lawsuits brought by commercial and governmental organizations.
How were retailers damaged by the breach?
• In the Target breach, the fraud hit retailers the hardest. Fraudulently purchased merchandise is rarely recovered by the retailers. • Once credit card companies receive notification from consumers about fraudulent purchases, they do not pay the retailers for those purchases. Hence, the retailers face great monetary losses.
Were banks and credit card bureaus damaged by the breach?
• No. In the Target breach, banks and credit card bureaus did not suffer as much monetary loss as Target if the fraudulent purchase loss was reported. • These financial services companies do not pay the retail stores where the fraudulent purchases were made, because the consumer does not pay them. • Also, these financial services companies drop the fraudulent transactions from the consumer's bill if the consumers notify them quickly. These companies only face substantial costs in replacing compromised cards.
List the criminal groups, besides the main attackers, who were involved in the overall process.
• The online crimeware shop, which sells point-of-sale malware to the attackers. • The online card shops, which purchase batches of card data from the attackers. • The counterfeiters, who purchase card data from the online card shops to create fake cards.
How did the attackers exfiltrate the card data?
• The attackers first got credentials to access the network, then moved inside the network to the internal server that downloads updates to the POS systems. • The malware then collected the data from every card swiped at a POS terminal and sent the data to a compromised holding server. Thus, the attackers exfiltrated the data from the POS systems.
What benefit did the attackers seek to obtain from their actions?
• The attackers stole card data from the POS systems and sold it to online card shops. • Counterfeiters refined their purchases based on the same factors and created fake cards with the same information. • Depending on the characteristics of each card, the attackers gained from $20 to more than $100 per card. The cardholder needs to show a statement indicating that something wrong is happening with the card, so the card provider can protect the card information.
How were consumers damaged by the breach?
• Consumers were damaged by the breach if they did not report the fraudulent transactions to their card company. • Consumers are safe against fake credit card purchases if they quickly inform their credit card company about fraudulent charges on their bills. • The company will then drop these fraudulent transactions from the bills. This process results in lost time and frustration.
List the internal Target servers the attackers compromised.
• Vendor Server • Malware Download Server • Holding Server • Extrusion Server • Landing Server
What name do we give to attacks that occur before a patch is available?
• Zero-day attacks are threats that exploit a previously unknown vulnerability in a system, leaving users no time to address the attack and apply a patch. • It is called a zero-day attack because the time available to fix it is effectively zero days: no patch is yet available.
How do viruses and worms differ?
1. A virus is a small piece of code that attaches itself to other programs; that is, it requires a host program. A worm, in contrast, is a fully functional program that operates by itself without needing another program. 2. Antivirus programs can stop viruses but not directly propagating worms. 3. Firewalls keep systems safe from directly propagating worms but are unable to stop viruses.
What is the minimum size for encryption keys to be considered strong in most encryption ciphers?
128 bits.
