chapter 1 info
IP address spoofing attack
A hacker constructs an IP packet that appears to originate from a valid address inside the corporate intranet
sniffer attack
A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted and the attacker does not have access to the key
unencrypted devices
A stolen corporate laptop typically contains confidential organizational data. If the data is not stored using an encryption algorithm, then the thief can retrieve valuable confidential data
hyperjacking
An attacker could hijack a VM hypervisor (VM controlling software) and then use it as a launch point to attack other devices on the data center network
hard copy
Corporate data should be disposed of thoroughly. For example, confidential data should be shredded when no longer required. Otherwise, a thief could retrieve discarded reports and gain valuable information
state-sponsored
Depending on a person's perspective, these are either white hat or black hat hackers who steal government secrets, gather intelligence, and sabotage networks. Their targets are foreign governments, terrorist groups, and corporations. Most countries in the world participate to some degree in state-sponsored hacking
SQL slammer worm
DoS attack that exploited a buffer overflow bug in Microsoft's SQL Server. At its peak, it doubled in size every 8.5 seconds. This is why it was able to infect 250,000+ hosts within 30 minutes
Reconnaissance Attacks
Hackers use these attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities
compromised-key attack
If a hacker obtains a secret key, it can be used to gain access to a secured communication without the sender or receiver being aware of the attack
password based attack
If hackers discover a valid user account, the attackers have the same rights as the real user. Hackers could use that valid account to obtain lists of other users and network information. They could also change server and network configurations, modify, reroute, or delete data
data modification attack
If hackers have captured enterprise traffic, they can alter the data in the packet without the knowledge of the sender or receiver
Ping of Death
In this legacy attack, the attacker sent a ping of death which was an echo request in an IP packet larger than the maximum packet size of 65,535 bytes. The receiving host would not be able to handle a packet of that size and it would crash
jailbreaking/root detection
Jailbreaking (on Apple iOS devices) and rooting (on Android devices) are a means to bypass the management of a device. MDM features can detect such bypasses and immediately restrict a device's access to the network or other corporate assets
data wipe
Lost or stolen devices can be remotely fully or partially wiped, either by the user or by an administrator via the MDM
removable media
One risk is that an employee could perform an unauthorized transfer of data to a USB drive. Another risk is that a USB drive containing valuable corporate data could be lost
improper access control
Passwords are the first line of defense. Stolen passwords or weak passwords which have been compromised can provide an attacker easy access to corporate data
password crackers
Passwords are the most vulnerable security threat. Password crackers are often referred to as password recovery tools and can be used to crack or recover a password. This is accomplished either by removing the original password, after bypassing the data encryption, or by outright discovery of the password. They repeatedly make guesses in order to crack the password and access the system. Examples include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa
cloud storage devices
Saving data to the cloud has many potential benefits. However, sensitive data can be lost if access to the cloud is compromised due to weak security settings
email/social networking
The most common vector for data loss includes instant messaging software and social media sites. For instance, intercepted email or IM messages could be captured and reveal confidential information
script kiddies
The term emerged in the 1990s and refers to teenagers or inexperienced hackers running existing scripts, tools, and exploits, to cause harm, but typically not for profit
cyber criminals
These are black hat hackers who are either self-employed or working for large cybercrime organizations. Each year, cyber criminals are responsible for stealing billions of dollars from consumers and businesses
white hat hackers
These are ethical hackers who use their programming skills for good, ethical, and legal purposes. White hat hackers may perform network penetration tests in an attempt to compromise networks and systems by using their knowledge of computer security systems to discover network vulnerabilities. Security vulnerabilities are reported to developers for them to fix before the vulnerabilities can be exploited. Some organizations award prizes or bounties to white hat hackers when they inform them of a vulnerability
hacktivists
These are grey hat hackers who rally and protest against different political and social ideas. Hacktivists publicly protest against organizations or governments by posting articles, videos, leaking sensitive information, and performing distributed denial of service (DDoS) attacks
grey hat hackers
These are individuals who commit crimes and do arguably unethical things, but not for personal gain or to cause damage. An example would be someone who compromises a network without permission and then discloses the vulnerability publicly. Grey hat hackers may disclose a vulnerability to the affected organization after having compromised their network. This allows the organization to fix the problem
hacking operating systems
These are specially designed operating systems preloaded with tools and technologies optimized for hacking. Examples of specially designed hacking operating systems include Kali Linux, SELinux, Knoppix, BackBox Linux
black hat hackers
These are unethical criminals who violate computer and network security for personal gain, or for malicious reasons, such as attacking networks. Black hat hackers exploit vulnerabilities to compromise computer and network systems
vulnerability broker
These are usually grey hat hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or rewards
debuggers
These tools are used by black hats to reverse engineer binary files when writing exploits. They are also used by white hats when analyzing malware. Examples include GDB, WinDbg, IDA Pro, and Immunity Debugger
forensic tools
These tools are used by white hat hackers to sniff out any trace of evidence existing in a particular computer system. Examples of tools include Sleuth Kit, Helix, Maltego, and Encase
packet sniffers
These tools are used to capture and analyze packets within traditional Ethernet LANs or WLANs. Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip
packet crafting tools
These tools are used to probe and test a firewall's robustness using specially crafted forged packets. Examples include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis
vulnerability exploitation tools
These tools identify whether a remote host is vulnerable to a security attack. Examples of vulnerability exploitation tools include Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker
encryption tools
These tools safeguard the contents of an organization's data at rest and data in motion. They use algorithm schemes to encode the data to prevent unauthorized access to the encrypted data. Examples of these tools include VeraCrypt, CipherShed, OpenSSH, OpenSSL, Tor, OpenVPN, and Stunnel
vulnerability scanners
These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and to scan VMs, BYOD devices, and client databases. Examples of tools include Nipper, Secunia PSI, Core Impact, Nessus v6, SAINT, and OpenVAS
man in the middle attack
This attack occurs when hackers have positioned themselves between a source and destination. They can now actively monitor, capture, and control the communication transparently
inside perimeter security
This can include continuous video surveillance, electronic motion detectors, security traps, and biometric access and exit sensors.
outside perimeter security
This can include on-premise security officers, fences, gates, continuous video surveillance, and security breach alarms
wireless router
This consumer-grade wireless router provides integrated firewall features and secure wireless connections
destructive trojan horse
This corrupts or deletes files.
FTP trojan horse
This enables unauthorized file transfer services on end devices
remote access trojan horse
This enables unauthorized remote access
antivirus storms
This happens when all VMs attempt to download antivirus data files at the same time
rootkit detectors
This is a directory and file integrity checker used by white hats to detect installed rootkits. Example tools include AIDE, Netfilter, and PF: OpenBSD Packet Filter
SOHO site
This is a small branch site that connects to the corporate main site using a Cisco wireless router.
vulnerability
This is defined as a weakness or flaw in the network. The vulnerability can be exploited by an attacker to negatively impact a network, or to access confidential data within an organization. Sources of network vulnerabilities include weak and unsecure network protocols, configuration errors, or weak security policies.
regional site
This is larger than a branch site and connects to the corporate main site using an ASA. The ASA can establish a permanent always-on VPN connection to the main site ASA.
mitigation
This is the action of reducing the severity of the vulnerability. Network security involves multiple mitigation techniques.
threat
This is the potential for a vulnerability to turn into a network attack. Threats include malware, exploits, and more.
risk
This is the potential of a threat to exploit the vulnerabilities of an asset in order to negatively affect an organization. Risk is measured using the probability of the occurrence of an event and its consequence.
eavesdropping attack
This is when a hacker captures and "listens" to network traffic. This attack is also referred to as sniffing or snooping
Phishing
This malware attempts to convince people to divulge sensitive information. An example is an email that appears to come from the user's bank asking them to divulge their account and PIN numbers
Ransomware
This malware denies access to the infected computer system. It demands a paid ransom for the restriction to be removed
Scareware
This malware includes scam software which uses social engineering to shock or induce anxiety by creating the perception of a threat. It is generally directed at an unsuspecting user
Rootkits
This malware is installed on a compromised system. After it is installed, it continues to hide its intrusion and maintain privileged access for the hacker
Spyware
This malware is used to gather information about a user and send the information to another entity, without the user's consent. It can be classified as system monitors, Trojan horses, adware, tracking cookies, and key loggers
Adware
This malware typically displays annoying pop-ups to generate revenue for its author. The malware may analyze user interests by tracking the websites visited. It can then send pop-up advertising pertinent to those sites
data sending trojan horse
This provides the attacker with sensitive data, such as passwords
branch site
This site connects to the corporate main site using a hardened ISR. The ISR can establish a permanent always-on VPN connection to the main site ASA.
DoS trojan horse
This slows or halts network activity
security software disabler trojan horse
This stops antivirus programs or firewalls from functioning.
proxy trojan horse
This will use the victim's computer as the source device to launch attacks and perform other illegal activities
instant on activation
When a VM that has not been used for a period of time is brought online, it may have outdated security policies that deviate from the baseline security and can introduce security vulnerabilities.
data loss prevention (DLP)
While data protection functions (like PIN locking, data encryption and remote data wiping) prevent unauthorized users from accessing data, DLP prevents authorized users from doing careless or malicious things with critical data
wireless hacking tools
Wireless networks are more susceptible to network security threats. These tools are used to intentionally hack into a wireless network to detect security vulnerabilities. Examples include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.
hacker
a common term used to describe a network attacker
attack vector
a path or other means by which an attacker can gain access to a server, host, or network
cisco adaptive security appliance (ASA)
a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. It provides proactive threat defense that stops attacks before they spread through the network
rootkit
a set of software tools that enable an unauthorized user to gain control of a computer system without being detected
virtual machine
a software computer that, like a physical computer, runs an operating system and applications. It comprises a set of specification and configuration files and is backed by the physical resources of a host
interrupt service routine
a software routine that hardware invokes in response to an interrupt. It examines the interrupt and determines how to handle it, handles the interrupt, and then returns a logical interrupt value
layer 3 switch
a specialized hardware device used in network routing. Layer 3 switches technically share much in common with traditional routers. Both can support the same routing protocols. Both inspect incoming packets and make dynamic routing decisions based on the source and destination addresses inside
local area network (LAN)
a system for linking personal computers and workstations with each other in order to share data, devices, programs, etc.; it is usually confined to one office, building, or home
intrusion prevention system (IPS)
a system that monitors a network for malicious activities such as security threats or policy violations. The main function of an IPS is to identify suspicious activity, and then log information, attempt to block the activity, and then finally to report it
post office protocol (POP)
a type of computer networking and Internet standard protocol that extracts and retrieves email from a remote mail server for access by the host machine
layer 2 switch
a type of network switch or device that works on the data link layer (OSI Layer 2) and uses MAC addresses to determine the path through which frames are to be forwarded. It uses hardware-based switching techniques to connect and transmit data in a local area network (LAN)
media access control addresses (MAC)
a unique identifier assigned to network interfaces for communications at the data link layer of a network segment. It is used as a network address for most IEEE 802 network technologies, including Ethernet and Wi-Fi
MyDoom worm
activated by an unsuspecting user (i.e., User1) by opening an attachment in an email. The attachment released the worm, which was able to learn all available email addresses on the system. The worm would then send spam email to all the recipients it discovered. This affected the Internet dramatically. Other users (i.e., User2) would open the attachment from User1 and the cycle would repeat
Social engineering attacks
an access attack that attempts to manipulate individuals into performing actions or divulging confidential information
Denial of Service (DoS)
an attack that floods a website with useless traffic to inundate and overwhelm the network
authentication, authorization, and accounting server (AAA)
authenticates users, authorizes what they are allowed to do, and tracks what they are doing
BYOD
bring your own device
campus area network (CAN)
consists of interconnected LANs within a limited geographic area
Access Attacks
exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information. The goals are to retrieve data, to gain access, and to escalate access privileges
mobile device management (MDM)
MDM features secure, monitor, and manage mobile devices, including corporate-owned devices and employee-owned devices. MDM-supported and managed devices include not only handheld devices, such as smartphones and tablets, but also laptop and desktop computing devices
code red worm
initially infected 658 servers; within 19 hours, the worm had infected over 300,000 servers
virus
malicious code that is attached to executable files, which are often legitimate programs. Most require end user activation and can lie dormant for an extended period and then activate at a specific time or date
trojan horses
malware that carries out malicious operations under the guise of a desired function. It comes with malicious code hidden inside it. This malicious code exploits the privileges of the user that runs it. Trojan horses are often found attached to online games
DoS attack
prevents normal use of a computer or network by valid users. After gaining access to your network, it can crash applications or network services. It can also flood a computer or the entire network with traffic until a shutdown occurs because of the overload. It can also block traffic, which results in a loss of access to network resources by authorized users
small office home office (SOHO)
relating to a market for relatively inexpensive consumer electronics used by individuals and small companies
worms
replicate themselves by independently exploiting vulnerabilities in networks. They usually slow down networks. They all have an enabling vulnerability, a way to propagate themselves, and they all contain a payload
cloud computing
separates the application from the hardware
DDoS attacks
similar in intent to a DoS attack, except that this increases in magnitude because it originates from multiple, coordinated sources. DDoS attacks also introduce new terms such as botnets, handler systems, and zombie computers
wide area network (WAN)
span a wide geographical area, often over the public Internet
PIN enforcement
the first and most effective step in preventing unauthorized access to a device. Furthermore, strong password policies can also be enforced by an MDM, reducing the likelihood of brute-force attacks
virtualization
the foundation of Cloud computing, separates the OS from the hardware.
fuzzers to search vulnerability
tools used by hackers when attempting to discover a computer system's security vulnerabilities. Examples include Skipfish, Wapiti, and W3af
data center networks
typically housed in an off-site facility to store sensitive or proprietary data. These sites are interconnected to corporate sites using VPN technology with ASA devices and integrated data center switches, such as high-speed Nexus switches
network scanning and hacking tools
used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples include Nmap, SuperScan, Angry IP Scanner, and NetScanTools
data loss
when data is intentionally or unintentionally lost, stolen, or leaked to the outside world