NET-230 (NetAcad Chapter 3)

TCP Three-Way Handshake

132 Send SYN(SEQ=100 CTL=SYN) SYN, ACK received Established(SEQ=101 ACK=301 CTL=ACK) SYN received Send SYN, ACK(SEQ=300 ACK=101 CTL=SYN, ACK) A TCP connection is established in three steps: 1. The initiating client requests a client-to-server communication session with the server. 2. The server acknowledges the client-to-server communication session and requests a server-to-client communication session. 3. The initiating client acknowledges the server-to-client communication session.

3.5.9 DoS and DDoS Attacks

A Denial of Service (DoS) attack creates some sort of interruption of network services to users, devices, or applications. There are two major types of DoS attacks: Overwhelming Quantity of Traffic - The threat actor sends an enormous quantity of data at a rate that the network, host, or application cannot handle. This causes transmission and response times to slow down. It can also crash a device or service. Maliciously Formatted Packets - The threat actor sends a maliciously formatted packet to a host or application and the receiver is unable to handle it. This causes the receiving device to run very slowly or crash.

DDoS Attack

A Distributed DoS Attack (DDoS) is similar to a DoS attack, but it originates from multiple, coordinated sources. For example, A threat actor builds a network of infected hosts, known as zombies. The threat actor uses a command and control (CnC) system to send control messages to the zombies. The zombies constantly scan and infect more hosts with bot malware. The bot malware is designed to infect a host, making it a zombie that can communicate with the CnC system. The collection of zombies is called a botnet. When ready, the threat actor instructs the CnC system to make the botnet of zombies carry out a DDoS attack. Click Play in the figure to view the animations of a DDoS attack.

DNS resource utilization attacks

A DoS attack that consumes the resources of the DNS open resolvers. This DoS attack consumes all the available resources to negatively affect the operations of the DNS open resolver. The impact of this DoS attack may require the DNS open resolver to be rebooted or services to be stopped and restarted.

3.9.3 Firewalls

A firewall is a system, or group of systems, that enforces an access control policy between networks. Click Play in the figure to view an animation of how a firewall operates. Firewall Operation All firewalls share some common properties: Firewalls are resistant to network attacks. Firewalls are the only transit points between internal corporate networks and external networks because all traffic flows through the firewall. Firewalls enforce the access control policy. There are several benefits of using a firewall in a network: They prevent the exposure of sensitive hosts, resources, and applications to untrusted users. They sanitize protocol flow, which prevents the exploitation of protocol flaws. They block malicious data from servers and clients. They reduce security management complexity by off-loading most of the network access control to a few firewalls in the network. Firewalls also present some limitations: A misconfigured firewall can have serious consequences for the network, such as becoming a single point of failure. The data from many applications cannot be passed through firewalls securely. Users might proactively search for ways around the firewall to receive blocked material, which exposes the network to potential attack. Network performance can slow down. Unauthorized traffic can be tunneled or hidden so that it appears as legitimate traffic through the firewall.

VPN (Virtual Private Network)

A router is used to provide secure VPN services with corporate sites and remote access support for remote users using secure encrypted tunnels.

IP Address Spoofing Attack

A threat actor constructs an IP packet that appears to originate from a valid address inside the corporate intranet.

Spear phishing

A threat actor creates a targeted phishing attack tailored for a specific individual or organization.

Baiting

A threat actor leaves a malware infected flash drive in a public location. A victim finds the drive and unsuspectingly inserts it into their laptop, unintentionally installing malware.

Pretexting

A threat actor pretends to need personal or financial data to confirm the identity of the recipient.

Phishing

A threat actor sends fraudulent email which is disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device, or to share personal or financial information.

Threat

A threat is a potential danger to a company's assets, data, or network functionality.

12. What is a significant characteristic of virus malware?

A virus is triggered by an event on the host system.

Vulnerability

A vulnerability is a weakness in a system, or its design, that could be exploited by a threat.

Worm

A worm is a self-replicating program that propagates automatically without user actions by exploiting vulnerabilities in legitimate software. It uses the network to search for other victims with the same vulnerability. The intent of a worm is usually to slow or disrupt network operations.

2. Which network security device contains a secure database of who is authorized to access and manage network devices?

AAA Server

Advanced Encryption Standard (AES)

AES is a secure and more efficient algorithm than 3DES. It is a popular and recommended symmetric encryption algorithm. It offers nine combinations of key and block length by using a variable key length of 128-, 192-, or 256-bit key to encrypt data blocks that are 128, 192, or 256 bits long.

3.8.2 ARP Cache Poisoning

ARP cache poisoning can be used to launch various man-in-the-middle attacks. Click each button for an illustration and an explanation of the ARP cache poisoning process.

1. Which network security device ensures that internal traffic can go out and come back, but external traffic cannot initiate connections to inside hosts?

ASA Firewall

2. What type of attack is a password attack?

Access

4. What type of attack is man-in-the-middle?

Access

5. What type of attack is address spoofing?

Access

3.5.5 Access Attacks

Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services. The purpose of these types of attacks is to gain entry to web accounts, confidential databases, and other sensitive information. Threat actors use access attacks on network devices and computers to retrieve data, gain access, or to escalate access privileges to administrator status.

5. Which attack being used is when a threat actor creates packets with false source IP address information to either hide the identity of the sender, or to pose as another legitimate user?

Address Spoofing Attack

4. Which malware typically displays annoying pop-ups to generate revenue for its author?

Adware

Adware

Adware is usually distributed by downloading online software. Adware can display unsolicited advertising using pop-up web browser windows, new toolbars, or unexpectedly redirect a webpage to a different website. Pop-up windows may be difficult to control as new windows can pop-up faster than the user can close them.

Spam

Also known as junk mail, this is unsolicited email which often contains harmful links, malware, or deceptive content.

3. Which attack is being used when threat actors initiate a simultaneous, coordinated attack from multiple source machines?

Amplification and Reflection Attacks

IPS

An Intrusion Prevention System (IPS) monitors incoming and outgoing traffic looking for malware, network attack signatures, and more. If it recognizes a threat. It can immediately stop it.

Assets

An asset is anything of value to the organization. It includes people, equipment, resources, and data.

EIGamal

An asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie-Hellman key agreement. A disadvantage of the ElGamal system is that the encrypted message becomes very big, about twice the size of the original message and for this reason it is only used for small messages such as secret keys. Key Length 512 - 1024

HMAC Hashing Algorithm

As shown in the figure, an HMAC is calculated using any cryptographic algorithm that combines a cryptographic hash function with a secret key. Hash functions are the basis of the protection mechanism of HMACs. Only the sender and the receiver know the secret key, and the output of the hash function now depends on the input data and the secret key. Only parties who have access to that secret key can compute the digest of an HMAC function. This defeats man-in-the-middle attacks and provides authentication of the data origin. If two parties share a secret key and use HMAC functions for authentication, a properly constructed HMAC digest of a message that a party has received indicates that the other party was the originator of the message. This is because the other party possesses the secret key. The figure shows the h m a c hashing algorithm e883aa0b24c09f Fixed Length Authenticated Hash Value Data of Arbitrary LengthSecret KeyHash FunctionPlaintext Message

Creating the HMAC Value

As shown in the figure, the sending device inputs data (such as Terry Smith's pay of $100 and the secret key) into the hashing algorithm and calculates the fixed-length HMAC digest. This authenticated digest is then attached to the message and sent to the receiver. The figure shows creating the h m a c value 4ehIDx67NMop94ehIDx67NMop9 Pay to Terry Smith........................$100.00 One Hundred and xx/100................DollarsDataSecret KeyPay to Terry Smith........................$100.00 One Hundred and xx/100.............DollarsHMAC (Authenticated Fingerprint)Hash Function

Common Network Attacks 3.5.1 Overview of Network Attacks

As you have learned, there are many types of malware that hackers can use. But these are not the only ways that they can attack a network, or even an organization. When malware is delivered and installed, the payload can be used to cause a variety of network related attacks. To mitigate attacks, it is useful to understand the types of attacks. By categorizing network attacks, it is possible to address types of attacks rather than individual attacks. Networks are susceptible to the following types of attacks: Reconnaissance Attacks Access Attacks DoS Attacks

1. Which security term is used to describe anything of value to the organization? It includes people, equipment, resources, and data.

Asset

3.10.8 Asymmetric Encryption

Asymmetric algorithms, also called public-key algorithms, are designed so that the key that is used for encryption is different from the key that is used for decryption, as shown in the figure. The decryption key cannot, in any reasonable amount of time, be calculated from the encryption key and vice versa. Asymmetric algorithms use a public key and a private key. Both keys are capable of the encryption process, but the complementary paired key is required for decryption. The process is also reversible. Data encrypted with the public key requires the private key to decrypt. Asymmetric algorithms achieve confidentiality, authentication, and integrity by using this process. Asymmetric Encryption Example Encryption Key Plaintext Encrypted Encryption Plaintext Decryption Decryption Key Because neither party has a shared secret, very long key lengths must be used. Asymmetric encryption can use key lengths between 512 to 4,096 bits. Key lengths greater than or equal to 2,048 bits can be trusted while shorter key lengths are considered unreliable. Examples of protocols that use asymmetric key algorithms include:

3.6.7 Check Your Understanding - IP Vulnerabilities and Threats

Check your understanding of IP vulnerabilities and threats by choosing the BEST answer to the following questions.

3.7.6 Check Your Understanding - TCP and UDP Vulnerabilities

Check your understanding of TCP and UDP vulnerabilities by choosing the BEST answer to the following questions.

3.5.10 Check Your Understanding - Common Network Attacks

Check your understanding of common network attacks by choosing the BEST classification for each attack type.

3.10.10 Check Your Understanding - Cryptography

Check your understanding of cryptography by choosing the BEST answer to the following questions.

3.4.4 Check Your Understanding - Malware

Check your understanding of malware by choosing the BEST answer to the following questions.

3.9.6 Check Your Understanding - Network Security Best Practices

Check your understanding of network security best practices by choosing the BEST answer to the following questions.

3.1.4 Check Your Understanding - Current State of Cybersecurity

Check your understanding of the current state of cybersecurity by choosing the BEST answer to the following questions.

3.8.3 Video - ARP Spoofing

Click Play in the figure to view a video about ARP Spoofing.

3.5.4 Video - Access and Social Engineering Attacks

Click Play in the figure to view a video about access and social engineering attacks.

3.6.4 Video - Amplification, Reflection, and Spoofing Attacks

Click Play in the figure to view a video about amplification, reflection, and spoofing attacks.

3.5.8 Video - Denial of Service Attacks

Click Play in the figure to view a video about denial of service attacks.

3.5.2 Video - Reconnaissance Attacks

Click Play in the figure to view a video about reconnaissance attacks.

3.9.5 Content Security Appliances

Content security appliances include fine-grained control over email and web browsing for an organization's users. Cisco Email Security Appliance (ESA) The Cisco Email Security Appliance (ESA) is a special device designed to monitor Simple Mail Transfer Protocol (SMTP). The Cisco ESA is constantly updated by real-time feeds from the Cisco Talos, which detects and correlates threats and solutions by using a worldwide database monitoring system. This threat intelligence data is pulled by the Cisco ESA every three to five minutes. In the figure, a threat actor sends a phishing email. 1. Threat actor sends a phishing attack to an important host on the network. 2. The firewall forwards all email to the ESA. 3. The ESA analyzes the email, logs it, and discards it. Cisco Web Security Appliance (WSA) The Cisco Web Security Appliance (WSA) is a mitigation technology for web-based threats. It helps organizations address the challenges of securing and controlling web traffic. The Cisco WSA combines advanced malware protection, application visibility and control, acceptable use policy controls, and reporting. Cisco WSA provides complete control over how users access the internet. Certain features and applications, such as chat, messaging, video and audio, can be allowed, restricted with time and bandwidth limits, or blocked, according to the organization's requirements. The WSA can perform blacklisting of URLs, URL-filtering, malware scanning, URL categorization, web application filtering, and encryption and decryption of web traffic. In the figure, a corporate user attempts to connect to a known blacklisted site. 1. A user attempts to connect to a website. 2. The firewall forwards the website request to the WSA. 3. The WSA evaluates the URL and determines that it is a known backlisted site. The WSA discards the packet and sends an access denied message to the user.

1. The IT department is reporting that a company web server is receiving an abnormally high number of web page requests from different locations simultaneously. Which type of security attack is occurring?

DDoS

6. Which cyber attack involves a coordinated attack from a botnet of zombie computers?

DDoS

3.8.7 DHCP Attacks

DHCP Spoofing Attack A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. A rogue server can provide a variety of misleading information: Wrong default gateway - Threat actor provides an invalid gateway, or the IP address of its host to create a MITM attack. This may go entirely undetected as the intruder intercepts the data flow through the network. Wrong DNS server - Threat actor provides an incorrect DNS server address pointing the user to a malicious website. Wrong IP address - Threat actor provides an invalid IP address, invalid default gateway IP address, or both. The threat actor then creates a DoS attack on the DHCP client. Assume a threat actor has successfully connected a rogue DHCP server to a switch port on the same subnet as the target clients. The goal of the rogue server is to provide clients with false IP configuration information. Click each button for an illustration and explanation of the steps in a DHCP spoofing attack. 1. Client Broadcasts DHCP Discovery Messages In the figure, a legitimate client connects to the network and requires IP configuration parameters. The client broadcasts a DHCP Discover request looking for a response from a DHCP server. Both servers receive the message. DHCP ClientDHCP ServerRogue DHCP ServerThreat ActorDHCP DiscoverDHCP DiscoverDHCP DiscoverDHCP DiscoverDHCP DiscoverDHCP DiscoverDHCP DiscoverDHCP Discover 2. DHCP Servers Respond with Offers The figure shows how the legitimate and rogue DHCP servers each respond with valid IP configuration parameters. The client replies to the first offer received. DHCP ClientDHCP ServerRogue DHCP ServerThreat ActorDHCP OfferDHCP OfferDHCP OfferDHCP OfferDHCP OfferDHCP Offer 3. Client Accepts Rogue DHCP Request In this scenario, the client received the rogue offer first. It broadcasts a DHCP request accepting the parameters from the rogue server, as shown in the figure. The legitimate and rogue server each receive the request. DHCP ClientDHCP ServerRogue DHCP ServerThreat ActorDHCP RequestDHCP RequestDHCP RequestDHCP RequestDHCP RequestDHCP RequestDHCP RequestDHCP Request 4. Rogue DHCP Acknowledges the Request However, only the rogue server unicasts a reply to the client to acknowledge its request, as shown in the figure. The legitimate server stops communicating with the client because the request has already been acknowledged. DHCP ClientDHCP ServerRogue DHCP ServerThreat ActorDHCP AckDHCP AckDHCP AckDHCP Ack

3.8.6 DHCP

DHCP servers dynamically provide IP configuration information to clients. The figure shows the typical sequence of a DHCP message exchange between client and server. Normal DHCP Operation IP address: 192.168.10.15Subnet mask: 255.255.255.0Default Gateway: 192.168.10.1Lease time: 3 days ServerClientDHCPOFFERUnicastDHCPACKUnicastDHCPDISCOVERBroadcastDHCPREQUESTBroadcast"I would like to request an address.""I am DHCPsvr1. Here is an address I can offer.""I accept the IP address offer.""Your acceptance is acknowledged." In the figure, a client broadcasts a DHCP discover message. The DHCP server responds with a unicast offer that includes addressing information the client can use. The client broadcasts a DHCP request to tell the server that the client accepts the offer. The server responds with a unicast acknowledgment accepting the request.

Digital Signature Standard (DSS)and Digital Signature Algorithm (DSA)

DSS specifies DSA as the algorithm for digital signatures. DSA is a public key algorithm based on the ElGamal signature scheme. Signature creation speed is similar to RSA, but is 10 to 40 times slower for verification. Key Length 512 - 1024

2. Which penetration testing tool is used by black hats to reverse engineer binary files when writing exploits? They are also used by white hats when analyzing malware.

Debuggers

Attack Type

Description

Data Loss Vectors

Description

Hacker Type

Description

Hacking Term

Description

SHA-2

Developed by the NSA. It includes SHA-224 (224 bit), SHA-256 (256 bit), SHA-384 (384 bit), and SHA-512 (512 bit). If you are using SHA-2, then the SHA-256, SHA-384, and SHA-512 algorithms should be used whenever possible.

SHA Hashing Algorithm

Developed by the U.S. National Security Agency (NSA) in 1995. It is very similar to the MD5 hash functions. Several versions exist. SHA-1 creates a 160-bit hashed message and is slightly slower than MD5. SHA-1 has known flaws and is a legacy algorithm. Plaintext Message SHA Hash Function Hashed Message In the figure, a plaintext message is passed through a SHA hash function. The result is a hashed message.

3.10.9 Diffie-Hellman

Diffie-Hellman (DH) is an asymmetric mathematical algorithm where two computers generate an identical shared secret key without having communicated before. The new shared key is never actually exchanged between the sender and receiver. However, because both parties know it, the key can be used by an encryption algorithm to encrypt traffic between the two systems. Here are three examples of instances when DH is commonly used: Data is exchanged using an IPsec VPN. Used when data is exchanged using an SSL or TLS VPN. SSH data is exchanged. To help illustrate how DH operates, refer to the figure. ++==++== Agreed on ColorAlice's Secret ColorAlice's Public ColorBob's Public ColorAlice's Secret ColorAlice's Final ColorAliceAgreed on ColorBob's Secret ColorBob's Public ColorAlice's Public ColorBob's Secret ColorBob's Final ColorBob The colors in the figure will be used instead of complex long numbers to simplify the DH key agreement process. The DH key exchange begins with Alice and Bob agreeing on an arbitrary common color that does not need to be kept secret. The agreed-on color in our example is yellow. Next, Alice and Bob will each select a secret color. Alice chose red while Bob chose blue. These secret colors will never be shared with anyone. The secret color represents the chosen secret private key of each party. Alice and Bob now mix the shared common color (yellow) with their respective secret color to produce a public color. Therefore, Alice will mix the yellow with her red color to produce a public color of orange. Bob will mix the yellow and the blue to produce a public color of green. Alice sends her public color (orange) to Bob and Bob sends his public color (green) to Alice. Alice and Bob each mix the color they received with their own, original secret color (Red for Alice and blue for Bob.). The result is a final brown color mixture that is identical to the partner's final color mixture. The brown color represents the resulting shared secret key between Bob and Alice. The security of DH is based on the fact that it uses very large numbers in its calculations. For example, a DH 1024-bit number is roughly equal to a decimal number of 309 digits. Considering that a billion is 10 decimal digits (1,000,000,000), one can easily imagine the complexity of working with not one, but multiple 309 digit decimal numbers. Unfortunately, asymmetric key systems are extremely slow for any sort of bulk encryption. This is why it is common to encrypt the bulk of the traffic using a symmetric algorithm, such as 3DES or AES and use the DH algorithm to create keys that will be used by the encryption algorithm.

DoS Attack

DoS attacks are a major risk because they interrupt communication and cause significant loss of time and money. These attacks are relatively simple to conduct, even by an unskilled threat actor. Click Play in the figure to view the animation of a DoS attack.

DNS Domain Shadowing Attacks

Domain shadowing involves the threat actor gathering domain account credentials in order to silently create multiple sub-domains to be used during the attacks. These subdomains typically point to malicious servers without alerting the actual owner of the parent domain.

3. Which network security device filters known and suspicious internet malware sites?

ESA/WSA

IP Services 3.8.1 ARP Vulnerabilities

Earlier in this module you learned about vulnerabilities with IP, TCP and UDP. The TCP/IP protocol suite was never built for security. Therefore, the services that IP uses for addressing functions such as ARP, DNS, and DHCP, are also not secure, as you will learn in this topic. Hosts broadcast an ARP Request to other hosts on the segment to determine the MAC address of a host with a particular IP address. All hosts on the subnet receive and process the ARP Request. The host with the matching IP address in the ARP Request sends an ARP Reply. Click Play in the figure to see the ARP process at work. The ARP Process Any client can send an unsolicited ARP Reply called a "gratuitous ARP." This is often done when a device first boots up to inform all other devices on the local network of the new device's MAC address. When a host sends a gratuitous ARP, other hosts on the subnet store the MAC address and IP address contained in the gratuitous ARP in their ARP tables. This feature of ARP also means that any host can claim to be the owner of any IP or MAC. A threat actor can poison the ARP cache of devices on the local network, creating an MITM attack to redirect traffic. The goal is to target a victim host, and have it change its default gateway to the threat actor's device. This positions the threat actor in between the victim and all other systems outside of the local subnet.

Cryptography 3.10.1 Video - Cryptography

Early in the previous topic, cryptography is mentioned as part of the CIA information security triad. In this topic you will get a deeper dive into the many types of cryptography and how they are used to secure the network. Click Play in the figure to view a video about cryptography.

Elliptic curve techniques

Elliptic curve cryptography can be used to adapt many cryptographic algorithms, such as Diffie-Hellman or ElGamal. The main advantage of elliptic curve cryptography is that the keys can be much smaller. Key Length 224

4. Which penetration testing tool is used by white hat hackers to sniff out any trace of evidence existing in a computer?

Forensic Tools

Fuzzers to Search Vulnerabilities

Fuzzers are tools used by threat actors to discover a computer's security vulnerabilities. Examples of fuzzers include Skipfish, Wapiti, and W3af.

Data Confidentiality

Guarantees that only authorized users can read the message. If the message is intercepted, it cannot be deciphered within a reasonable amount of time. Data confidentiality is implemented using symmetric and asymmetric encryption algorithms.

Origin Authentication

Guarantees that the message is not a forgery and does actually come from whom it states. Many modern networks ensure authentication with protocols, such as hash message authentication code (HMAC).

Data Integrity

Guarantees that the message was not altered. Any changes to data in transit will be detected. Integrity is ensured by implementing either of the Secure Hash Algorithms (SHA-2 or SHA-3). The MD5 message digest algorithm is still widely in use but it is inherently insecure and creates vulnerabilities in a network. The use of MD5 should be avoided.

Data Non-Repudiation

Guarantees that the sender cannot repudiate, or refute, the validity of a message sent. Nonrepudiation relies on the fact that only the sender has the unique characteristics or signature for how that message is treated.

3.10.3 Data Integrity

Hash functions are used to ensure the integrity of a message. They guarantee that message data has not changed accidentally. In the figure, the sender is sending a $100 money transfer to Alex. Pay to Alex$100.00One Hundred and 00/100 Dollars4ehlDx67NMop9Starting HashPay to Jeremy$1000.00One Thousand and 00/100 Dollars12ehqPx67NMoXEnding HashDifferent The hash algorithm works as follows: 1. The sending device inputs the message into a hashing algorithm and computes its fixed-length hash of 4ehiDx67NMop9. 2. This hash is then attached to the message and sent to the receiver. Both the message and the hash are in plaintext. 3. The receiving device removes the hash from the message and inputs the message into the same hashing algorithm. If the computed hash is equal to the one that is attached to the message, the message has not been altered during transit. If the hashes are not equal, as shown in the figure, then the integrity of the message can no longer be trusted.

4. Which attack is being used when threat actors use pings to discover subnets and hosts on a protected network, to generate flood attacks, and to alter host routing tables?

ICMP Attack

3.6.6 Address Spoofing Attacks

IP address spoofing attacks occur when a threat actor creates packets with false source IP address information to either hide the identity of the sender, or to pose as another legitimate user. The threat actor can then gain access to otherwise inaccessible data or circumvent security configurations. Spoofing is usually incorporated into another attack such as a Smurf attack. Spoofing attacks can be non-blind or blind:

3.6.2 IPv4 and IPv6

IP does not validate whether the source IP address contained in a packet actually came from that source. For this reason, threat actors can send packets using a spoofed source IP address. Threat actors can also tamper with the other fields in the IP header to carry out their attacks. Security analysts must understand the different fields in both the IPv4 and IPv6 headers. Some of the more common IP related attacks are shown in the table.

5. Which network security device monitors incoming and outgoing traffic looking for malware, network attack signatures, and if it recognizes a threat, it can immediately stop it?

IPS

Compromised-Key Attack

If a threat actor obtains a secret key, that key is referred to as a compromised key. A compromised key can be used to gain access to a secured communication without the sender or receiver being aware of the attack.

Unencrypted Devices

If the data is not stored using an encryption algorithm, then the thief can retrieve valuable confidential data.

Buffer Overflow Attack

In a buffer overflow attack, the threat actor exploits the buffer memory and overwhelms it with unexpected values. This usually renders the system inoperable, creating a DoS attack. The figure shows that the threat actor is sending many packets to the victim in an attempt to overflow the victim's buffer.

Man-in-the Attack Example

In a man-in-the-middle attack, the threat actor is positioned in between two legitimate entities in order to read or modify the data that passes between the two parties. The figure displays an example of a man-in-the-middle attack.

Password Attacks

In a password attack, the threat actor attempts to discover critical system passwords using various methods. Password attacks are very common and can be launched using a variety of password cracking tools.

Port Redirection Example

In a port redirection attack, a threat actor uses a compromised system as a base for attacks against other targets. The example in the figure shows a threat actor using SSH (port 22) to connect to a compromised Host A. Host A is trusted by Host B and, therefore, the threat actor can use Telnet (port 23) to access it.

Trust Exploitation Example

In a trust exploitation attack, a threat actor uses unauthorized privileges to gain access to a system, possibly compromising the target. Click Play in the figure to view an example of trust exploitation.

Spoofing Attacks

In spoofing attacks, the threat actor device attempts to pose as another device by falsifying data. Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing. These spoofing attacks will be discussed in more detail later in this module Other Access attacks include: Trust exploitations Port redirections Man-in-the-middle attacks Buffer overflow attacks

Verifying the HMAC Value

In the figure, the receiving device removes the digest from the message and uses the plaintext message with its secret key as input into the same hashing function. If the digest that is calculated by the receiving device is equal to the digest that was sent, the message has not been altered. Additionally, the origin of the message is authenticated because only the sender possesses a copy of the shared secret key. The HMAC function has ensured the authenticity of the message. The figure shows verifying the h m a c value 4ehIDx67NMop9 Pay to Terry Smith..........................$100.00 One Hundred and xx/100...........DollarsReceived DataSecret KeyIf the generated HMAC matches the sent HMAC, then integrity and authenticity have been verified. If they do not match, discard the message.HMAC (Authenticated Fingerprint)Hash Function

Spoofed Gratuitous ARP Replies

In the figure, the threat actor sends two spoofed gratuitous ARP Replies using its own MAC address for the indicated destination IP addresses. PC-A updates its ARP cache with its default gateway which is now pointing to the threat actor's host MAC address. R1 also updates its ARP cache with the IP address of PC-A pointing to the threat actor's MAC address. The threat actor's host is executing an ARP poisoning attack. The ARP poisoning attack can be passive or active. Passive ARP poisoning is where threat actors steal confidential information. Active ARP poisoning is where threat actors modify data in transit, or inject malicious data. The network topology is the same as that described in 3.8.2-1. It shows the threat actor host has sent two ARP replies. One reads 192.168.10.1 has EE:EE:EE:EE:EE:EE. The second one reads 192.168.10.10 has EE:EE:EE:EE:EE:EE. This has caused PC-A to change its ARP cache to map IP address 192.168.10.1 to MAC address EE:EE:EE:EE:EE:EE and R1 to change its ARP cache to map IP address 192.168.10.10 to MAC EE:EE:EE:EE:EE:EE. The ARP cache on the threat actor host has the same two entries; IP address 192.168.10.10 mapped to MAC address AA:AA:AA:AA:AA:AA and IP address 192.168.10.1 mapped to MAC A1:A1:A1:A1:A1:A1. PC-AR1 IP: 192.168.10.10MAC: AA:AA:AA:AA:AA:AAIP: 192.168.10.254MAC: EE:EE:EE:EE:EE:EEIP: 192.168.10.1MAC: A1:A1:A1:A1:A1:A1Threat ActorARP Reply:192.168.10.1 has EE:EE:EE:EE:EE:EEARP Reply:192.168.10.10 has EE:EE:EE:EE:EE:EEARP Cache on PC-AARP Cache on PC-AIP AddressMAC Address192.168.10.1EE:EE:EE:EE:EE:EE ARP Cache on R1ARP Cache on R1IP AddressMAC Address192.168.10.10EE:EE:EE:EE:EE:EE ARP Cache on Threat Actor HostARP Cache on Threat Actor HostIP AddressMAC Address192.168.10.10AA:AA:AA:AA:AA:AA192.168.10.1A1:A1:A1:A1:A1:A1 Note: There are many tools available on the internet to create ARP MITM attacks including dsniff, Cain & Abel, ettercap, Yersinia, and others.

Module Practice and Quiz 3.11.1 Packet Tracer - Network Security Exploration

In this Packet Tracer Physical Mode (PTPM) activity, you will explore and implement several security procedures in different locations within the city of Greenville, North Carolina. Included are networks in a Data Center, an ISP, a Coffee Shop, and a Home. The Data Center is provisioned for environmental and physical security. There is also software included to maintain access control. You will install an Internet of Things (IoT) smoke detector. The Coffee Shop offers free wireless access to their patrons. You will implement a VPN to secure traffic. The Home includes an office, a student's bedroom, and a living room. You will configure two home wireless LANs (WLANs) to require authentication for two different user types: family members and guests. These networks will also be configured with MAC address filtering to restrict access.

ARP Reply

In this figure, R1 updates its ARP cache with the IP and MAC addresses of PC-A. R1 sends an ARP Reply to PC-A, which then updates its ARP cache with the IP and MAC addresses of R1. The network topology is the same as that described in 3.8.2-1. R1 is sending an ARP reply that reads 192.168.10.1 has A1:A1:A1:A1:A1:A1. The ARP cache on PC-A now has a mapping of IP address 192.168.10.1 to MAC address A1:A1:A1:A1:A1:A1. The ARP cache on R1 has a mapping of IP address 192.168.10.10 to MAC address AA:AA:AA:AA:AA:AA. The ARP cache on the threat actor host has two entries; IP address 192.168.10.10 mapped to MAC address AA:AA:AA:AA:AA:AA and IP address 192.168.10.1 mapped to MAC A1:A1:A1:A1:A1:A1. PC-AR1 IP: 192.168.10.10MAC: AA:AA:AA:AA:AA:AAIP: 192.168.10.254MAC: EE:EE:EE:EE:EE:EEIP: 192.168.10.1MAC: A1:A1:A1:A1:A1:A1Threat ActorARP Reply:192.168.10.1 has A1:A1:A1:A1:A1:A1ARP Cache on PC-AARP Cache on PC-AIP AddressMAC Address192.168.10.1A1:A1:A1:A1:A1:A ARP Cache on R1ARP Cache on R1IP AddressMAC Address192.168.10.10AA:AA:AA:AA:AA:AA ARP Cache on Threat Actor HostARP Cache on Threat Actor HostIP AddressMAC Address192.168.10.10AA:AA:AA:AA:AA:AA192.168.10.1A1:A1:A1:A1:A1:A1 Note: There are many tools available on the internet to create ARP MITM attacks including dsniff, Cain & Abel, ettercap, Yersinia, and others.

3.8.8 Lab - Explore DNS Traffic

In this lab, you will complete the following objectives: Capture DNS Traffic Explore DNS Query Traffic Explore DNS Response Traffic

3.5.7 Lab - Social Engineering

In this lab, you will research examples of social engineering and identify ways to recognize and prevent it.

Email/Social Networking

Intercepted email or IM messages could be captured and reveal confidential information.

Social Engineering Toolkit (SET)

Is designed to help white hat hackers and other network security professionals create social engineering attacks to test their own networks.

Network Security Best Practices 3.9.1 Confidentiality, Integrity, and Availability

It is true that the list of network attack types is long. But there are many best practices that you can use to defend your network, as you will learn in this topic. Network security consists of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Most organizations follow the CIA information security triad: Confidentiality - Only authorized individuals, entities, or processes can access sensitive information. It may require using cryptographic encryption algorithms such as AES to encrypt and decrypt data. Integrity - Refers to protecting data from unauthorized alteration. It requires the use of cryptographic hashing algorithms such as SHA. Availability - Authorized users must have uninterrupted access to important resources and data. It requires implementing redundant services, gateways, and links. CIA Triad ConfidentialityIntegrityAvailability

1. Which attack is being used when threat actors position themselves between a source and destination to transparently monitor, capture, and control the communication?

MiTM Attack

3.7.3 TCP Attacks

Network applications use TCP or UDP ports. Threat actors conduct port scans of target devices to discover which services they offer. TCP SYN Flood Attack The TCP SYN Flood attack exploits the TCP three-way handshake. The figure shows a threat actor continually sending TCP SYN session request packets with a randomly spoofed source IP address to a target. The target device replies with a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP ACK packet. Those responses never arrive. Eventually the target host is overwhelmed with half-open TCP connections, and TCP services are denied to legitimate users. TCP SYN Flood Attack 1. Threat actor sends multiple SYN requests to a web server. Web Server 2. Web server sends SYN-ACK replies and waits to complete three-way handshake. Web Server. 3. Valid user sends SYN request. Web Server is unavailable. Web Server 1. The threat actor sends multiple SYN requests to a web server. 2. The web server replies with SYN-ACKs for each SYN request and waits to complete the three-way handshake. The threat actor does not respond to the SYN-ACKs. 3. A valid user cannot access the web server because the web server has too many half-opened TCP connections. TCP Reset Attack A TCP reset attack can be used to terminate TCP communications between two hosts. TCP can terminate a connection in a civilized (i.e., normal) manner and uncivilized (i.e., abrupt) manner. The figure displays the civilized manner when TCP uses a four-way exchange consisting of a pair of FIN and ACK segments from each TCP endpoint to close the TCP connection. The uncivilized manner is when a host receives an TCP segment with the RST bit set. This is an abrupt way to tear down the TCP connection and inform the receiving host to immediately stop using the TCP connection. A threat actor could do a TCP reset attack and send a spoofed packet containing a TCP RST to one or both endpoints. Terminating a TCP Connection A. 1. Send FIN ACK received FIN received 4. Send ACK B. FIN received 2. Send ACK 3. Send FIN ACK received A sends ACK response to B Terminating a TCP session uses the following four-way exchange process: 1. When the client has no more data to send in the stream, it sends a segment with the FIN flag set. 2. The server sends an ACK to acknowledge the receipt of the FIN to terminate the session from client to server. 3. The server sends a FIN to the client to terminate the server-to-client session. 4. The client responds with an ACK to acknowledge the FIN from the server.

3.11.2 What did I learn in this module?

Network security breaches can disrupt e-commerce, cause the loss of business data, threaten people's privacy, and compromise the integrity of information. Assets must be identified and protected. Vulnerabilities must be addressed before they become a threat and are exploited. Mitigation techniques are required before, during, and after an attack. An attack vector is a path by which a threat actor can gain access to a server, host, or network. Attack vectors originate from inside or outside the corporate network. The term 'threat actor' includes hackers and any device, person, group, or nation state that is, intentionally or unintentionally, the source of an attack. There are "White Hat", "Gray Hat", and "Black Hat" hackers. Cyber criminals operate in an underground economy where they buy, sell, and trade attack toolkits, zero day exploit code, botnet services, banking Trojans, keyloggers, and more. Hacktivists tend to rely on fairly basic, freely available tools. State-sponsored hackers create advanced, customized attack code, often using previously undiscovered software vulnerabilities called zero-day vulnerabilities. Attack tools have become more sophisticated and highly automated. These new tools require less technical knowledge to implement. Ethical hacking involves many different types of tools used to test the network and keep its data secure. To validate the security of a network and its systems, many network penetration testing tools have been developed. Common types of attacks are: eavesdropping, data modification, IP address spoofing, password-based, denial-of-service, man-in-the-middle, compromised-key, and sniffer. The three most common types of malware are worms, viruses, and Trojan horses. A worm executes arbitrary code and installs copies of itself in the memory of the infected computer. A virus executes a specific unwanted, and often harmful, function on a computer. A Trojan horse is non-self-replicating. When an infected application or file is downloaded and opened, the Trojan horse can attack the end device from within. Other types of malware are: adware, ransomware, rootkit, and spyware. Networks are susceptible to the following types of attacks: reconnaissance, access, and DoS. Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities. Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services. Types of access attacks are: password, spoofing, trust exploitations, port redirections, man-in-the-middle, and buffer overflow. Social engineering is an access attack that attempts to manipulate individuals into performing actions or divulging confidential information. DoS and DDoS are attacks that create some sort of interruption of network services to users, devices, or applications. Threat actors can send packets using a spoofed source IP address. Threat actors can also tamper with the other fields in the IP header to carry out their attacks. IP attack techniques include: ICMP, amplification and reflection, address spoofing, MITM, and session hijacking. Threat actors use ICMP for reconnaissance and scanning attacks. They launch information-gathering attacks to map out a network topology, discover which hosts are active (reachable), identify the host operating system (OS fingerprinting), and determine the state of a firewall. Threat actors often use amplification and reflection techniques to create DoS attacks. TCP segment information appears immediately after the IP header. TCP provides reliable delivery, flow control, and stateful communication. TCP attacks include: TCPSYN Flood attack, TCP reset attack, and TCP Session hijacking. UDP is commonly used by DNS, TFTP, NFS, and SNMP. It is also used with real-time applications such as media streaming or VoIP. UDP is not protected by encryption. UDP Flood attacks send a flood of UDP packets, often from a spoofed host, to a server on the subnet. The result is very similar to a DoS attack. Any client can send an unsolicited ARP Reply called a "gratuitous ARP." This mean that any host can claim to be the owner of any IP or MAC. A threat actor can poison the ARP cache of devices on the local network, creating an MITM attack to redirect traffic. ARP cache poisoning can be used to launch various man-in-the-middle attacks. DNS attacks include: open resolver attacks, stealth attacks, domain shadowing attacks, and tunneling attacks. To stop DNS tunneling, the network administrator must use a filter that inspects DNS traffic. A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. Most organizations follow the CIA information security triad: confidentiality, integrity, and availability. To ensure secure communications across both public and private networks, you must secure devices including routers, switches, servers, and hosts. This is known as defense-in-depth. A firewall is a system, or group of systems, that enforces an access control policy between networks. To defend against fast-moving and evolving attacks, you may need an intrusion detection systems (IDS), or the more scalable intrusion prevention systems (IPS). The four elements of secure communications are data integrity, origin authentication, data confidentiality, and data non-repudiation. Hash functions guarantee that message data has not changed accidentally or intentionally. Three well-known hash functions are MD5 with 128-bit digest, SHA hashing algorithm, and SHA-2. To add authentication to integrity assurance, use a keyed-hash message authentication code (HMAC). HMAC is calculated using any cryptographic algorithm that combines a cryptographic hash function with a secret key. Symmetric encryption algorithms using DES, 3DES, AES, SEAL, and RC are based on the premise that each communicating party knows the pre-shared key. Data confidentiality can also be ensured using asymmetric algorithms, including Rivest, Shamir, and Adleman (RSA) and the public key infrastructure (PKI). Diffie-Hellman (DH) is an asymmetric mathematical algorithm where two computers generate an identical shared secret key without having communicated before.

3.10.2 Securing Communications

Organizations must provide support to secure the data as it travels across links. This may include internal traffic, but it is even more important to protect the data that travels outside of the organization to branch sites, telecommuter sites, and partner sites. These are the four elements of secure communications:

Rivest, Shamir, and Adleman encryption algorithms (RSA)

RSA is for public-key cryptography that is based on the current difficulty of factoring very large numbers. It is the first algorithm known to be suitable for signing as well as encryption. It is widely used in electronic commerce protocols and is believed to be secure given sufficiently long keys and the use of up-to-date implementations. Key Length 512 to 2048

6. Which malware denies access to the infected computer system and demands payment before the restriction is removed?

Ransomware

Ransomware

Ransomware typically denies a user access to their files by encrypting the files and then displaying a message demanding a ransom for the decryption key. Users without up-to-date backups must pay the ransom to decrypt their files. Payment is usually made using wire transfer or crypto currencies such as Bitcoin.

3. What type of attack is port scanning?

Reconnaissance

3.5.3 Reconnaissance Attacks

Reconnaissance is information gathering. It is analogous to a thief surveying a neighborhood by going door-to-door pretending to sell something. What the thief is actually doing is looking for vulnerable homes to break into, such as unoccupied residences, residences with easy-to-open doors or windows, and those residences without security systems or security cameras. Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities. Recon attacks precede access attacks or DoS attacks. Some of the techniques used by malicious threat actors to conduct reconnaissance attacks are described in the table.

4. Which encryption method is a stream cipher and is used to secure web traffic in SSL and TLS?

Rivest cipher

5. Which malware is installed on a compromised system and provides privileged access to the threat actor?

Rootkit

Rootkit

Rootkits are used by threat actors to gain administrator account-level access to a computer. They are very difficult to detect because they can alter firewall, antivirus protection, system files, and even OS commands to conceal their presence. They can provide a backdoor to threat actors giving them access to the PC, and allowing them to upload files, and install new software to be used in a DDoS attack. Special rootkit removal tools must be used to remove them, or a complete OS re-install may be required.

Software-Optimized Encryption Algorithm (SEAL)

SEAL is a faster alternative symmetric encryption algorithm to DES, 3DES, and AES. It uses a 160-bit encryption key and has a lower impact on the CPU compared to other software-based algorithms.

SHA-3

SHA-3 is the newest hashing algorithm and was introduced by NIST as an alternative and eventual replacement for the SHA-2 family of hashing algorithms. SHA-3 includes SHA3-224 (224 bit), SHA3-256 (256 bit), SHA3-384 (384 bit), and SHA3-512 (512 bit). The SHA-3 family are next-generation algorithms and should be used whenever possible. While hashing can be used to detect accidental changes, it cannot be used to guard against deliberate changes that are made by a threat actor. There is no unique identifying information from the sender in the hashing procedure. This means that anyone can compute a hash for any data, as long as they have the correct hash function. For example, when the message traverses the network, a potential attacker could intercept the message, change it, recalculate the hash, and append it to the message. The receiving device will only validate against whatever hash is appended. Therefore, hashing is vulnerable to man-in-the-middle attacks and does not provide security to transmitted data. To provide integrity and origin authentication, something more is required. Note: Hashing algorithms only protect against accidental changes and does not protect the data from changes deliberately made by a threat actor.

2. Which attack is being used when threat actors gain access to the physical network, and then use an MiTM attack to capture and manipulate a legitimate user's traffic?

Session Hijacking

Spyware

Similar to adware, but used to gather information about the user and send to threat actors without the user's consent. Spyware can be a low threat, gathering browsing data, or it can be a high threat capturing personal and financial information.

1. What type of attack is tailgating?

Social Engineering

3.5.6 Social Engineering Attacks

Social engineering is an access attack that attempts to manipulate individuals into performing actions or divulging confidential information. Some social engineering techniques are performed in-person while others may use the telephone or internet. Social engineers often rely on people's willingness to be helpful. They also prey on people's weaknesses. For example, a threat actor could call an authorized employee with an urgent problem that requires immediate network access. The threat actor could appeal to the employee's vanity, invoke authority using name-dropping techniques, or appeal to the employee's greed. Information about social engineering techniques is shown in the table.

Something for Something

Sometimes called "Quid pro quo", this is when a threat actor requests personal information from a party in exchange for something such as a gift.

3. Which malware is used to gather information about a user and then, without the user's consent, sends the information to another entity?

Spyware

2. Which encryption method encrypts plaintext one byte or one bit at a time?

Stream cipher

3. Which encryption method uses the same key to encrypt and decrypt data?

Symmetric

3.10.7 Symmetric Encryption

Symmetric algorithms use the same pre-shared key to encrypt and decrypt data. A pre-shared key, also called a secret key, is known by the sender and receiver before any encrypted communications can take place. To help illustrate how symmetric encryption works, consider an example where Alice and Bob live in different locations and want to exchange secret messages with one another through the mail system. In this example, Alice wants to send a secret message to Bob. In the figure, Alice and Bob have identical keys to a single padlock. These keys were exchanged prior to sending any secret messages. Alice writes a secret message and puts it in a small box that she locks using the padlock with her key. She mails the box to Bob. The message is safely locked inside the box as the box makes its way through the post office system. When Bob receives the box, he uses his key to unlock the padlock and retrieve the message. Bob can use the same box and padlock to send a secret reply to Alice. Symmetric Encryption Example KeyKeyPre-Shared key$!@#IQEncryptMessageDecryptMessage Today, symmetric encryption algorithms are commonly used with VPN traffic. This is because symmetric algorithms use less CPU resources than asymmetric encryption algorithms. Encryption and decryption of data is fast when using a VPN. When using symmetric encryption algorithms, like any other type of encryption, the longer the key, the longer it will take for someone to discover the key. Most encryption keys are between 112 and 256 bits. To ensure that the encryption is safe, use a minimum key length of 128 bits. Use a longer key for more secure communications. Well-known symmetric encryption algorithms are described in the table.

1. Which attack exploits the three-way handshake?

TCP SYN Flood attack

Flow control

TCP implements flow control to address this issue. Rather than acknowledge one segment at a time, multiple segments can be acknowledged with a single acknowledgment segment.

Reliable delivery

TCP incorporates acknowledgments to guarantee delivery, instead of relying on upper-layer protocols to detect and resolve errors. If a timely acknowledgment is not received, the sender retransmits the data. Requiring acknowledgments of received data can cause substantial delays. Examples of application layer protocols that make use of TCP reliability include HTTP, SSL/TLS, FTP, DNS zone transfers, and others.

3.7.2 TCP Services

TCP provides these services:

2. Two hosts have established a TCP connection and are exchanging data. A threat actor sends a TCP segment with the RST bit set to both hosts informing them to immediately stop using the TCP connection. Which attack is this?

TCP reset attack

3. Which attack is being used when the threat actor spoofs the IP address of one host, predicts the next sequence number, and sends an ACK to the other host?

TCP session hijacking

TCP Session Hijacking

TCP session hijacking is another TCP vulnerability. Although difficult to conduct, a threat actor takes over an already-authenticated host as it communicates with the target. The threat actor must spoof the IP address of one host, predict the next sequence number, and send an ACK to the other host. If successful, the threat actor could send, but not receive, data from the target device.

Stateful communication

TCP stateful communication between two parties occurs during the TCP three-way handshake. Before data can be transferred using TCP, a three-way handshake opens the TCP connection, as shown in the figure. If both sides agree to the TCP connection, data can be sent and received by both parties using TCP.

Diffie-Hellman (DH)

The Diffie-Hellman algorithm allows two parties to agree on a key that they can use to encrypt messages they want to send to each other. The security of this algorithm depends on the assumption that it is easy to raise a number to a certain power, but difficult to compute which power was used given the number and the outcome. Key Length 512, 1024, 2048, 3072, 4096

3.8.4 DNS Attacks

The Domain Name System (DNS) protocol defines an automated service that matches resource names, such as www.cisco.com, with the required numeric network address, such as the IPv4 or IPv6 address. It includes the format for queries, responses, and data and uses resource records (RR) to identify the type of DNS response. Securing DNS is often overlooked. However, it is crucial to the operation of a network and should be secured accordingly. DNS attacks include the following: DNS open resolver attacks DNS stealth attacks DNS domain shadowing attacks DNS tunneling attacks DNS Open Resolver Attacks Many organizations use the services of publicly open DNS servers such as GoogleDNS (8.8.8.8) to provide responses to queries. This type of DNS server is called an open resolver. A DNS open resolver answers queries from clients outside of its administrative domain. DNS open resolvers are vulnerable to multiple malicious activities described in the table.

ESA/WSA (Email Security Appliance and Web Security Appliance)

The email security appliance (ESA) filters spam and suspicious emails. The web security appliance filters known and suspicious internet malware sites.

ARP Request

The figure shows how ARP cache poisoning works. PC-A requires the MAC address of its default gateway (R1); therefore, it sends an ARP Request for the MAC address of 192.168.10.1. Network topology shows a host, PC-A with IP 192.168.10.10 and MAC AA:AA:AA:AA:AA:AA, connected to a switch connected to a router with IP 192.168.10.1 and MAC A1:A1:A1:A1:A1:A1. Also connected to the switch is a threat actor host with IP 192.168.10.254 and MAC EE:EE:EE:EE:EE:EE. The ARP Cache on PC-A does not have an entry for 192.168.10.1. The ARP cache on the threat actor host has two entries; IP address 192.168.10.10 mapped to MAC address AA:AA:AA:AA:AA:AA and IP address 192.168.10.1 mapped to MAC A1:A1:A1:A1:A1:A1. PC-A is sending an ARP request for the MAC of 192.168.10.1. PC-AR1 IP: 192.168.10.10MAC: AA:AA:AA:AA:AA:AAIP: 192.168.10.254MAC: EE:EE:EE:EE:EE:EEIP: 192.168.10.1MAC: A1:A1:A1:A1:A1:A1Threat ActorARP Request: MAC of 192.168.10.1ARP Cache on PC-AARP Cache on PC-AIP AddressMAC Address192.168.10.1???? ARP Cache on Threat Actor HostARP Cache on Threat Actor HostIP AddressMAC Address192.168.10.10AA:AA:AA:AA:AA:AA192.168.10.1A1:A1:A1:A1:A1:A1 Note: There are many tools available on the internet to create ARP MITM attacks including dsniff, Cain & Abel, ettercap, Yersinia, and others.

Cisco Router HMAC Example

The figure shows how HMACs are used by Cisco routers that are configured to use Open Shortest Path First (OSPF) routing authentication. R1 is sending a link state update (LSU) regarding a route to network 10.2.0.0/16: 1. R1 calculates the hash value using the LSU message and the secret key. 2. The resulting hash value is sent with the LSU to R2. 3. R2 calculates the hash value using the LSU and its secret key. R2 accepts the update if the hash values match. If they do not match, R2 discards the update. The figure shows a Cisco router h m a c example. 1238b0bDx67NMop98b0bDx67NMop9R1R28b0bDx67NMop9 Secret KeyLink 1Network: 10.2.0.1/16IP address: 10.2.0.1Type of link: FastEthernetCost of that link: 19Neighbors: R2OSPF LSUHashHashLSU sent to R2Link 1Network: 10.2.0.1/16IP address: 10.2.0.1Type of link: FastEthernetCost of that link: 19Neighbors: R2SHA-1 or MD5SHA-1 or MD5Secret KeyLink 1Network: 10.2.0.1/16IP address: 10.2.0.1Type of link: FastEthernetCost of that link: 19Neighbors: R2OSPF LSU

Initiate a ping sweep of the target network

The information query usually reveals the target's network address. The threat actor can now initiate a ping sweep to determine which IP addresses are active.

3DES (Triple DES)

The is the replacement for DES and repeats the DES algorithm process three times. It should be avoided if possible as it is scheduled to be retired in 2023. If implemented, use very short key lifetimes.

3.4.3 Other Types of Malware

The table shows details about many different types of malware.

Non-blind spoofing

The threat actor can see the traffic that is being sent between the host and the target. The threat actor uses non-blind spoofing to inspect the reply packet from the target victim. Non-blind spoofing determines the state of a firewall and sequence-number prediction. It can also hijack an authorized session.

Blind spoofing

The threat actor cannot see the traffic that is being sent between the host and the target. Blind spoofing is used in DoS attacks.

Amplification

The threat actor forwards ICMP echo request messages to many hosts. These messages contain the source IP address of the victim.

Perform an information query of a target

The threat actor is looking for initial information about a target. Various tools can be used, including the Google search, organizations website, whois, and more.

Run exploitation tools

The threat actor now attempts to discover vulnerable services that can be exploited. A variety of vulnerability exploitation tools exist including Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.

IP Vulnerabilities and Threats 3.6.1 Video - Common IP and ICMP Attacks

There are even more types of attacks than the ones discussed in the previous topics. Some specifically target IP vulnerabilities, as you will learn in this topic. Click Play in the figure to view a video about common IP and ICMP attacks.

3.10.4 Hash Functions

There are four well-known hash functions. MD5 with 128-bit Digest Developed by Ron Rivest and used in a variety of internet applications, MD5 is a one-way function that produces a 128-bit hashed message. MD5 is considered to be a legacy algorithm and should be avoided and used only when no better alternatives are available. It is recommended that SHA-2 or SHA-3 be used instead. Plaintext Message MD5 Hash Function 128-bit Hashed Message In the figure, a plaintext message is passed through an MD5 hash function. The result is a 128-bit hashed message.

3.10.6 Data Confidentiality

There are two classes of encryption used to provide data confidentiality. These two classes differ in how they use keys. Symmetric encryption algorithms such as Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES) are based on the premise that each communicating party knows the pre-shared key. Data confidentiality can also be ensured using asymmetric algorithms, including Rivest, Shamir, and Adleman (RSA) and the public key infrastructure (PKI). Note: DES is a legacy algorithm and should not be used. 3DES should be avoided if possible.The figure highlights some differences between each encryption algorithm method. The figure shows the differences between symmetric and asymmetric encryption. Characteristics of symmetric encryption include: use the same key to encrypt and decrypt data; key lengths are short (40 bits - 256 bits); faster than asymmetric encryption; and commonly used for encrypting bulk data such as in VPN traffic. Characteristics of asymmetric encryption include: uses different keys to encrypt and decrypt data; key lengths are long (512 bits - 4096 bits); computationally tasking therefore slower than symmetric encryption; and commonly used for quick data transactions such as HTTPS when accessing your bank data.

Reflection

These hosts all reply to the spoofed IP address of the victim to overwhelm it.

Rivest ciphers (RC) series algorithms

This algorithm was developed by Ron Rivest. Several variations have been developed, but RC4 is the most prevalent in use. RC4 is a cipher that was used to secure web traffic. It has been found to have multiple vulnerabilities which have made it insecure. RC4 should not be used.

Pretty Good Privacy (PGP)

This computer program provides cryptographic privacy and authentication. It is often used to increase the security of email communications.

ASA Firewall

This dedicated device provides stateful firewall services. It ensures that internal traffic can go out and come back, but external traffic cannot initiate connections to inside hosts.

Internet Key Exchange (IKE)

This is a fundamental component of IPsec VPNs.

Data Encryption Standard (DES)

This is a legacy symmetric encryption algorithm. It uses a short key length that makes it insecure for most current uses.

Secure Socket Layer (SSL)

This is now implemented as IETF standard Transport Layer Security (TLS).

Run vulnerability scanners

This is to query the identified ports to determine the type and version of the application and operating system that is running on the host. Examples of tools include Nipper, Secuna PSI, Core Impact, Nessus v6, SAINT, and Open VAS.

Initiate a port scan of active IP addresses

This is used to determine which ports or services are available. Examples of port scanners include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.

ICMP router discovery

This is used to inject bogus route entries into the routing table of a target host.

ICMP redirects

This is used to lure a target host into sending all traffic through a compromised device and create a MITM attack.

ICMP mask reply

This is used to map an internal IP network.

ICMP echo request and echo reply

This is used to perform host verification and DoS attacks.

ICMP unreachable

This is used to perform network reconnaissance and scanning attacks.

Shoulder surfing

This is where a threat actor inconspicuously looks over someone's shoulder to steal their passwords or other information.

Tailgating

This is where a threat actor quickly follows an authorized person into a secure location to gain access to a secure area.

Dumpster diving

This is where a threat actor rummages through trash bins to discover confidential documents.

Secure Shell (SSH)

This protocol provides a secure remote access connection to network devices.

AAA Server

This server contains a secure database of who is authorized to access and manage network devices. Network devices authenticate administrative users using this database.

Impersonation

This type of attack is where a threat actor pretends to be someone they are not to gain the trust of a victim.

Amplification and reflection attacks

Threat actors attempt to prevent legitimate users from accessing information or services using DoS and DDoS attacks.

Session hijacking

Threat actors gain access to the physical network, and then use an MITM attack to hijack a session.

3.6.5 Amplification and Reflection Attacks

Threat actors often use amplification and reflection techniques to create DoS attacks. The example in the figure illustrates how an amplification and reflection technique called a Smurf attack is used to overwhelm a target host.

Man-in-the-middle attack (MITM)

Threat actors position themselves between a source and destination to transparently monitor, capture, and control the communication. They could eavesdrop by inspecting captured packets, or alter packets and forward them to their original destination.

DNS cache poisoning attacks

Threat actors send spoofed, falsified record resource (RR) information to a DNS resolver to redirect users from legitimate sites to malicious sites. DNS cache poisoning attacks can all be used to inform the DNS resolver to use a malicious name server that is providing RR information for malicious activities.

Address spoofing attacks

Threat actors spoof the source IP address in an IP packet to perform blind spoofing or non-blind spoofing.

DNS amplification and reflection attacks

Threat actors use DoS or DDoS attacks on DNS open resolvers to increase the volume of attacks and to hide the true source of an attack. Threat actors send DNS messages to the open resolvers using the IP address of a target host. These attacks are possible because the open resolver will respond to queries from anyone asking a question.

3.6.3 ICMP Attacks

Threat actors use ICMP for reconnaissance and scanning attacks. They can launch information-gathering attacks to map out a network topology, discover which hosts are active (reachable), identify the host operating system (OS fingerprinting), and determine the state of a firewall. Threat actors also use ICMP for DoS attacks. Note: ICMP for IPv4 (ICMPv4) and ICMP for IPv6 (ICMPv6) are susceptible to similar types of attacks. Networks should have strict ICMP access control list (ACL) filtering on the network edge to avoid ICMP probing from the internet. Security analysts should be able to detect ICMP-related attacks by looking at captured traffic and log files. In the case of large networks, security devices such as firewalls and intrusion detection systems (IDS) detect such attacks and generate alerts to the security analysts. Common ICMP messages of interest to threat actors are listed in the table.

ICMP attacks

Threat actors use Internet Control Message Protocol (ICMP) echo packets (pings) to discover subnets and hosts on a protected network, to generate DoS flood attacks, and to alter host routing tables.

Domain Generation Algorithms

Threat actors use this technique in malware to randomly generate domain names that can then be used as rendezvous points to their command and control (C&C) servers.

Fast Flux

Threat actors use this technique to hide their phishing and malware delivery sites behind a quickly-changing network of compromised DNS hosts. The DNS IP addresses are continuously changed within minutes. Botnets often employ Fast Flux techniques to effectively hide malicious servers from being detected.

Double IP Flux

Threat actors use this technique to rapidly change the hostname to IP address mappings and to also change the authoritative name server. This increases the difficulty of identifying the source of the attack.

3.8.5 DNS Tunneling

Threat actors who use DNS tunneling place non-DNS traffic within DNS traffic. This method often circumvents security solutions when a threat actor wishes to communicate with bots inside a protected network, or exfiltrate data from the organization, such as a password database. When the threat actor uses DNS tunneling, the different types of DNS records are altered. This is how DNS tunneling works for CnC commands sent to a botnet: 1. The command data is split into multiple encoded chunks. 2. Each chunk is placed into a lower level domain name label of the DNS query. 3. Because there is no response from the local or networked DNS for the query, the request is sent to the ISP's recursive DNS servers. 4. The recursive DNS service will forward the query to the threat actor's authoritative name server. 5. The process is repeated until all the queries containing the chunks of are sent. 6. When the threat actor's authoritative name server receives the DNS queries from the infected devices, it sends responses for each DNS query, which contain the encapsulated, encoded CnC commands. 7. The malware on the compromised host recombines the chunks and executes the commands hidden within the DNS record. To stop DNS tunneling, the network administrator must use a filter that inspects DNS traffic. Pay close attention to DNS queries that are longer than average, or those that have a suspicious domain name. DNS solutions, like Cisco OpenDNS, block much of the DNS tunneling traffic by identifying suspicious domains.

3.10.5 Origin Authentication

To add authentication to integrity assurance, use a keyed-hash message authentication code (HMAC). HMAC uses an additional secret key as input to the hash function. Click each button for an illustration and explanation about origin authentication using HMAC.

3.9.4 IPS

To defend against fast-moving and evolving attacks, you may need cost-effective detection and prevention systems, such as intrusion detection systems (IDS), or the more scalable intrusion prevention systems (IPS). The network architecture integrates these solutions into the entry and exit points of the network. IDS and IPS technologies share several characteristics, as shown in the figure. IDS and IPS technologies are both deployed as sensors. An IDS or IPS sensor can be in the form of several different devices: A router configured with Cisco IOS IPS software A device specifically designed to provide dedicated IDS or IPS services A network module installed in an adaptive security appliance (ASA), switch, or router IPS Operation The operation shows how an IPS handles denied traffic. 1. The threat actor sends a packet destined for the target laptop. 2. The IPS intercepts the traffic and evaluates it against known threats and the configured policies. 3. The IPS sends a log message to the management console. 4. The IPS drops the packet. IDS and IPS technologies detect patterns in network traffic using signatures. A signature is a set of rules that an IDS or IPS uses to detect malicious activity. Signatures can be used to detect severe breaches of security, to detect common network attacks, and to gather information. IDS and IPS technologies can detect atomic signature patterns (single-packet) or composite signature patterns (multi-packet).

3.9.2 The Defense-in-Depth Approach

To ensure secure communications across both public and private networks, you must secure devices including routers, switches, servers, and hosts. Most organizations employ a defense-in-depth approach to security. This is also known as a layered approach. It requires a combination of networking devices and services working together. Consider the network in the figure. Protecting Against Network Attacks Several security devices and services are implemented to protect an organization's users and assets against TCP/IP threats.

1. Which encryption method repeats an algorithm process three times and is considered very trustworthy when implemented using very short key lifetimes?

Triple DES or 3DES

2. Which malware is non-self-replicating type of malware? It often contains malicious code that is designed to look like something else, such as a legitimate application or file. It attacks the device from within.

Trojan Horse

Keylogger Trojan Horse

Trojan horse actively attempts to steal confidential information, such as credit card numbers, by recording key strokes entered into a web form.

4. A program sends a flood of UDP packets from a spoofed host to a server on the subnet sweeping through all the known UDP ports looking for closed ports. This will cause the server to reply with an ICMP port unreachable message. Which attack is this?

UDP flood attack

3.7.4 UDP Segment Header and Operation

UDP is commonly used by DNS, TFTP, NFS, and SNMP. It is also used with real-time applications such as media streaming or VoIP. UDP is a connectionless transport layer protocol. It has much lower overhead than TCP because it is not connection-oriented and does not offer the sophisticated retransmission, sequencing, and flow control mechanisms that provide reliability. The UDP segment structure, shown in the figure, is much smaller than TCP's segment structure. UDP segment structure includes the following in order: source port (16), destination port (16), length (16), and checksum (16) followed by the application layer data (size varies) 8 BytesBit (0)Bit (15)Bit (16)Bit (31)Source Port (16)Destination Port (16)Length (16)Checksum (16)Application Layer Data (Size varies) Although UPD is normally called unreliable, in contrast to TCP's reliability, this does not mean that applications that use UDP are always unreliable, nor does it mean that UDP is an inferior protocol. It means that these functions are not provided by the transport layer protocol and must be implemented elsewhere if required. The low overhead of UDP makes it very desirable for protocols that make simple request and reply transactions. For example, using TCP for DHCP would introduce unnecessary network traffic. If no response is received, the device resends the request.

3.7.5 UDP Attacks

UDP is not protected by any encryption. You can add encryption to UDP, but it is not available by default. The lack of encryption means that anyone can see the traffic, change it, and send it on to its destination. Changing the data in the traffic will alter the 16-bit checksum, but the checksum is optional and is not always used. When the checksum is used, the threat actor can create a new checksum based on the new data payload, and then record it in the header as a new checksum. The destination device will find that the checksum matches the data without knowing that the data has been altered. This type of attack is not widely used. UDP Flood Attacks You are more likely to see a UDP flood attack. In a UDP flood attack, all the resources on a network are consumed. The threat actor must use a tool like UDP Unicorn or Low Orbit Ion Cannon. These tools send a flood of UDP packets, often from a spoofed host, to a server on the subnet. The program will sweep through all the known ports trying to find closed ports. This will cause the server to reply with an ICMP port unreachable message. Because there are many closed ports on the server, this creates a lot of traffic on the segment, which uses up most of the bandwidth. The result is very similar to a DoS attack.

Symmetric Encryption

Use the same key to encrypt and decrypt data. Key lengths are short (40 bits - 256 bits). Faster than asymmetric encryption. Commonly used for encrypting bulk data such as in VPN traffic.

Asymmetric Encryption

Uses different keys to encrypt and decrypt data. Key lengths are long (512 bits - 4096 bits). Computationally taxing therefore slower than symmetric encryption. Commonly used for quick data transactions such as HTTPS when accessing your bank data.

4. Which network security device is used to provide secure services with corporate sites and remote access support for remote users using secure encrypted tunnels?

VPN

Script virus

Virus attacks the OS interpreter which is used to execute scripts.

Boot sector virus

Virus attacks the boot sector, file partition table, or file system.

Firmware virus

Virus attacks the device firmware.

Program virus

Virus inserts itself in another executable program.

Macro virus

Virus uses the MS Office or other applications macro feature maliciously.

2. Which security term is used to describe a weakness in a system, or its design, that could be exploited by a threat?

Vulnerability

TCP and UDP Vulnerabilities 3.7.1 TCP Segment Header

While some attacks target IP, this topic discusses attacks that target TCP and UDP. TCP segment information appears immediately after the IP header. The fields of the TCP segment and the flags for the Control Bits field are displayed in the figure. The diagram shows the fields of a TCP segment header. The fields and their bit length are: Source port (16), destination port (16), sequence number (32), acknowledgement number (32), header length (4), reserved (6), control bits (6), window (16), checksum (16), urgent (16), options (0 or 32 if any). The header fields are followed by the application layer data (size varies). 20 BytesBit (0)Bit (15)Bit (16)Bit (31)Source Port (16)Destination Port (16)Sequence Number (32)Acknowledgment Number (32)Header Length (4)Window (16)Checksum (16)Urgent (16)Options (0 or 32 if any)Application Layer Data (Size varies)Reserved (6)ControlBits (6) The following are the six control bits of the TCP segment: URG - Urgent pointer field significant ACK - Acknowledgment field significant PSH - Push function RST- Reset the connection SYN - Synchronize sequence numbers FIN - No more data from sender

Wireless Hacking Tools

Wireless hacking tools are used to intentionally hack into a wireless network to detect security vulnerabilities. Examples of wireless hacking tools include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.

1. Which malware executes arbitrary code and installs copies of itself in the memory of the infected computer? The main purpose of this malware is to automatically replicate from system to system across the network.

Worm

8. To which category of security attacks does man-in-the-middle belong?

access

2. What causes a buffer overflow?

attempting to write more data to a memory location than that location can hold

3. Which objective of secure communications is achieved by encrypting data?

confidentiality

5. What three items are components of the CIA triad? (Choose three.)

confidentiality integrity availability

7. What specialized network device is responsible for enforcing access control policies between networks?

firewall

11. Which two types of hackers are typically classified as grey hat hackers? (Choose two.)

hacktivists vulnerability brokers

10. Which type of DNS attack involves the cybercriminal compromising a parent domain and creating multiple subdomains to be used during the attacks?

shadowing

13. A cleaner attempts to enter a computer lab but is denied entry by the receptionist because there is no scheduled cleaning for that day. What type of attack was just prevented?

social engineering

9. What is the role of an IPS?

to detect patterns of malicious traffic by the use of signature files

4. What type of malware has the primary objective of spreading across the network?

worm

Denial of Service Attack

A DoS attack prevents normal use of a computer or network by valid users. A DoS attack can flood a computer or the entire network with traffic until a shutdown occurs because of the overload. A DoS attack can also block traffic, which results in a loss of access to network resources by authorized users.

Sniffer Attack

A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet.

3.1.2 Vectors of Network Attacks

An attack vector is a path by which a threat actor can gain access to a server, host, or network. Attack vectors originate from inside or outside the corporate network, as shown in the figure. For example, threat actors may target a network through the internet, to disrupt network operations and create a denial of service (DoS) attack. External and Internal Threats InternetExternal ThreatCompromised HostInternal Threat Note: A DoS attack occurs when a network device or application is incapacitated and no longer capable of supporting requests from legitimate users. An internal user, such as an employee, can accidentally or intentionally: Steal and copy confidential data to removable media, email, messaging software, and other media. Compromise internal servers or network infrastructure devices. Disconnect a critical network connection and cause a network outage. Connect an infected USB drive into a corporate computer system. Internal threats have the potential to cause greater damage than external threats because internal users have direct access to the building and its infrastructure devices. Employees may also have knowledge of the corporate network, its resources, and its confidential data. Network security professionals must implement tools and apply techniques for mitigating both external and internal threats.

Exploit

An exploit is a mechanism that takes advantage of a vulnerability.

Threat Actor Tools 3.3.1 Video - Threat Actor Tools

As you learned in the previous topic, there are different types of hackers with different motivations for what they do. In this topic, you will learn about some of the tools these individuals use. Click Play in the figure to view a video about threat actor tools.

2. Which type of hacker is described in the scenario: From my laptop, I transferred $10 million to my bank account using victim account numbers and PINs after viewing recordings of victims entering the numbers.

Black Hat

4. Which type of hacker is described in the scenario: I used malware to compromise several corporate systems to steal credit card information. I then sold that information to the highest bidder.

Black Hat

3.3.5 Check Your Understanding - Threat Actor Tools

Check your understanding of threat actor tools by choosing the BEST answer to the following questions.

3.2.6 Check Your Understanding - Threat Actors

Check your understanding of threat actors by choosing the BEST type of threat actor for each description.

Hard Copy

Confidential data should be shredded when no longer required.

Current State of Cybersecurity 3.1.1 Current State of Affairs

Cyber criminals now have the expertise and tools necessary to take down critical infrastructure and systems. Their tools and techniques continue to evolve. Cyber criminals are taking malware to unprecedented levels of sophistication and impact. They are becoming more adept at using stealth and evasion techniques to hide their activity. Lastly, cyber criminals are exploiting undefended gaps in security. Network security breaches can disrupt e-commerce, cause the loss of business data, threaten people's privacy, and compromise the integrity of information. These breaches can result in lost revenue for corporations, theft of intellectual property, lawsuits, and can even threaten public safety. Maintaining a secure network ensures the safety of network users and protects commercial interests. Organizations need individuals who can recognize the speed and scale at which adversaries are amassing and refining their cyber weaponry. All users should be aware of security terms in the table. The terms start on the sixth card and end on the eleventh card. Assets must be identified and protected. Vulnerabilities must be addressed before they become a threat and are exploited. Mitigation techniques are required before, during, and after an attack.

3.1.3 Data Loss

Data is likely to be an organization's most valuable asset. Organizational data can include research and development data, sales data, financial data, human resource and legal data, employee data, contractor data, and customer data. Data loss or data exfiltration is when data is intentionally or unintentionally lost, stolen, or leaked to the outside world. The data loss can result in: Brand damage and loss of reputation Loss of competitive advantage Loss of customers Loss of revenue Litigation/legal action resulting in fines and civil penalties Significant cost and effort to notify affected parties and recover from the breach Common data loss vectors are displayed in the table. Network security professionals must protect the organization's data. Various Data Loss Prevention (DLP) controls must be implemented which combine strategic, operational and tactical measures.

Penetration Testing Tool

Description

Security Terms

Description

1. Which penetration testing tool uses algorithm schemes to encode the data, which then prevents access to the data?

Encryption Tools

Encryption Tools

Encryption tools use algorithm schemes to encode the data to prevent unauthorized access to the encrypted data. Examples of these tools include VeraCrypt, CipherShed, OpenSSH, OpenSSL, Tor, OpenVPN, and Stunnel.

3.3.3 Evolution of Security Tools

Ethical hacking involves many different types of tools used to test the network and keep its data secure. To validate the security of a network and its systems, many network penetration testing tools have been developed. It is unfortunate that many of these tools can be used by black hat hackers for exploitation. Black hat hackers have also created many hacking tools. These tools are created explicitly for nefarious reasons. White hat hackers must also know how to use these tools when performing network penetration tests. The table highlights categories of common penetration testing tools. Notice how some tools are used by white hats and black hats. Keep in mind that the list is not exhaustive as new tools are always being developed.

4. Which security term is used to describe a mechanism that takes advantage of a vulnerability?

Exploit

1. Which type of hacker is described in the scenario: After hacking into ATM machines remotely using a laptop, I worked with ATM manufacturers to resolve the security vulnerabilities that I discovered.

Gray Hat

3.2.2 Evolution of Hackers

Hacking started in the 1960s with phone freaking, or phreaking, which refers to using audio frequencies to manipulate phone systems. At that time, telephone switches used various tones to indicate different functions. Early hackers realized that by mimicking a tone using a whistle, they could exploit the phone switches to make free long-distance calls. In the mid-1980s, computer dial-up modems were used to connect computers to networks. Hackers wrote "war dialing" programs which dialed each telephone number in a given area in search of computers. When a computer was found, password-cracking programs were used to gain access. The table displays modern hacking terms and a brief description of each.

Password-Based Attacks

If threat actors discover a valid user account, the threat actors have the same rights as the real user. Threat actors could use that valid account to obtain lists of other users, network information, change server and network configurations, and modify, reroute, or delete data.

Data Modification Attack

If threat actors have captured enterprise traffic, they can alter the data in the packet without the knowledge of the sender or receiver.

Threat Actors 3.2.1 The Hacker

In the previous topic, you gained a high-level look at the current landscape of cybersecurity, including the types of threats and vulnerabilities that plague all network administrators and architects. In this topic, you will learn more details about particular types of threat actors. Hacker is a common term used to describe a threat actor. Originally the term referred to someone who was a skilled computer expert such as a programmer and a hack was a clever solution. The term later evolved into what we know of it today. As shown in the table, the terms white hat hacker, black hat hacker, and gray hat hacker are often used to describe a type of hacker.

3.0.3 Ethical Hacking Statement

In this module, learners may be exposed to tools and techniques used by cybercriminals to demonstrate various types of attacks. Unauthorized access to data, computer, and network systems is a crime in many jurisdictions and often is accompanied by severe consequences, regardless of the perpetrator's motivations. It is the learner's responsibility, as the user of this material, to be cognizant of and compliant with computer use laws.

3.2.3 Cyber Criminals

It is estimated that cyber criminals steal billions of dollars from consumers and businesses. Cyber criminals operate in an underground economy where they buy, sell, and trade attack toolkits, zero day exploit code, botnet services, banking Trojans, keyloggers, and much more. They also buy and sell the private information and intellectual property they steal. Cyber criminals target small businesses and consumers, as well as large enterprises and entire industries.

5. Which security term is used to describe the counter-measure for a potential threat or risk?

Mitigation

Mitigation

Mitigation is the counter-measure that reduces the likelihood or severity of a potential threat or risk. Network security involves multiple mitigation techniques.

3.0.2 What will I learn in this module?

Module Title: Network Security Concepts Module Objective: Explain how vulnerabilities, threats, and exploits can be mitigated to enhance network security. Topic Current State of Cybersecurity Topic Title Describe the current state of cybersecurity and vectors of data loss. Topic Threat Actors Topic Title Describe tools used by threat actors to exploit networks. Topic Malware Topic Title Describe malware types. Topic Common Network Attacks Topic Title Describe common network attacks. Topic IP Vulnerabilities and Threats Topic Title Explain how IP vulnerabilities are exploited by threat actors. Topic IP Services Topic Title Explain how IP services are exploited by threat actors. Topic Network Security Best Practices Topic Title Describe best practices for protecting a network. Topic Cryptography Topic Title Describe common cryptographic processes used to protect data in transit.

Network Scanning and Hacking Tools

Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples of scanning tools include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.

Malware 3.4.1 Overview of Malware

Now that you know about the tools that hacker use, this topic introduces you to different types of malware that hackers use to gain access to end devices. End devices are particularly prone to malware attacks. It is important to know about malware because threat actors rely on users to install malware to help exploit the security gaps. Click Play to view an animation of the three most common types of malware.

Removable Media

One risk is that an employee could perform an unauthorized transfer of data to a USB drive. Another risk is that a USB drive containing valuable corporate data could be lost.

3. Which penetration testing tool is used to probe and test a firewall's robustness?

Packet Crafting Tools

Password Crackers

Password cracking tools are often referred to as password recovery tools and can be used to crack or recover a password. This is accomplished either by removing the original password, after bypassing the data encryption, or by outright discovery of the password. Password crackers repeatedly make guesses in order to crack the password. Examples of password cracking tools include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.

Improper Access Control

Passwords or weak passwords which have been compromised can provide a threat actor with easy access to corporate data.

6. Which security term is used to describe the likelihood of a threat to exploit the vulnerability of an asset, with the aim of negatively affecting an organization?

Risk

Risk

Risk is the likelihood of a threat to exploit the vulnerability of an asset, with the aim of negatively affecting an organization. Risk is measured using the probability of the occurrence of an event and its consequences.

Cloud Storage Devices

Sensitive data can be lost if access to the cloud is compromised due to weak security settings.

3.2.5 State-Sponsored Hackers

State-sponsored hackers create advanced, customized attack code, often using previously undiscovered software vulnerabilities called zero-day vulnerabilities. An example of a state-sponsored attack involves the Stuxnet malware that was created to damage Iran's nuclear enrichment capabilities.

3.4.2 Viruses and Trojan Horses

The first and most common type of computer malware is a virus. Viruses require human action to propagate and infect other computers. For example, a virus can infect a computer when a victim opens an email attachment, opens a file on a USB drive, or downloads a file. The virus hides by attaching itself to computer code, software, or documents on the computer. When opened, the virus executes and infects the computer. Viruses can: Alter, corrupt, delete files, or erase entire drives. Cause computer booting issues, and corrupt applications. Capture and send sensitive information to threat actors. Access and use email accounts to spread. Lay dormant until summoned by the threat actor. Modern viruses are developed for specific intent such as those listed in the table.

Virus

The first and most common type of computer malware is a virus. Viruses require human action to propagate and infect other computers. For example, a virus can infect a computer when a victim opens an email attachment, opens a file on a USB drive, or downloads a file. The virus hides by attaching itself to computer code, software, or documents on the computer. When opened, the virus executes and infects the computer. Viruses can: Alter, corrupt, delete files, or erase entire drives. Cause computer booting issues, and corrupt applications. Capture and send sensitive information to threat actors. Access and use email accounts to spread. Lay dormant until summoned by the threat actor.

Cyber criminals

These are black hat hackers who are either self-employed or working for large cybercrime organizations.

State-Sponsored

These are either white hat or black hat hackers who steal government secrets, gather intelligence, and sabotage networks. Their targets are foreign governments, terrorist groups, and corporations. Most countries in the world participate to some degree in state-sponsored hacking.

White Hat Hackers

These are ethical hackers who use their programming skills for good, ethical, and legal purposes. White hat hackers may perform network penetration tests in an attempt to compromise networks and systems by using their knowledge of computer security systems to discover network vulnerabilities. Security vulnerabilities are reported to developers for them to fix before the vulnerabilities can be exploited.

Hacktivists

These are gray hat hackers who publicly protest organizations or governments by posting articles, videos, leaking sensitive information, and performing network attacks.

Gray Hat Hackers

These are individuals who commit crimes and do arguably unethical things, but not for personal gain or to cause damage. Gray hat hackers may disclose a vulnerability to the affected organization after having compromised their network.

Hacking Operating Systems

These are specially designed operating systems preloaded with tools optimized for hacking. Examples of specially designed hacking operating systems include Kali Linux, Knoppix, BackBox Linux.

Script Kiddies

These are teenagers or inexperienced hackers running existing scripts, tools, and exploits, to cause harm, but typically not for profit.

Black Hat Hackers

These are unethical criminals who compromise computer and network security for personal gain, or for malicious reasons, such as attacking networks.

Vulnerability Broker

These are usually gray hat hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or rewards.

Debuggers

These tools are used by black hats to reverse engineer binary files when writing exploits. They are also used by white hats when analyzing malware. Debugging tools include GDB, WinDbg, IDA Pro, and Immunity Debugger.

Forensic Tools

These tools are used by white hat hackers to sniff out any trace of evidence existing in a computer. Example of tools include Sleuth Kit, Helix, Maltego, and Encase.

Packet Sniffers

These tools are used to capture and analyze packets within traditional Ethernet LANs or WLANs. Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip.

Packet Crafting Tools

These tools are used to probe and test a firewall's robustness using specially crafted forged packets. Examples include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.

Vulnerability Exploitation Tools

These tools identify whether a remote host is vulnerable to a security attack. Examples of vulnerability exploitation tools include Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.

Vulnerability Scanners

These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and scan VMs, BYOD devices, and client databases. Examples of tools include Nipper, Secunia PSI, Core Impact, Nessus v6, SAINT, and Open VAS.

Man-in-the-Middle Attack

This attack occurs when threat actors have positioned themselves between a source and destination. They can now actively monitor, capture, and control the communication transparently.

Rootkit Detectors

This is a directory and file integrity checker used by white hats to detect installed root kits. Example tools include AIDE, Netfilter, and PF: OpenBSD Packet Filter.

Eavesdropping Attack

This is when a threat actor captures and "listens" to network traffic. This attack is also referred to as sniffing or snooping.

3. Which security term is used to describe a potential danger to a company's assets, data, or network functionality?

Threat

3.3.4 Attack Types

Threat actors can use the previously mentioned attack tools, or a combination of tools, to create attacks. The table displays common types of attacks. However, the list of attacks is not exhaustive as new attack vulnerabilities are constantly being discovered.

3.3.2 Introduction to Attack Tools

To exploit a vulnerability, a threat actor must have a technique or tool. Over the years, attack tools have become more sophisticated, and highly automated. These new tools require less technical knowledge to implement. In the figure, drag the white circle across the timeline to view the relationship between the sophistication of attack tools versus the technical knowledge required to use them. Sophistication of Attack Tools vs. Technical Knowledge

Destructive Trojan Horse

Trojan horse corrupts or deletes files.

FTP Trojan Horse

Trojan horse enables unauthorized file transfer services on end devices.

Remote-access Trojan Horse

Trojan horse enables unauthorized remote access.

Data-sending Trojan Horse

Trojan horse provides the threat actor with sensitive data, such as passwords.

Denial of Service (DoS) Trojan Horse

Trojan horse slows or halts network activity.

Security software disabler Trojan Horse

Trojan horse stops antivirus programs or firewalls from functioning.

Proxy Trojan Horse

Trojan horse will use the victim's computer as the source device to launch attacks and perform other illegal activities.

3.2.4 Hacktivists

Two examples of hacktivist groups are Anonymous and the Syrian Electronic Army. Although most hacktivist groups are not well organized, they can cause significant problems for governments and businesses. Hacktivists tend to rely on fairly basic, freely available tools.

5. Which penetration testing tool identifies whether a remote host is susceptible to a security attack?

Vulnerability Exploitation Tools

Introduction 3.0.1 Why should I take this module?

Welcome to Network Security Concepts! Perhaps you've heard one of the hundreds of news stories about a data security breach within a large corporation or even a government. Was your credit card number exposed by a breach? Your private health information? Would you like to know how to prevent these data breaches? The field of network security is growing every day. This module provides a detailed landscape of the types of cybercrime and the many ways we have to fight back against cybercriminals. Let's get started!

3. Which type of hacker is described in the scenario: My job is to identify weaknesses in my company's network.

White Hat

5. Which type of hacker is described in the scenario: During my research for security exploits, I stumbled across a security vulnerability on a corporate network that I am authorized to access.

White Hat

6. Which type of hacker is described in the scenario It is my job to work with technology companies to fix a flaw with DNS.

White Hat