Chapter 9: Network Risk Management
Symptoms of Malware
- Unexplained file size increases - Significant, unexplained system performance decline - Unusual error messages - System memory loss - Unexpected rebooting - Display quality loss
DRDoS Attack (Distributed Reflection DoS)
A DDoS attack in which traffic is bounced off uninfected third-party hosts, called reflectors, before it reaches the target. The attacker sends requests with the target's address forged as the source, so the reflectors' replies all land on the victim.
DNS Amplification
A reflection DDoS attack in which the attacker sends small DNS queries, with the target's address forged as the source, to open DNS resolvers that answer with responses many times larger than the query. The resolvers deliver the amplified responses to the target, which is overwhelmed. Resolvers that answer recursive queries from anyone on the internet are what make it possible.
Zombie
A computer compromised by a hacker, virus, or trojan. Can be used to perform malicious tasks under remote direction.
Ping Flood
A denial of service attack in which the attacker attempts to overwhelm a targeted device with ICMP echo-request packets, causing the target to become inaccessible to normal traffic. When attack traffic comes from multiple devices, it becomes a DDoS attack.
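As an added example (not part of the original chapter), here is a rate-based detector that tells a single-source ping flood from a distributed one by counting ICMP echo requests per target per second and looking at how many apparent senders took part. The packet records, addresses and thresholds are constructed for illustration; a real deployment would feed it from a flow exporter or packet capture.

```python
"""Rate-based ICMP echo-request flood detector (added example, constructed data)."""
import math
from collections import Counter, defaultdict

ECHO_REQUEST = 8   # ICMP type 8 = echo request (ping); type 0 = echo reply


def build_sample_packets():
    """Constructed packet records, not captured traffic.
    Each record is (timestamp_seconds, src_ip, dst_ip, icmp_type)."""
    packets = []
    # Normal monitoring: one ping per second to 10.0.0.7.
    for i in range(3):
        packets.append((100.0 + i, "10.0.0.20", "10.0.0.7", ECHO_REQUEST))
    # Single-source flood: 300 echo requests hit 10.0.0.5 within one second.
    for i in range(300):
        packets.append((200.0 + i / 300, "192.0.2.10", "10.0.0.5", ECHO_REQUEST))
    # Distributed flood: 50 zombies send 10 requests each to 10.0.0.6 within one second.
    for z in range(50):
        for i in range(10):
            ts = 300.0 + (z * 10 + i) / 500
            packets.append((ts, f"198.51.100.{z + 1}", "10.0.0.6", ECHO_REQUEST))
    # Echo replies returning to the single-source attacker: must not be counted.
    for i in range(300):
        packets.append((400.0 + i / 300, "10.0.0.5", "192.0.2.10", 0))
    return packets


def detect_icmp_floods(packets, threshold=100, zombie_threshold=10):
    """Report every target that receives more than `threshold` echo requests
    within any single one-second bucket.

    Returns {dst_ip: {"peak_pps", "peak_second", "sources", "kind"}} where
    "kind" is "DDoS" when at least `zombie_threshold` distinct sources took
    part in the peak second, else "DoS". Source addresses in a flood are
    often spoofed, so `sources` is the number of *apparent* senders."""
    counts = defaultdict(Counter)            # dst -> Counter{second: requests}
    senders = defaultdict(set)               # (dst, second) -> set of src
    for ts, src, dst, icmp_type in packets:
        if icmp_type != ECHO_REQUEST:
            continue
        second = math.floor(ts)
        counts[dst][second] += 1
        senders[(dst, second)].add(src)

    floods = {}
    for dst, per_second in counts.items():
        peak_second, peak = per_second.most_common(1)[0]
        if peak <= threshold:
            continue
        n_sources = len(senders[(dst, peak_second)])
        floods[dst] = {
            "peak_pps": peak,
            "peak_second": peak_second,
            "sources": n_sources,
            "kind": "DDoS" if n_sources >= zombie_threshold else "DoS",
        }
    return floods


if __name__ == "__main__":
    for target, info in detect_icmp_floods(build_sample_packets()).items():
        print(f"{target}: {info['kind']} peak {info['peak_pps']} req/s "
              f"from {info['sources']} source(s)")
```

The threshold of 100 requests per second is a placeholder; tune it to what the monitored hosts normally see, and treat the source count as a hint rather than attribution, since the "zombies" in a DDoS may be spoofed addresses or reflectors.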
Ransomware
A program that encrypts data or locks a system until a ransom is paid.
Gray Hat Hacker
Abides by a code of ethics of their own. Might engage in illegal activity, but goal is to educate and assist.
Privileged User / Access Agreement
Addresses specific concerns related to the privileged access given to admins and support staff. When accessing privileged accounts: - Stay signed in only as long as needed, then sign off.
DNS Poisoning / Spoofing
By altering DNS records on a DNS server, or planting forged entries in a resolver's cache, an attacker redirects traffic meant for legitimate sites to phishing sites under the attacker's control.
Password Policy
Always change system default passwords. Do not use familiar information (names, birthdays, usernames). Do not use dictionary words. Make the password longer than 8 characters. Do not repeat words or number sequences. Do not write down or share the password. Use a different password for every system. Change it every 60 days. (Caveat: current NIST SP 800-63B guidance drops mandatory periodic changes in favour of length, screening against known-breached passwords, and changing a password immediately when compromise is suspected.)
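As an added example (not from the original chapter), the rules above turned into a checker that reports which ones a candidate password breaks. The default-password and dictionary lists are tiny constructed stand-ins; a real checker would load vendor default-password lists and a full dictionary.

```python
"""Password-policy checker for the rules listed above (added example)."""
import re

# Constructed lists for illustration; a real checker would load vendor
# default-password and dictionary files.
DEFAULT_PASSWORDS = {"admin", "password", "cisco", "changeme", "12345678"}
DICTIONARY_WORDS = {"summer", "welcome", "dragon", "network", "monkey"}


def has_run(text, length=4):
    """True if `text` contains `length` consecutive ascending or descending
    characters, e.g. '1234', '6543' or 'abcd'."""
    for i in range(len(text) - length + 1):
        chunk = text[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password, familiar=()):
    """Return the list of policy rules `password` breaks (empty = accepted).

    `familiar` holds strings tied to the user that must not appear in the
    password: username, names, birth year, pet name and so on."""
    problems = []
    lowered = password.lower()

    if lowered in DEFAULT_PASSWORDS:
        problems.append("is a known default password")
    if len(password) <= 8:
        problems.append("must be longer than 8 characters")
    for item in familiar:
        if item and item.lower() in lowered:
            problems.append(f"contains familiar information {item!r}")
    for word in sorted(DICTIONARY_WORDS):
        if word in lowered:
            problems.append(f"contains dictionary word {word!r}")
    # A group of two or more characters immediately repeated: 'abcabc', '1111'.
    if re.search(r"(.{2,})\1", lowered):
        problems.append("repeats a word or character group")
    if has_run(lowered):
        problems.append("contains a sequential run such as 1234 or abcd")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "summer1234", "JSmith2024!!", "Tq7#vL9p&Rw2"):
        verdict = check_password(candidate, familiar=("jsmith", "1985")) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Length is checked with `<= 8` because the policy says "longer than 8"; the repeat and run checks are what catch the "abcabc" and "1234" habits that survive naive complexity rules.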
Social Engineering
Manipulating people into giving up credentials or access rather than attacking the technology, for example simply asking for a password. Phishing, baiting, quid pro quo, and tailgating are all examples.
Unauthenticated Vulnerability Scanning
The scanner (or attacker) starts at the network perimeter with no credentials, looking for vulnerabilities that can be exploited without trusted user privileges.
Authenticated Vulnerability Scanning
The scanner is given the same access as a trusted user, so it can also find weaknesses visible only from inside, such as missing patches, weak local configurations, and excessive permissions.
Deauth Attack (Deauthentication)
Attacker sends fake deauthentication frames to the AP, the client, or both to trigger the deauthentication process and knock clients off the wireless network. Management frames are unauthenticated unless Protected Management Frames (802.11w, mandatory in WPA3) are enabled, which is the fix.
ARP Poisoning (Address Resolution Protocol)
Attacker sends forged ARP replies so that hosts update their ARP tables to map another host's IP address (typically the default gateway's) to the attacker's MAC address, routing the victims' traffic through the attacker. A common way to set up a MitM attack.
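As an added example (not from the original chapter), a detector that learns IP-to-MAC bindings from ARP replies and flags the contradictions a poisoning attack produces: a pinned address such as the gateway suddenly "at" a different MAC, and one MAC answering for several IPs. The reply records and addresses are constructed; on a real network the same logic is what tools like arpwatch apply to live traffic, and switches enforce it with Dynamic ARP Inspection against the DHCP snooping binding table.

```python
"""ARP-poisoning detector over ARP reply records (added example, constructed data)."""
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC = "00:11:22:33:44:01"


def build_sample_replies():
    """Constructed ARP replies, not captured traffic.
    Each record is (timestamp, sender_ip, sender_mac): 'sender_ip is at sender_mac'."""
    return [
        (1.0, "10.0.0.1", "00:11:22:33:44:01"),    # real gateway
        (1.5, "10.0.0.25", "00:11:22:33:44:25"),   # ordinary host
        (2.0, "10.0.0.1", "00:11:22:33:44:01"),
        (3.0, "10.0.0.1", "DE:AD:BE:EF:00:99"),    # forged: gateway IP now "at" attacker MAC
        (3.1, "10.0.0.1", "de:ad:be:ef:00:99"),    # repeated, as poisoning tools do
        (3.2, "10.0.0.25", "de:ad:be:ef:00:99"),   # attacker also claims the victim's IP
    ]


def detect_arp_poisoning(replies, static_bindings=None):
    """Learn IP->MAC bindings from ARP replies and flag contradictions.

    `static_bindings` (IP -> MAC) pins addresses that must never change, such
    as the default gateway; anything else is learned from the first reply seen.
    Returns {"conflicts": [...], "multi_ip_macs": {mac: {ips}}}. A MAC that
    answers for several IPs can be legitimate (a router, VRRP), so that list
    is reported for review rather than as an alert in itself."""
    bindings = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    ips_per_mac = defaultdict(set)
    conflicts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        ips_per_mac[mac].add(ip)
        expected = bindings.get(ip)
        if expected is None:
            bindings[ip] = mac            # first claim wins (learning mode)
        elif expected != mac:
            conflicts.append({"time": ts, "ip": ip,
                              "expected_mac": expected, "seen_mac": mac})
    multi = {mac: ips for mac, ips in ips_per_mac.items() if len(ips) > 1}
    return {"conflicts": conflicts, "multi_ip_macs": multi}


if __name__ == "__main__":
    report = detect_arp_poisoning(build_sample_replies(), {GATEWAY_IP: GATEWAY_MAC})
    for c in report["conflicts"]:
        print(f"t={c['time']}: {c['ip']} claimed by {c['seen_mac']}, expected {c['expected_mac']}")
    print("MACs claiming several IPs:", report["multi_ip_macs"])
```

Learning bindings from the first reply seen is the weak point of this approach: an attacker who poisons before the monitor starts looks legitimate. That is why the gateway and other critical addresses are pinned statically.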
Rogue DHCP Server
A DHCP server the attacker controls hands out leases whose default gateway or DNS server points at the attacker, which can be used to implement MitM attacks. DHCP messages should be monitored by a switch security feature called DHCP snooping: enabled with the ip dhcp snooping command on Cisco IOS, the switch drops DHCP server replies (OFFER/ACK) that arrive on ports not marked as trusted.
MDM Software (Mobile Device Management)
Can configure devices automatically for BYOD policy. MDM Software can: - Automate enrollment - Enforce password policies - Encrypt data on device - Sync data across devices - Wipe devices - Monitor locations
Scanning Tools
Can discover: - Available hosts - Services, processes, threads, including apps and versions running on hosts. - OSs on hosts. - Ports on hosts - Config of firewalls - Software configs - Unencrypted data
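As an added example (not from the original chapter), the core of what a scanning tool does, written out: a TCP connect scan that distinguishes open, closed and filtered ports and grabs the service banner that version detection is built on. The block starts its own throwaway service on 127.0.0.1 to stand in for a scanned host; the "SSH-2.0-OpenSSH_8.9" banner is constructed, not a real host's. NMAP does the same far more thoroughly (SYN scans, probe databases, OS fingerprinting), and remember that a banner is whatever the service chooses to send, so it can be faked.

```python
"""Minimal TCP connect scanner with banner grabbing (added example)."""
import socket
import threading

# Constructed banner; stands in for a real service on a scanned host.
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"


def start_banner_service(banner=SAMPLE_BANNER):
    """Start a throwaway TCP service on 127.0.0.1 (ephemeral port) that sends
    `banner` to each client. Returns (server_socket, port); close the socket
    to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # server socket closed
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def scan_port(host, port, timeout=1.0):
    """TCP connect scan of one port. Returns (state, banner).
    A refused connection means "closed"; a timeout is reported as "filtered",
    which is how a firewall silently dropping packets looks to the scanner."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return ("closed", None)
        except OSError:              # includes timeouts
            return ("filtered", None)
        try:
            data = s.recv(256)       # many services announce themselves first
        except OSError:
            data = b""
        return ("open", data.decode("ascii", "replace").strip() or None)


def scan_ports(host, ports):
    """Scan several ports; returns {port: (state, banner)}."""
    return {port: scan_port(host, port) for port in ports}


def free_port():
    """Bind-and-release to find a loopback port that should currently be closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, open_port = start_banner_service()
    for p, (state, banner) in scan_ports("127.0.0.1", [open_port, free_port()]).items():
        print(f"127.0.0.1:{p} {state} {banner or ''}")
    server.close()
```

Only scan hosts you are authorized to test: a connect scan completes the TCP handshake, so it is logged by the target and is indistinguishable from the reconnaissance phase of an attack.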
Keypad / Cipher Lock
Cipher locks are physical or electronic locks requiring a code to open door.
Posture Assessment:
Thorough examination of every aspect of the network to determine how it might be compromised. Should be performed at least annually.
PDoS Attack (Permanent DoS)
Damages a device's firmware so badly that the device must be reflashed or replaced (also called phlashing).
NMAP (Network Mapper)
Free, open-source scanner designed to scan large networks. Reports live hosts, open ports, the services and versions behind them, and OS fingerprints.
Anti-Malware Software
Effective malware protection requires: - Choosing appropriate anti-malware software - Monitoring the network - Continually updating the anti-malware program. Malware leaves evidence that sometimes only anti-malware software can detect.
AUP (Acceptable Use Policy)
Explains to users what they can and cannot do while accessing network's resources. Explains penalties for violations, explains how it protects security. Restrictions: - Nothing illegal - No circumventing network security restrictions - No spam - No rights violations
Insecure Protocols and Services
FTP, HTTP, Telnet, SLIP, TFTP, SNMPv1, SNMPv2. These carry credentials and data in cleartext (SNMPv1/v2 community strings included). Replace with SFTP or FTPS, HTTPS, SSH, and SNMPv3 with authentication and privacy enabled.
Phishing
Fraudulent practice of sending emails purporting to be from reputable companies in order to trick people into revealing passwords or credit card numbers.
Black Hat Hacker
Groups or individuals that cause damage, steal data, or compromise privacy.
DoS Attack (Denial of Service)
Any attack that makes a system or service unavailable to legitimate users, usually by flooding it with more traffic or requests than it can handle. The classic example is a flood of ping (ICMP echo request) messages, including the smurf variant in which the attacker pings a broadcast address with the victim's forged source address so that every host on the segment replies to the victim.
Quid pro Quo
Hacker offers a service or benefit in exchange for information or access.
White Hat Hacker
IT Security experts hired by organizations to identify security weaknesses. Also called ethical hackers.
Spoofing Attack
Impersonating a trusted source by forging an identifier, such as a MAC address, an IP source address, or an email sender, so that traffic or messages appear to come from someone else.
Tailgating
Involves someone who lacks proper authorization following an employee into a restricted area, relying on politeness or a held-open door instead of a badge.
Polymorphism
Malware characteristic: the malware changes its code or signature each time it moves to a new system, so signature-based detection misses it.
Stealth
Malware characteristic: the malware hides its presence, for instance by disguising itself as a legitimate program.
Encryption
Malware characteristic: the malware encrypts its payload so that scanners cannot match it against known signatures until it decrypts itself to run.
Time Dependence
Malware characteristic, programmed to activate on particular dates. Can remain dormant and harmless until date arrives.
Administrative Credentials
Many devices are managed through remote access connections. - SSH keys are more secure than passwords and far harder to brute-force; where keys are in use, password login should be disabled.
Access Badges
Many organizations provide electronic access badges called smart cards. A smart card can be programmed to allow its owner access to some areas but not others.
Security Audit
Many types, based on risk exposure, expected annual loss, and quantitative or qualitative assessments. Performed by a company that has been accredited by an agency that sets network standards.
Exploit
Means of taking advantage of a vulnerability.
Honeypot
Mechanism set up to detect, deflect, or counteract attempts at unauthorized use of systems. Consists of a host or data that appears legitimate but is actually isolated and monitored; any interaction with it is suspicious by definition, so attackers who touch it can be identified and blocked. Honeynet: a network of honeypots.
SHA (Secure Hash Algorithm)
The most commonly used family of hashing algorithms. Advantage: resistance to collisions (two different inputs producing the same digest). This holds for SHA-2 and SHA-3; practical collisions for SHA-1 were demonstrated in 2017, so SHA-1 should no longer be used for signatures or certificates.
Employee Training
Most important defense against social engineering.
Friendly DoS Attack
Not done with malicious intent. A legitimate surge in traffic, typically a flash sale or a viral link, overwhelms the servers with the same effect as an attack.
DDoS Attack ( Distributed DoS)
Orchestrated through several sources, called zombies, that are usually under the attacker's remote control as a botnet.
Hacker
Originally someone who masters the inner workings of computer hardware and software in an effort to better understand them. Now, an individual who gains unauthorized access to systems.
Nessus Vulnerability Scanner
Vulnerability scanner that goes beyond NMAP's host, port and service discovery: it checks hosts against a database of known vulnerabilities, missing patches, and misconfigurations and produces a report. Authenticated scans find issues visible only from inside the system.
PAM (Privileged Account Management Tool)
Privileged accounts may be monitored through this.
Updates and Security Patches
Process includes: - Discovery - Standardization - Layered Security - Vulnerability Reporting - Implementation - Assessment - Risk Mitigation
Malicious Software
Program designed to intrude or harm systems and resources. Viruses, trojans, worms, bots, ransomware.
Trojan Horse
Program that disguises itself as something useful, harms system.
Bots
Program that runs automatically without requiring person to start/stop it. Can: - Damage data or system files. - Issue objectionable content. - Launch DoS attacks. - Open back doors.
Logic Bomb
Programs designed to start when conditions are met.
Worms
Programs that run independently and travel between computers and across networks.
Key FOB
Provides remote control over locks and security systems
Red Team Blue Team Exercise
Red team attacks, blue team defends network.
MitM Attack (Man in the Middle)
Relies on an intercepted transmission: the attacker sits between two parties and can read or alter what they exchange. Can take several forms, including ARP poisoning, DNS spoofing, and rogue DHCP servers.
Virus
Replicating program intended to infect more computers. Spreads through network connections or the exchange of external storage devices, and needs a host file or program to run.
Metasploit
A framework for penetration testing rather than a single app: it combines known scanning and exploit modules so the tester can chain them to explore new attack routes.
Physical Security
Restrict physical access to critical components-- only trusted networking staff should have access. Locked doors help, good detection measures to secure perimeter.
Versions of SHA
- SHA-0: the original 1993 version, withdrawn over a design flaw. - SHA-1: takes input of any length and produces a 160-bit (20-byte) hash value known as a message digest, often rendered as a 40-digit hexadecimal number. Practical collisions were demonstrated in 2017, so it is deprecated. - SHA-2: a family of 224-, 256-, 384-, and 512-bit variants (SHA-224, SHA-256, SHA-384, SHA-512); SHA-256 is the usual choice today. - SHA-3: standardized in 2015 with a different internal design (the Keccak sponge) so that a weakness found in SHA-2 would not carry over. Systems often support both SHA-2 and SHA-3 so they can switch if one is weakened.
Back doors
Security flaws, allows unauthorized users to gain access to system.
NDA (Non-Disclosure Agreement)
Agreement under which employees or partners promise not to reveal an organization's confidential information. For it to mean anything, the security policy should define what confidential and private mean to the organization and classify information in degrees of sensitivity. If you work in secure environments, expect most data to be confidential.
Baiting
Similar to phishing. The promise of an item or good, such as a free download or a USB drive left where it will be found, that attackers use to entice victims.
DLP (Data Loss Prevention)
Solution that identifies sensitive data and prevents it from being copied or transmitted off network.
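As an added example (not from the original chapter), the content-inspection half of a DLP solution: it finds payment card numbers and US SSNs in outbound text, uses the Luhn check to throw out card-length numbers that are not card numbers, and decides whether each message may leave the network. The messages, card number (the 4111... test number) and SSN are constructed sample data.

```python
"""Content inspection for a DLP rule set (added example, constructed messages)."""
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the usual AAA-GG-SSSS layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits):
    """Luhn check-digit test; filters out most random digit strings that are
    merely card-length (order numbers, timestamps, hashes)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits so logs do not leak what they caught."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text):
    """Return [(kind, masked_value)] for every card number and SSN found."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(("card", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings


def filter_outbound(messages, blocked_kinds=("card", "ssn")):
    """Decide per message whether it may leave the network.
    Returns [(allowed, findings)] in message order."""
    decisions = []
    for text in messages:
        findings = find_sensitive(text)
        allowed = not any(kind in blocked_kinds for kind, _ in findings)
        decisions.append((allowed, findings))
    return decisions


SAMPLE_MESSAGES = [  # constructed, not real data
    "Payment received from card 4111 1111 1111 1111, thanks!",
    "Invoice number 1234567890123456 has been paid.",
    "Background check: SSN 078-05-1120, cleared.",
    "Meeting moved to 3pm, room 204.",
]

if __name__ == "__main__":
    for text, (allowed, findings) in zip(SAMPLE_MESSAGES, filter_outbound(SAMPLE_MESSAGES)):
        print("ALLOW" if allowed else "BLOCK", findings, "|", text)
```

Pattern matching is only the first layer: real DLP products add context (where the data came from, who is sending it) and fingerprints of known documents, because a plain regex cannot tell a customer list from a phone directory. The Luhn filter is what keeps the card rule from blocking the invoice number in the second message.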
Insider Threat
Someone trusted by an organization, may have or develop malicious intent. Reduce insider threats by: - Background checking new hires. - Principle of least privilege, which is giving minimal access to do job. - Checks and balances on employee behavior.
Device Hardening
Steps to secure a device against network- or software-based attacks, applying many layers of defense (disable unused services and ports, change defaults, patch, restrict management access).
Zero-Day Exploit
Taking advantage of a software vulnerability the vendor does not yet know about, or has not yet patched, so no fix is available to defenders. One exploit may open the door to a second and a third as the attacker moves further into the system.
BYOD (Bring Your Own Device)
The practice of allowing people to bring their devices into a facility for performing work responsibility. Variations: - BYOA (app) - BYCO (cloud) - BYOT (tech) - CYOD (choose, device)
Hashing
To transform data through a one-way algorithm into a fixed-length digest. A cryptographic hash is designed so that the digest cannot be reversed to recover the data and any change to the data produces a different digest. Used to verify integrity and to store passwords without keeping the password itself.
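As an added example (not from the original chapter), the properties described under Hashing, SHA, and Versions of SHA shown with Python's standard hashlib: the fixed digest length per algorithm (160 bits for SHA-1, 256 for SHA-256 and SHA3-256), the avalanche effect that underlies collision resistance, and an integrity check done with a constant-time comparison. The inputs are constructed; the expected digests used in the checks are the published test vectors for "abc".

```python
"""Properties of cryptographic hashing with hashlib (added example)."""
import hashlib
import hmac

ALGORITHMS = ("sha1", "sha256", "sha512", "sha3_256")


def digest_hex(algorithm, data):
    """Hex digest of `data` under a hashlib algorithm name."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_lengths(data):
    """Digest bit-length per algorithm. The output length is fixed by the
    algorithm, not by the input: a 1-byte and a 1-megabyte input both yield
    160 bits from SHA-1 and 256 bits from SHA-256 or SHA3-256."""
    return {name: len(digest_hex(name, data)) * 4 for name in ALGORITHMS}


def changed_bits(algorithm, data):
    """Flip one bit of `data` and count how many digest bits change.
    A sound hash changes about half of them (avalanche effect), which is why
    a digest cannot be nudged into matching a slightly altered message."""
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    a = int(digest_hex(algorithm, data), 16)
    b = int(digest_hex(algorithm, flipped), 16)
    return bin(a ^ b).count("1")


def verify_digest(data, expected_hex, algorithm="sha256"):
    """Integrity check as done for downloads and forensic images. Uses a
    constant-time comparison so a timing side channel cannot reveal how
    many leading characters of the digest matched."""
    return hmac.compare_digest(digest_hex(algorithm, data), expected_hex.lower())


if __name__ == "__main__":
    msg = b"The quick brown fox"
    for name in ALGORITHMS:
        print(f"{name:9} {len(digest_hex(name, msg)) * 4:3d} bits  "
              f"{changed_bits(name, msg)} bits change after a 1-bit flip")
    print("1 MB input lengths:", digest_lengths(b"x" * 1_000_000))
```

`changed_bits` for SHA-256 comes out near 128 of 256 on any input; a hash that leaked structure would show far fewer. Note that verifying a download against a digest published beside it on the same server proves only that the file was not corrupted in transit, since an attacker who replaces the file can replace the digest too; a signature over the digest is what proves origin.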
Anti-Malware Policy
Users should know what to do in case of malware. Users should be prohibited from installing unauthorized software on systems.
Penetration Testing
Uses various tools to find network vulnerabilities, then attempts to exploit them to show what an attacker could actually achieve.
Amplified DRDoS Attack (Distributed Reflection Denial of Service)
A DRDoS attack in which small, simple requests sent to the reflectors trigger very large responses, which are directed at the target; DNS amplification is the common example.
Vulnerability
Weakness of a system, process, or architecture