13.1 - 13.8 Network Security
Dumpster diving is a low-tech means of gathering information that may be useful for gaining unauthorized access or as a starting point for more advanced attacks. How can a company reduce the risk associated with dumpster diving? Mandate the use of Integrated Windows Authentication. Secure all terminals with screensaver passwords. Establish and enforce a document destruction policy. Create a strong password policy.
Establish and enforce a document destruction policy. Dumpster diving is best addressed by a document destruction policy. All sensitive documents should be shredded or burned, and employees should be trained on the proper use of disposal equipment and the policies governing the disposal of sensitive information. A strong password policy, authentication types, and screensaver passwords are not enough to prevent the risk associated with dumpster diving. Username and password complexity efforts are wasted if employees document and dispose of this information in an insecure fashion.
Perimeter Barriers
For a secure facility, the first physical security measure is to secure the building perimeter and restrict access to only secure entry points. Methods for securing the perimeter provide multiple functions: > Fences provide an environmental barrier that prevents easy access to the facility. > Barricades prevent vehicles from approaching the facility. > Signs inform individuals that they are entering a secured area. > Lighting deters casual intruders, helps guards to see intruders, and is necessary for most cameras to monitor an area. To be effective, lights should be placed to eliminate shadows or dark spots. > Security guards offer the best protection for perimeter security because they can actively respond to a variety of threat situations. Security guards can also reference an access list that explicitly lists who can enter a secure facility. However, guards are expensive, require training, and can be unreliable or inconsistent.
HTTP (Session) Hijacking
HTTP (session) hijacking is a real-time attack in which the attacker hijacks a legitimate user's cookies and uses the cookies to take over the HTTP session.
Christmas (Xmas) Tree
A Christmas (Xmas) tree attack (also known as Christmas tree scan, nastygram, kamikaze, or lamp test segment) uses an IP packet with every option turned on for the protocol being used. Christmas tree packets can be used to conduct reconnaissance by scanning for open ports and a DoS attack if sent in large numbers.
LAND
A LAND attack is when an attacker floods the victim's system with packets that have forged headers.
Smurf
A Smurf attack is a form of DrDoS attack that spoofs the source address in ICMP packets. A Smurf attack requires an attacker system, an amplification network, and a victim computer or network.
Trojan Horse
A Trojan horse is a malicious program that is disguised as legitimate or desirable software.
Botnet
A botnet refers to a group of zombie computers that are commanded from a central control infrastructure.
Logic Bomb
A logic bomb is designed to execute only under predefined conditions and lies dormant until the predefined condition is met.
Man-in-the-Middle
A man-in-the-middle attack is used to intercept information between two communication partners.
Mantrap
A mantrap is a specialized entrance with two doors that creates a security buffer zone between two areas. Once a person enters into the space between the doors, both doors are locked. To enter the facility, authentication must be provided.
Permanent Denial-of-Service (PDoS)
A permanent denial-of-service (PDoS) is an attack that damages a system so badly that it requires the replacement or re-installation of hardware.
Phishing
A phishing scam is an email pretending to be from a trusted organization that asks a user to verify personal information or send money.
Phishing
A phishing scam is an email pretending to be from a trusted organization, asking to verify personal information or send money. In a phishing attack: > A fraudulent message (that appears to be legitimate) is sent to a target. > The message requests that the target visit a fraudulent website (which also appears to be legitimate). Graphics, links, and websites look almost identical to legitimate requests and websites they are trying to represent. > The fraudulent website requests that the victim provide sensitive information such as the account number and password. Common phishing scams include the following features: > A Rock Phish kit is a fake website that imitates a real website (such as banks, PayPal®, eBay®, and Amazon®). Phishing emails direct you to the fake website to enter account information. A single server can host multiple fake sites using multiple registered DNS names. These sites can be set up and taken down rapidly to avoid detection. > A Nigerian scam, also known as a 419 scam, involves emails that request a small amount of money to help transfer funds from a foreign country. For your assistance, you are to receive a reward for a much larger amount of money that will be sent to you at a later date. > In spear phishing, attackers gather information about the victim, such as identifying which online banks they use. They then send phishing emails that appear to be from the user's bank. > Whaling is another form of phishing that targets senior executives and high-profile victims. > Vishing is similar to phishing. Instead of an email, the attacker uses Voice over IP (VoIP) to gain sensitive information. The term is a combination of voice and phishing. To protect against phishing: > Check the actual link destination within emails to verify that they go to the correct URL, not a spoofed one. > Do not click on links in emails. Instead, type the real bank URL into the browser. > Verify that HTTPS is used on e-commerce sites. HTTPS requires a certificate that matches the server name in the URL that is verified by a trusted CA. You can also look for the lock icon to verify that HTTPS is used. > Implement phishing protections within your browser.
Ping Flood
A ping flood is a simple DoS attack where the attacker overwhelms the victim with ICMP Echo Request (ping) packets.
Rootkit
A rootkit is a set of programs that allow attackers to maintain permanent and hidden administrator-level access to a computer.
Virus
A virus is a program that attempts to damage a computer system and replicate itself to other computer systems.
Worm
A worm is a self-replicating program.
Zombie
A zombie is a computer that is infected with malware that allows remote software updates and control through a command and control center called a zombie master.
ARP Spoofing
ARP spoofing (also known as ARP poisoning) uses spoofed ARP messages to associate a different MAC address with an IP address. ARP spoofing can also be used to perform Denial of Service (DoS) attacks by redirecting communications to fake or nonexistent MAC addresses.
Adware
Adware monitors actions that denote personal preferences and then sends pop-ups and ads that match those preferences.
Anti-Passback System
An anti-passback system prevents a card holder from passing their card back to a second person to gain entry into the same controlled area.
Which of the following inter-facility system would prevent an access cardholder from giving their card to someone after they have gained access? Mantrap Anti-passback system Turnstile Double entry door
Anti-passback system An anti-passback system is used when a physical access token is required for entry, and prevents a card holder from passing their card back to someone else. A mantrap is a specialized entrance with two doors that creates a security buffer zone between two areas. Once a person enters into the space between the doors, both doors are locked. To enter the facility, authentication must be provided. This may include visual identification and identification credentials. A turnstile is a barrier that permits entry in only one direction. Turnstiles are often used to permit easy exit from a secure area. Entry is controlled through a mantrap or other system that requires authentication for entry. A double entry door has two doors that are locked from the outside but with crash bars on the inside that allow easy exit. Double entry doors are typically used only for emergency exits, and alarms sound when the doors are opened.
13.1 Physical Security
As you study this section, answer the following questions: > What are some examples of physical security measures you can implement to protect your network? > Which physical control measure uses mantraps, turnstiles, and double-entry doors? > Who can prevent and react to security breaches? > Which type of physical security system establishes controls at each layer to ensure that defeating one level of security does not allow an attacker subsequent access? > What is the difference between an anti-passback system and a motion detector? In this section, you will learn to: > Implement Physical Security. > The key terms for this section include:
13.2 Social Engineering
As you study this section, answer the following questions: > What is social engineering? What is the best defense against social engineering? > What is the difference between piggybacking and tailgating? > How can you verify that a website is using HTTPS? > What is the difference between pretexting and masquerading? > In which type of social engineering attack does an attacker lie about having authority or use their high status in a company to force victims to provide information? In this section, you will learn to: > Respond to social engineering exploits. The key terms for this section include:
13.3 Network Vulnerabilities and Threats 1
As you study this section, answer the following questions: > What is the main goal in a denial of service (DoS) attack? > How do DDoS and DRDoS attacks differ? > What is the difference between a virus and a worm? > In addition to implementing virus scanning software, what must you do to ensure that you are protected from the latest virus variations? > In which type of spoofing are packets intended for the default gateway sent to the attacker instead? > In which type of session attack does the attacker hijack and exploit a user's cookies? In this section, you will learn to: > Perform a UDP Flood Attack. > Perform ARP Poisoning. The key terms for this section include:
What is the primary countermeasure to social engineering? Traffic filters Heavy management oversight A written security policy Awareness
Awareness The primary countermeasure to social engineering is awareness. If users are unaware of the necessity for security in your organization and they are not properly trained to support and provide security, they are vulnerable to numerous social engineering exploits. Awareness training focused on preventing social engineering should include methods for authenticating personnel over the phone, assigning classification levels to information and activities, and educating your personnel on what information should not be distributed over the phone. A written security policy is a countermeasure against social engineering, but without awareness training, it is useless. Heavy management oversight may provide some safeguards that protect users from social engineering, but management is less effective than awareness. Traffic filters are not countermeasures for social engineering because they do not focus on solving the human problem inherent in social engineering attacks.
Closed-Circuit Television (CCTV)
CCTV is a television system in which signals are not publicly distributed but are monitored privately, primarily for surveillance and security purposes.
13.1.4 Practice Questions
CIST 1401
13.2.5 Practice Questions
CIST 1401
Caller ID Spoofing
Caller ID spoofing causes the telephone network to display a number on the recipient's caller ID display that implies that a call is coming from a legitimate source.
Closed-Circuit Television (CCTV)
Closed-circuit television can be used as both a preventative tool (when monitoring live events) or as an investigative tool (when events are recorded for later playback). When CCTV is used in a preventative way, you must have a guard or other person available who monitors one or more cameras. The cameras effectively expand the area that can be monitored by the guard. Video surveillance can detect security breaches, but only guards can prevent and react to security breaches. When choosing a CCTV camera, consider the following features. > Camera specifications: - The resolution is rated in the number of lines included in the image. In general, the higher the resolution number, the sharper the image (e.g., 500 resolution). - The focal length measures the magnification power of a lens. The focal length controls the distance that the camera can see, as well as how much detail can be seen at a specific range. A higher focal length lets you see more detail at a greater distance (e.g., 50 mm). - LUX is a measure of the sensitivity to light. The lower the number, the less light needed for a clear image (e.g., .05 LUX). > Cameras models: - Pan-tilt-zoom (PTZ) cameras allow you to manually control the camera and zoom in on specific areas. Some PTZ cameras have an automatic mode that moves the camera between several preset locations. - Bullet cameras have a built-in lenses and are long and round in shape. Most bullet cameras can be used indoors or outdoors. - C-mount cameras have interchangeable lenses and are typically rectangle in shape with the lens on the end. Most c-mount cameras require a special housing to be used outdoors. - Dome cameras are protected with a plastic or glass dome. These cameras are more vandal-resistant than other cameras. > Camera lenses: - Varifocal lenses allow you to zoom the camera in on a location. - Fixed lenses have a set focal length and are unable to zoom.
You are an IT consultant and are visiting a new client's site to become familiar with their network. As you walk around their facility, you note the following: When you enter the facility, a receptionist greets you and directs you down the hallway to the office manager's cubicle. The receptionist uses a notebook system that is secured to her desk with a cable lock. The office manager informs you that the organization's servers are kept in a locked closet. Only she has the key to the closet. When you arrive on site, you will be required to get the key from her to access the closet. She informs you that server backups are configured to run each night. A rotation of external USB hard disks are used as the backup media. You notice the organization's network switch is kept in an empty cubicle adjacent to the office manager's workspace. You notice that a router/firewall/content filter all-in-one device has been implemented in the server closet to protect the internal network from external attacks. Which security-related recommendations should you make to this client? (Select two.) Replace the USB hard disks used for server backups with a tape drive. Replace the key lock on the server closet with a card reader. Control access to the work area with locking doors and card readers. Use separate dedicated network perimeter security devices instead of an all-in-one device. Relocate the switch to the locked server closet.
Control access to the work area with locking doors and card readers. Relocate the switch to the locked server closet. In this scenario, you should recommend the client make the following changes: Relocate the switch to the locked server closet. Keeping it in a cubicle could allow an attacker to configure port mirroring on the switch and capture network traffic. Control access to the work area with locking doors and card readers. Controlling access to the building is critical for preventing unauthorized people from gaining access to computers. In this scenario, you were able to walk unescorted into the work area without any kind of physical access control other than the receptionist. Because the office manager will control who has access to the server closet key, it isn't necessary to implement a card reader on the server closet door. Using tape drives instead of hard disks wouldn't increase the security of the backups. Using separate perimeter security devices instead of an all-in-one device would be unlikely to increase the security of the network.
Crimeware
Crimeware is designed to facilitate identity theft by gaining access to a user's online financial accounts, such as banks and online retailers.
DoS and DDoS
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks impact system availability by flooding the target system with traffic or requests or by exploiting a system or software flaw.
Which of the following can be used to stop piggybacking from occurring at a front entrance where employees swipe smart cards to gain entry? Install security cameras Use key locks rather than electronic locks Use weight scales Deploy a mantrap
Deploy a mantrap Piggybacking is the activity where an authorized or unauthorized individual gains entry into a secured area by exploiting the credentials of a prior person. Often, the first person will authenticate, unlock the door, and then hold it open for the next person to enter without forcing them to authenticate separately. Piggybacking can be stopped by a mantrap. A mantrap is a single-person room with two doors. It often includes a scale to prevent piggybacking. It requires proper authentication before unlocking the inner door to allow authorized personal into a secured area. Those who fail to properly authenticate are held captive until authorities respond. A security camera may deter piggybacking, but it does not directly stop piggybacking. Using weight scales inside a mantrap will stop piggybacking, but they are not useful or effective without the mantrap. The use of conventional keys as opposed to electronic locks does little to prevent piggybacking and may actually make piggybacking more prevalent.
On your way into the back entrance of the building at work one morning, a man dressed as a plumber asks you to let him in so he can fix the restroom. What should you do? Let him in and help him find the restroom. Then let him work. Let him in. Direct him to the front entrance and instruct him to check in with the receptionist. Tell him no and quickly close the door.
Direct him to the front entrance and instruct him to check in with the receptionist. You should direct him to the front entrance, where he can check in with the proper people at your organization. Letting him in without knowing if he should be there could compromise security. Turning him away would be unprofessional.
Door Locks
Door locks allow access only to those with the proper key. Lock types include: > Pick-resistant locks with restricted key duplication are the most secure key lock. It is important to note that all traditional key locks are vulnerable to lock picking. > Keypad locks require knowledge of a code and reduce the threat of lost keys and cards. Clean keypads frequently to remove indications of buttons used. > Electronic systems often use key cards (or ID badges) instead of keys to allow access - Dumb cards contain limited information. - Smart cards have the ability to encrypt access information. Smart cards can be contact or contactless. Contactless smart cards use the 13.56 MHz frequency to communicate with proximity readers. - Proximity cards, also known as RFID (radio frequency identification) cards, are a subset of smart cards that use the 125 kHz frequency to communicate with proximity readers. Proximity cards differ from smart cards because they are designed to communicate only the card's identity. A smart card can communicate much more information. > Biometric locks increase security by using fingerprints or iris scans. They reduce the threat of lost keys or cards.
Doors
Doors can enhance security if they are properly implemented. There are many types of doors, but three are commonly used for security purposes. > A mantrap is a specialized entrance with two doors that creates a security buffer zone between two areas. - Once a person enters into the space between the doors, both doors are locked. - To enter the facility, authentication must be provided. This may include visual identification and identification credentials. - Mantraps should permit only a single person to enter, and authentication must be provided by each person. - If authentication is not provided, the intruder is kept in the mantrap until authorities arrive. > A turnstile is a barrier that permits entry in only one direction. - Physical turnstiles are often used to control entry for large events such as concerts or sporting events. - Optical turnstiles use sensors and alarms to control entry. - Turnstiles are often used to permit easy exit from a secure area. Entry is controlled through a mantrap or other system that requires authentication for entry. > A double-entry door has two doors that are locked from the outside but have crash bars on the inside that allow easy exit. Double-entry doors are typically used only for emergency exits, and alarms sound when the doors are opened. Regular doors are susceptible to social engineering attacks such as piggybacking and tailgating. Piggybacking and tailgating are when an attacker enters a secured building by following an authorized employee through a secure door and does not provide identification. Piggybacking usually implies consent from the authorized employee, whereas tailgating implies no consent from the authorized employee. Tailgating tactics include: > Simply following the authorized individual, making it appear that the authorized person is escorting the person who is tailgating. > Joining a group of people, making it appear as if the unauthorized person belongs with the crowd. > Preying on the kindness of the authorized person by coming up with an excuse for a lack of credentials and a need for admission. Problem points that are conducive to tailgating include: > An unmonitored entry point. > High-volume entry points where an unauthorized person may enter undetected.
Which of the following allows for easy exit of an area in the event of an emergency, but prevents entry? (Select two.) Anti-passback system Double-entry door PTZ CCTV Mantrap Turnstile
Double-entry door Turnstile A double entry door has two doors that are locked from the outside but with crash bars on the inside that allow easy exit. Double entry doors are typically used only for emergency exits, and alarms sound when the doors are opened. A turnstile is a barrier that permits entry in only one direction. Turnstiles are often used to permit easy exit from a secure area. Entry is controlled through a mantrap or other system that requires authentication for entry. A mantrap is a specialized entrance with two doors that creates a security buffer zone between two areas. Once a person enters into the space between the doors, both doors are locked. To enter the facility, authentication must be provided. This may include visual identification and identification credentials. An anti-passback system is used when a physical access token is required for entry, and prevents a card holder from passing their card back to someone else. A Pan Tilt Zoom (PTZ) camera lets you dynamically move the camera and zoom in on specific areas to monitor.
Which of the following are examples of social engineering? (Select two.) Dumpster diving Port scanning War dialing Shoulder surfing
Dumpster diving Shoulder surfing Social engineering leverages human nature. Internal employees are often the target of trickery, and false trust can quickly lead to a serious breach of information security. Shoulder surfing and dumpster diving are examples of social engineering. Shoulder surfing is the act of looking over an authorized user's shoulder in hopes of obtaining an access code or credentials. Dumpster diving involves searching through trash or other discarded items to obtain credentials or information that may facilitate further attacks. These low-tech attack methods are often the first course of action that a hacker pursues. Port scanning and war dialing are technical attacks that seek to take advantage of vulnerabilities in systems or networks.
Dumpster Diving
Dumpster diving is the process of looking in the trash for sensitive information that has not been properly disposed of.
Eavesdropping
Eavesdropping refers to an unauthorized person listening to employees or other authorized personnel as they discuss sensitive topics.
How can an organization help prevent social engineering attacks? (Select two.) Educate employees on the risks and countermeasures Utilize 3DES encryption for all user sessions Publish and enforce clearly written security policies Implement IPsec on all critical systems
Educate employees on the risks and countermeasures Publish and enforce clearly written security policies User training and policy enforcement are the keys to preventing social engineering attacks. Many users are not aware of social engineering risks. Training raises awareness, provides clear instructions for dealing with and reporting suspicious activity, and directly supports all published security policies. Technical countermeasures protect against automated attacks. Social engineering seeks to gain access by exploiting human nature.
Which of the following are solutions that address physical security? (Select two.) Escort visitors at all times. Disable guest accounts on computers. Require identification and name badges for all employees. Scan all floppy disks before use. Implement complex passwords.
Escort visitors at all times. Require identification and name badges for all employees. Physical security controls physical access to the network or its components. Physical security controls include: Requiring identification or key cards before entry is permitted. Escorting visitors at all times. Keeping doors and windows locked. Keeping devices with sensitive information out of view of public users. Keeping the server room locked and locking computers to racks or tables to prevent theft.
Match each physical security control on the left with an appropriate example of that control on the right. Each security control may be used once, more than once, or not at all.
Hardened carrier Protected cable distribution Barricades Perimeter barrier Alarmed carrier Protected cable distribution Emergency lighting Safety Biometric authentication Door locks Emergency escape plans Safety Anti-passback system Physical access control Exterior floodlights Perimeter barrier Physical security controls and their functions include the following: Perimeter barriers secure the building perimeter and restrict access to only secure entry points. Examples include barricades and floodlights. Door locks allow access only to those with the proper key. For example, a biometric authentication system requires an individual to submit to a finger print or retina scan before a door is unlocked. Physical access controls are implemented inside the facility to control who can go where. For example, an anti-passback system prevents a card holder from passing their card back to someone else. Safety controls help employees and visitors remain safe while on site. For example, consider devising escape plans that utilize the best escape routes for each area in your organization. In addition, emergency lighting should be implemented that runs on protected power and automatically switches on when the main power goes off. A protected distribution system (PDS) encases network cabling within a carrier. This enables data to be securely transferred through an area of lower security. In a hardened carrier PDS, network cabling is run within metal conduit. In an alarmed carrier PDS, an electronic alarm system is used to detect attempts to compromise the carrier and access the cable within it.
Hoax Emails
Hoax emails prey on email recipients who are fearful and believe most information if it is presented in a professional manner. Usually these hoax messages instruct the reader to delete key system files or download Trojan horse viruses.
Hoax Emails
Hoax emails prey on email recipients who are fearful and believe most information if it is presented in a professional manner. Usually, these hoax messages instruct the reader to delete key system files or download Trojan horse viruses.
Which of the following is a common social engineering attack? Hoax virus information emails Distributing false information about your organization's financial status Logging on with stolen credentials Using a sniffer to capture network traffic
Hoax virus information emails Hoax virus information emails are a form of social engineering attack. This type of attack preys on email recipients who are fearful and will believe most information if it is presented in a professional manner. All too often, the victims of these attacks fail to double-check the information or instructions with a reputable third-party antivirus software vendor before implementing the recommendations. Usually, these hoax messages instruct the reader to delete key system files or download Trojan horses. Social engineering relies on the trusting nature of individuals to incentivize them to take an action or allow an unauthorized action.
IP Spoofing
IP spoofing changes the IP address information within a packet. It can be used to hide the origin of the attack by spoofing the source address. It can also amplify attacks by sending a message to a broadcast address and then redirecting responses to a victim who is overwhelmed with responses.
Which of the following is not a form of social engineering? Impersonating a manager over the phone Impersonating a utility repair technician A virus hoax email message Impersonating a user by logging on with stolen credentials
Impersonating a user by logging on with stolen credentials Impersonating a user by logging on with stolen credentials is not a social engineering attack. It is an intrusion attack made possible by network packet capturing or obtaining logon credentials through social engineering. Impersonating someone over the phone or in person are easily recognizable forms of social engineering. A virus hoax email message is also a form of social engineering because it attacks people by exploiting common the weaknesses of fear and ignorance.
Replay Attack
In a replay attack, the attacker uses a protocol analyzer or sniffer to capture authentication information going from the client to the server. The attacker then uses this information to connect at a later time and pretend to be the client.
Which of the following CCTV types would you use in areas with little or no light? C-mount PTZ A camera with a high LUX rating Infrared
Infrared Infrared cameras can record images in little or no light. LUX is a measure of sensitivity to light. The lower the number, the less light needed for a clear image. Infrared cameras have a low LUX rating, meaning that little light is needed. A c-mount camera has interchangeable lenses and is typically rectangular in shape. A pan tilt zoom (PTZ) camera lets you dynamically move the camera and zoom in on specific areas.
Which of the following is the most important way to prevent console access to a network switch? Keep the switch in a room that is locked by a keypad. Implement an access list to prevent console connections. Set console and enable secret passwords. Disconnect the console cable when not in use.
Keep the switch in a room that is locked by a keypad. To control access to the switch console, you must keep it in a locked room. A console connection can only be established with a direct physical connection to the device. If the switch is in a locked room, only those with access will be able to make a console connection. In addition, even if you had set console passwords, users with physical access to the device could perform password recovery and gain access.
Which of the following controls is an example of a physical access control method? Locks on doors Smart cards Access control lists with permissions Hiring background checks Passwords
Locks on doors Locks on doors is an example of a physical access control method. Physical controls restrict or control physical access. Passwords, access control lists, and smart cards are all examples of technical controls. Even though a smart card is a physical object, the card by itself is part of a technical implementation. Requiring background checks for hiring is an example of a policy or an administrative control.
MAC Spoofing
MAC spoofing is when an attacking device spoofs the MAC address of a valid host currently in the MAC address table of the switch. The switch then forwards frames destined for that valid host to the attacking device.
Malware
Malware is a type of software designed to take over or damage a computer without the user's knowledge or approval.
Masquerading
Masquerading refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access.
Masquerading
Masquerading refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access. Masquerading is more passive than impersonating.
You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a cubicle near your office. You've backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer using an SSH client with a username of admin01 and a password of P@ssW0rd. You have used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device? Use a Telnet client to access the router configuration. Change the default administrative username and password. Use encrypted type 7 passwords. Use TFTP to back up the router configuration to a remote location. Move the router to a secure server room.
Move the router to a secure server room. In this scenario, the router is not physically secure. Anyone with access to the area could gain access to the router and manipulate its configuration by plugging into the console port. The device should be moved to a secure location, such as a server room, that requires an ID badge for access. You should not use a Telnet client to access the router configuration. Telnet transfers data in clear text over the network connection, exposing sensitive data to sniffing. The user name and password used to access the router configuration are reasonably strong. Encrypted type 7 passwords on a Cisco device are less secure than those protected with MD5. Using TFTP to manage the router configuration could expose sensitive information to sniffers, as it transmits data in clear text.
What is the primary difference between impersonation and masquerading? One is more active, and the other is more passive. One is used against administrator accounts, and the other is used against end user accounts. One is easily detected, and the other is subtle and stealthy. One is a real-time attack, and the other is an asynchronous attack.
One is more active, and the other is more passive. The primary difference between these two access control attacks is that impersonation is more active, while masquerading is more passive. Both impersonation and masquerading attacks can target type of user account. Both impersonation and masquerading attacks take place in real time. Neither impersonation nor masquerading attacks have an intrinsic quality of being easy or difficult to detect.
Which of the following is not an example of a physical barrier access control mechanism? Biometric locks Mantraps Fences One-time passwords
One-time passwords A one-time password is a logical or technical access control mechanism, not a physical barrier access control mechanism. A biometric lock is an entry way security device that keeps a door or gate locked until an authorized individual provides a valid biometric, such as a hand scan. A mantrap is a small room with two doors. Authorized users must authenticate to enter the room and then further authenticate to exit the room and enter the secured environment. If the second authentication fails, the intruder is retained in the room until authorities respond. A fence is a perimeter protection device designed to deter intruders and define the boundary of protection employed by an organization.
You want to use CCTV to increase your physical security. You want to be able to remotely control the camera position. Which camera type should you choose? Dome C-mount Bullet PTZ
PTZ A pan tilt zoom (PTZ) camera lets you dynamically move the camera and zoom in on specific areas (cameras without PTZ capabilities are manually set looking a specific direction). Automatic PTZ mode automatically moves the camera between several preset locations; manual PTZ lets an operator remotely control the camera positon. A bullet camera has a built-in lens and is long and round in shape. Most bullet cameras can be used indoors or outdoors. A c-mount camera has interchangeable lenses and is typically rectangular in shape. Most c-mount cameras require a special housing to be used outdoors. A dome camera is a camera protected with a plastic or glass dome. These cameras are more vandal-resistant than other cameras. PTZ cameras can be bullet, c-mount, or dome cameras.
Users on your network report that they have received an email stating that the company has just launched a new website. The email asks employees to click the website link in the email and log in using their username and password. No one in your company has sent this email. What type of attack is this? Phishing Piggybacking Smurf Man-in-the-middle
Phishing Phishing uses an email and a spoofed website to obtain sensitive information. In a phishing attack: A fraudulent message that appears to be legitimate is sent to a target. The message guides the target to a website that appears to be legitimate. The fraudulent website asks the victim to provide sensitive information, such as an account number and password. Piggybacking refers to an attacker entering a secured building by following an authorized employee. A man-in-the-middle attack is used to intercept information passing between two communication partners. A Smurf attack is a DRDoS attack that spoofs the source address in ICMP packets.
Match the social engineering description on the left with the appropriate attack type on the right.
Phishing An attacker sends an email pretending to be from a trusted organization, asking users to access a website to verify personal information. Whaling An attacker gathers personal information about the target individual, who is a CEO. Spear phishing An attacker gathers personal information about the target individual in an organization. Dumpster diving An attacker searches through an organization's trash for sensitive information. Piggybacking An attacker enters a secure building by following an authorized employee through a secure door without providing identification. Vishing An attacker uses a telephone to convince target individuals to reveal their credit card information. Specific social engineering attacks include the following: Dumpster Diving Dumpster diving is the process of looking in the trash for sensitive information that has not been properly disposed of. Tailgating and Piggybacking Piggybacking and tailgating refer to an attacker entering a secured building by following an authorized employee through a secure door and not providing identification. Piggybacking usually implies consent from the authorized employee, whereas tailgating implies no consent from the authorized employee. Phishing A phishing scam is an email pretending to be from a trusted organization, asking the user to verify personal information or send money. In a phishing attack: A fraudulent message that appears to be legitimate is sent to a target. The message requests that the target visit a fraudulent website (which also appears to be legitimate). Graphics, links, and websites look almost identical to the legitimate websites they are trying to represent. The fraudulent website requests that the victim provide sensitive information, such as an account number and password. Common phishing scams include the following: A rock phish kit is a fake website that imitates a real website (such as banks, PayPal, eBay, and Amazon). Phishing emails direct you to the fake website to enter account information. A single server can host multiple fake sites using multiple registered DNS names. These sites can be set up and taken down rapidly to avoid detection. A Nigerian scam, also known as a 419 scam, involves email that requests a small amount of money to help transfer funds from a foreign country. For your assistance, you are to receive a reward for a much larger amount of money that will be sent to you at a later date. In spear phishing, attackers gather information about the victim, such as which online banks they use. They then send phishing emails for the specific bank. Whaling is another form of phishing that is targeted to senior executives and high-profile victims. Vishing is similar to phishing. But instead of an email, the attacker uses Voice over IP (VoIP) to gain sensitive information. The term is a combination of voice and phishing. Spear Phishing Spear phishing's goal is to gain access to information that will allow the attacker to gain commercial advantage or commit fraud. Spear phishing frequently involves sending seemingly genuine emails to all employees or members of specific teams.
Physical Access Controls
Physical access controls can be implemented inside the facility. > Physical controls may include key fobs, swipe cards, or badges. > To control access to sensitive areas within the facility, require a card swipe or reader. > Some systems can track personnel movement within a facility and proactively lock or unlock doors based on the access token device. > An anti-passback system prevents a card holder from passing their card back to someone else. > Physical controls are often implemented with sensors and alarms to detect unauthorized access - Photoelectric sensors detect motion and are better suited to detecting a perimeter breach than interior motion detection. - Wave pattern, heat sensing, and ultrasonic sensors are all better suited for interior motion detection than perimeter breach detection.
Physical Access Logs
Physical access logs are implemented by facility guards and require everyone gaining access to the facility to sign in.
13.1.2 Physical Security Facts
Physical security is the measures taken to protect corporate assets from threats, such as theft or damage. Important aspects of physical security include: > Restricting physical access to facilities and computer systems. > Preventing interruptions of computer services caused by problems such as loss of power or fire. > Preventing unauthorized disclosure of information. > Disposing of sensitive material. > Protecting the interior and exterior of your facility.
Tailgating and Piggybacking
Piggybacking and tailgating refer to an attacker entering a secured building by following an authorized employee through a secure door without providing identification. Piggybacking usually implies consent from the authorized employee, whereas tailgating implies no consent from the authorized employee.
Pretexting
Pretexting is the use of a fictitious scenario to persuade someone to perform an action or give information for which they are not authorized.
Pretexting
Pretexting is the use of a fictitious scenario to persuade someone to perform an action or give information for which they are not authorized. Pretexting usually requires the attacker to perform research to create a believable scenario.
Ransomware
Ransomware denies access to a computer system until the user pays a ransom.
Scareware
Scareware is a scam that fools users into thinking they have some form of malware on their system. The intent of the scam is to sell the user fake antivirus software to remove malware they don't have.
You want to use CCTV as a preventative security measure. Which of the following is a requirement for your plan? PTZ camera Security guards Sufficient lighting Low LUX or infrared camera
Security guards When used in a preventative way, you must have a guard or other person available who monitors one or more cameras. Only a security guard can interpret what the camera sees to make appropriate security decisions. Even with sufficient lighting on a low-lux or infrared camera, a camera is not a useful preventative measure without a security guard present to interpret images and make security decisions. A pan tilt zoom (PTZ) camera lets you dynamically move the camera and zoom in on specific areas.
Shoulder Surfing
Shoulder surfing involves looking over the shoulder of someone working on a computer.
Social Engineering
Social engineering is an attack that exploits human nature by convincing someone to reveal information or perform an activity.
13.2.2 Social Engineering Facts
Social engineering is an attack that exploits human nature by convincing someone to reveal information or perform an activity. There are two forms of social engineering. Passive social engineering takes advantage of the unintentional actions of others to gather information or gain access to a secure facility. Active social engineering involves direct interaction with users, asking them to reveal information or take actions. Attackers use the following methods: > Assuming a position of authority (boss or network administrator) > Bribery > Forgery > Flattery > Using a disguise > Placing a critical timeframe on an action
Spyware/Adware
Spyware and adware are pop-up advertisements that can have malicious objectives, such as tricking users into unknowingly downloading malware or gathering information about the user and sending it to a third party for commercial gain.
Spyware
Spyware is software that is installed without the user's consent or knowledge. Spyware is designed to intercept or take partial control of the user's interaction with the computer.
TCP/IP (session) Hijacking
TCP/IP hijacking is an extension of a man-in-the-middle attack where the attacker steals an open and active communication session from a legitimate user.
SYN Flood
The SYN flood exploits the TCP three-way handshake. So many resources are allocated that the victim cannot process a legitimate inbound request for a TCP/IP session.
Social Engineering Attack Characteristics
The following table describes common social engineering attacks.
Social Engineering Awareness Training
The most effective countermeasure for social engineering is employee awareness training on how to recognize social engineering schemes and how to respond appropriately. There are several countermeasures you should take. > Train employees to: - Protect information by: - Securely disposing of sensitive documents, disks, and devices. - Protecting sensitive information on a computer from prying eyes. - Protecting sensitive information from prying ears. - Implement online security by: - Verifying the validity of websites. - Verifying that requests for privileged information are authorized. - Using bookmarked links instead of links in emails to go to websites. - Double-checking email information or instructions with a reputable third party antivirus software vendor before implementing recommendations. - Never opening a suspicious email attachment. - Determine the value for types of information, such as dial-in numbers, usernames, passwords, network addresses, etc. The greater the value, the higher the security around those items should be maintained. - Not allow others to use the employee's identification to enter a secure facility. - Demand proof of identity over the phone and in person. > Implement strong identity verification methods to gain access to a secure building.
Ping of Death
The ping of death is a DoS attack that uses the ping utility to send oversized ICMP packets.
Control Characteristics
The table below lists several physical control measures and their characteristics.
Social Engineering Attack Types
There are seven main types of social engineering attacks. > Persuasive social engineering entails an attacker convincing a person to give them restricted information or access. > Reciprocity social engineering entails an attacker giving something of lesser or equal value to what they expect in return to the person who helps them gain access or information. > Social validation entails an attacker using peer pressure to coerce someone else to bend rules or give information that they should not. > Commitment social engineering entails convincing someone to buy into an overall idea, then demanding or including further specifics that were not presented up front. > Scarcity social engineering entails an attacker presenting an item as a limited-time or scarce quantity offer to increase sales. > Friendship social engineering entails an attacker using the premise of a friendship as a reason the victim should take unauthorized actions that benefit the attacker. > Authority social engineering entails an attacker either lying about having authority or using their high status in a company to force victims to perform actions or give information that exceeds their authorization level.
Five salesmen who work out of your office. They frequently leave their laptops laying on the desk in their cubicles. You are concerned that someone might walk by and take one of these laptops. Which of the following is the best way to address your concerns? Require strong passwords in the local security policy. Use cable locks to chain the laptops to the desks. Implement screen saver passwords. Encrypt all company data on the hard drives.
Use cable locks to chain the laptops to the desks. The main concern in this case is with laptops being stolen. The best protection against physical theft is to secure the laptops in place using a cable lock. Requiring strong passwords or using encryption might prevent unauthorized users from accessing data on the laptops, but does not prevent physical theft.
Which of the following CCTV camera types lets zoom the focus in and out? Fixed Varifocal C-mount Infrared
Varifocal A varifocal camera lens lets you adjust the focus (zoom). A fixed lens camera has a set focal length. Infrared cameras can record images in little or no light. A c-mount camera has interchangeable lenses and is typically rectangular in shape. You can change the focal length of a c-mount camera by changing the lens, but you can't zoom the focus unless the lens is a varifocal lens.
You have just received a generic-looking email that is addressed as coming from the administrator of your company. The email says that as part of a system upgrade, you need enter your username and password at a new website so you can manage your email and spam using the new service. What should you do? Click on the link in the email and look for company graphics or information before you enter the login information. Verify that the email was sent by the administrator and that this new service is legitimate. Click on the link in the email and follow the directions to enter your login information. Delete the email. Open a web browser, type in the URL included in the email, and follow the directions to enter your login credentials.
Verify that the email was sent by the administrator and that this new service is legitimate. You should verify that the email is legitimate and has come from your administrator. It is possible that the network administrator has signed up for a new service. If you ignore the message or delete it, you might not get the benefits the company has signed up for. However, the email might be a phishing attack. An attacker might be trying to capture personal information. By verifying the email with the administrator, you will be able to tell if it is legitimate.
A senior executive reports that she received a suspicious email concerning a sensitive internal project that is behind production. The email was sent from someone she doesn't know, and he is asking for immediate clarification on several of the project's details so the project can get back on schedule. Which type of an attack best describes the scenario? Masquerading MAC spoofing Passive Whaling
Whaling Whaling is a form of a social engineering attack that targets senior executives and high-profile victims. Social engineering is an attack that exploits human nature by convincing someone to reveal information or perform an activity. Masquerading is convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access. Passive social engineering attacks take advantage of the unintentional actions of others to gather information or gain access to a secure facility. MAC spoofing is changing the source MAC address on frames sent by the attacker and can be used to hide the identity of the attacker's computer or to impersonate another device on the network.
Layered Defense
When designing physical security, implement a layered defense system. A layered defense system implements controls at each layer to ensure that defeating one level of security does not allow an attacker subsequent access. Using multiple types of security controls within the same layer further enhances security. Tips for implementing a multi-layered defense system include: > Protect entry points with a card access system (or some other type of control) as well as a security camera. > Use a reception area to prevent the public, visitors, or contractors from entering secure areas of the building without an escort. > Use the card access or other system to block access to elevators and stairwells. This will prevent someone who successfully tailgates from gaining further access. > Use a different access system to secure offices or other sensitive area such as key locks, keypad locks, or biometric controls. > Implement security within offices and data centers by locking storage areas and using computer passwords. > Use cable locks on mobile computer devices, such as laptops and tablets. Cable locks secure mobile devices to stationary objects (such as desks or walls) and help prevent theft. > Employ a hardware checkout policy to ensure that hardware containing sensitive data does not leave the organization's premises without approval. Before hardware is removed from the prTailgating and Piggybackingemise, the device's serial number, make, and model number should be recorded.
13.2.4 Respond to Social Engineering Exploits
You are the IT security administrator for a small corporate network. The company president has received several emails that he is wary of. He has asked you to determine whether they are hazardous and handle them accordingly. In this lab, your task is to perform the following: Read each email and determine if it is legitimate. Delete any emails that are attempts at social engineering. Keep any emails that are safe. *Hold your mouse over the embedded links to see the actual URL in the status bar at the bottom of the screen. Actions you were required to perform: > Delete the Microsoft Windows Update Center phishing email > Delete the Online Banking phishing email > Delete the Grandma Jacklin forwarded email hoax > Delete the Emily Smith spear phishing email > Delete the Sara Goodwin malicious attachment email > Delete the Grandma Jacklin forwarded email hoax > Delete the Joe Davis malicious attachment email > Delete the Executive Recruiting whaling email
Asset Control
You can secure company equipment using asset tracking tags with tamper detection. Asset tracking tags contain company information, such as name, address, and a serial number. They identify company assets if found and may include a tracking device that allows them to be found and retrieved, if necessary. Tamper detection triggers a notification, in real time, if tags are removed or tampered with.
13.1.3 Implement Physical Security
You work as the IT security administrator for a small corporate network. You have designed the physical security of the offices and assets in the building, and now you need to implement your plan. You plan to install smart card readers. Smart cards have the ability to encrypt access information. Smart cards can require contact or be contactless. Proximity cards, also known as RFID (radio frequency identification) cards, are a subset of smart cards that use the 125 kHz frequency to communicate with proximity readers. Proximity cards differ from smart cards because they are designed to only communicate the card's ID, but the smart card can communicate more information. You also plan to use IP security cameras because they operate over the TCP/IP network. In this lab, your task is to perform the following: Install the smart card key readers. Install one reader at the building entrance and the other reader at the networking closet entrance. The key card readers should be contactless and record more than the card's ID. Install the IP security cameras. Record which employees enter and exit the networking closet with security cameras. The security cameras should operate over the TCP/IP network. Install the Restricted Access sign on the networking closet door. Install the visitor log on the lobby desk. *Create your physical security by dragging the correct items from the shelf into the various locations in the building. As you drag the items from the shelf, the possible drop locations are highlighted. Not all items on the shelf will be used. Complete this lab as follows: 1. Install the key card readers as follows: > Expand the Door Lock category on the shelf. > Drag a key card reader from the shelf to the highlighted location outside the building's front door. > Drag a key card reader from the shelf to the highlighted location outside the networking closet's door. 2. Install the security cameras as follows: > Expand the CCTV Cameras category on the shelf. > Drag the correct camera from the shelf to the highlighted circle inside the networking closet. > Drag the correct camera from the shelf to just outside the networking closet. 3. Install the warning sign as follows: > Expand the Restricted Access Signs category on the shelf. > Drag the sign from the shelf to the networking closet door. 4. Install the visitor log as follows: > Expand the Visitor Logs category on the shelf. > Drag the log from the shelf to the lobby desk. Install the card reader outside the building's front door Install the card reader outside the Networking Closet door Install the IP security camera inside the networking closet Install the IP security camera outside the networking closet Install the Restricted Access sign on the networking closet door Install the visitor log on the lobby desk