Chapter 19: Protecting Your Network

Agent

a process or program running within the computer that scans the computer to create an inventory of configuration information, resources, and assets. When the workstation attempts to connect to the network through a posture assessment-enabled device, it is the agent that answers the security query. Comes in two flavors: persistent agent and non-persistent agent.

Spyware

a function of any program that sends information about your system or your actions over the Internet

Trojan Horse

a piece of malware that looks or pretends to do one thing while, at the same time, doing something evil. Does not replicate.

Amplification (DoS)

a tactic that focuses on sending small requests that trigger large responses reflected at your target

Posture Assessment

a way to expose or catalog all the threats and risks facing an organization. Checks things like type and version of anti-malware, level of QoS, and type/version of operating system.

Defense in Depth

acknowledgment that the network is never completely secure; you should design your security posture with the assumption that every single defense can be beaten.

Non-Persistent Agent

agent that doesn't stay in a client's station memory. It is executed prior to login and may stay resident during the login session but is removed from client RAM when the login or session is complete.

What is a cross-platform method of responding to posture assessments?

an 802.1X supplicant in the form of either an agent or a client installed on a device

Services

an OS's important programs that run in the background

Exploit

an actual procedure for taking advantage of a vulnerability

Zero-Day Attacks (Network Threat)

an attack that leverages a previously unknown vulnerability that had zero days to fix or mitigate.

DNS Cache Poisoning

an attacker poisoning a DNS server's cache to point clients to an evil Web server instead of the correct one.

Rogue Devices (Network Threat)

an unauthorized node on a network

Virus Shields

anti-malware programs that passively monitor a computer's activity, checking for viruses only when certain events occur, such as a program executing or a file being downloaded.

Ransomware

any form of malware that makes you pay to get the malware to go away

Macro

any type of virus that exploits application macros to replicate and activate. A macro is also programming within an application that enables you to control aspects of the application.

Protocol Abuse (Network Threat)

anytime you do things with a protocol that it wasn't meant to do and that abuse ends up creating a threat

Phishing Attack (Social Engineering)

attacker poses as some sort of trusted site and solicits you to update your private/personal information, such as a credit card number

ARP Cache Poisoning (Network Threat)

attacks targeting ARP caches on hosts and MAC address tables on switches

Password Attacks (Network Threat)

bad actor uses various methods to discover a password, often comparing various potential passwords against known hashes of passwords

Logic Bomb

code written to execute when certain conditions are met, usually with malicious intent

On-Path Attack/Man-in-the-Middle Attack (Network Threat)

communication tapped into between two systems, covertly intercepting traffic, reading or changing the data, and then sending the data on. Perpetrated using ARP poisoning.

System Life Cycle Policies

cover everything from how to plan and provision new IT systems to asset disposal. Performing a factory reset/wipe configuration is sufficient for asset disposal.

DHCP Snooping

creates a database (DHCP snooping binding database) of MAC addresses for all of a network's known DHCP servers and clients

Crypto-Ransomware

crypto-malware that demands a ransom

Implicit Deny (Firewall)

denies a permission until the user or group is allowed to perform the permission

Malware (Network Threat)

describes any program or code that's designed to do something on a system or network that you don't want to have happen

Firewall

devices or software that protect an internal network from unauthorized access by acting as a filter. Can filter traffic coming in and going out of a network.

VLAN Hopping (Physical/Local Access Attack)

enables an attacker to access a VLAN they'd otherwise have no access to. Works by using a system connected to the VLAN and feeding the switch VLAN commands, convincing it to change your port to a trunk port.

Router Advertisement Guard (RA-Guard)

enables the switch to block router advertisements and router redirect messages that are not sent from trusted ports or don't match a policy

Availability (CIA)

ensures that systems and data are available whenever they are needed. Ensured in various ways, including system redundancy, data backups, business continuity, and other means.

Traffic Flood

excessive or malformed packets used to conduct DoS attacks on networks and hosts, targeting vulnerable switches through their switch ports

What can switches use to protect themselves against traffic floods?

flood guards: detect and block excessive traffic

Confidentiality Integrity and Availability (CIA)

foundations of the IT security trade. Put into practice through various security mechanisms and controls, each ensuring at least one goal of the CIA triad.

Rogue Anti-Malware

free anti-malware applications that are actually malware

Worm

functions similarly to a virus, though it replicates exclusively through networks

Physical DoS Attack

going to where the servers are located and shutting them down or disconnecting their Internet connections

Brute Force (Password Attack)

guessing every permutation of some part of data. Any attempt to guess the contents of some kind of data field that isn't obvious (or is hidden).

Session Hijacking (Network Threat)

intercepting a valid computer session to get authentication information

R U Dead Yet (RUDY) Attack (DoS)

mainly used on Web servers where the attacker fills out a Web form with a ton of content and opens a connection to submit it. The attacker takes their sweet time trickling a few bytes at a time to the server, tying up a connection the server needs to serve legitimate traffic.

DHCP Starvation Attack (DoS)

spoofing packets to the DHCP server, tricking it into giving away all of its leases. A technique used to encourage clients to switch to a rogue DHCP server that the attacker controls.

TEMPEST

standards created by the U.S. NSA that define how to shield systems; manifests in a number of different products (coverings for individual systems, wall coverings, and special window coatings)

Legacy Systems

systems that are no longer supported by the OS maker and are no longer patched. These systems should be updated if possible; if not, isolate them on a locked-down network segment with robust firewall rules for the support they need.

DoS attacks are separated in what two categories?

(1) tactics that focus on wasting resources with an overwhelming volume of requests; (2) tactics that waste resources in much more targeted ways

Denial of Service (Network Threat)

targeted attack on a server that provides some form of service on the Internet with the goal of making that service unable to process any incoming requests.

Botnet

A logical computer network of zombies under the control of an attacker.

How does DHCP snooping work?

If a system connected to an untrusted port starts sending DHCP server messages, the DHCP snooping-capable switch will block that system, stopping all unauthorized DHCP traffic and sending some form of alarm to the appropriate person.

Network Threat

Any form of potential attack against your network. Common threats include, but are not limited to: Spoofing, Packet/Protocol Abuse, Zero-Day Attacks, Rogue Devices, ARP Cache Poisoning, Denial of Service, On-Path Attack, Session Hijacking, Password Attacks, Physical/Local Access, Malware, and Social Engineering

Network Admission Control (NAC)

Cisco's version of Network Access Control

What protocols send credentials in cleartext that should not be used unless needed?

FTP, Telnet, and POP3. Cleartext credentials also pop up in poor configuration of applications that would otherwise be well protected (turning on the "no security" setting).

How does ARP cache poisoning work?

If a bad actor can get inside the network, he can send false ARP frames that each computer reads, placing evil data into their ARP caches. The bad actor pretends to be a router, switch, server, etc. The bad actor can now use man-in-the-middle attacks.

Distributed Denial of Service (DDoS) Attack

Many computers collaborate to shut down a target, usually by keeping it busy or overwhelming it with incoming requests.

Zombie (Bot)

Program on an infected machine that is activated to launch attacks on other machines under the control of an operator

Unintentional DoS Attack

Reddit Hug of Death / Slashdotting

What is a classic on-path/man-in-the-middle attack?

SSID spoofing: letting people connect to the rogue WAP controlled by the attacker

How are on-path/man-in-the-middle attacks mitigated these days?

TLS and certificate pinning

What protocols are insecure and do not provide encrypted channels that should not be used?

Telnet, HTTP, VNC, and basically any insecure protocol in the clear

RF Emanation

The transmission, intended or unintended, of radio frequencies. Transmissions may come from components that are intended to transmit RF (Wi-Fi card) or something less expected, such as a motherboard or keyboard. These emanations may be detected and intercepted, posing a potential threat to security.

Implementing Dynamic ARP Inspection (DAI) and DHCP snooping enhances switch port protection.

True

The solution to port scanning and banner grabbing is to not run unnecessary services (which result in open ports) on a host and to make sure that running processes have current security patches installed.

True

Using a firewall or ACL to block/filter ports can lead to a common network service issue such as blocked services, ports, or addresses.

True

Security and Maintenance

Windows 10 control panel tool that places an icon and pop up notification in the notification area whenever Windows detects a problem.

Integrity (CIA)

maintaining data and systems in a pristine, unaltered state when they are stored, transmitted, processed, and received, unless the alteration is intended due to normal processing. Maintained by the use of a variety of checks and other mechanisms, including hashing, data checksums, comparison with known or computed data values, and cryptographic means.

Replication (Virus)

makes copies of itself, often as code stored in boot sectors or as extra code added to the end of executable programs

Rootkit

malware taking advantage of very low-level system functions to both gain privileged access and hide from most anti-malware tools in operating systems, hypervisors, and even firmware

Reddit Hug of Death / Slashdotting

massive influx of traffic on a small or lesser-known Web site when it is suddenly made popular by a reference from the media

ARP Spoofing

message that links the attacker's MAC address to a legitimate network computer, client, or server

Separation of Duties

method in which a single user can't perform a task without direct involvement/observation by another party.

What two reasons make it important to not run any unnecessary services?

(1) most OSs use services to listen on open TCP/UDP ports (closing unnecessary services closes TCP/UDP ports); (2) services can be used as a tool for the use and propagation of malware

What is a method to avoid RF emanation?

place a filter between your systems and the emanated source.

What ports are easily susceptible to DoS attacks?

ports 20 and below

Spoofing (Network Threat)

pretending to be someone or something you are not by placing false information into your packets. Some flavors of spoofing are MAC spoofing, IP spoofing, ARP spoofing, e-mail address, web address, and username.

What might be a technique a malicious user might use?

probe hosts to identify any open ports (port scanning) and learn details about running services (known as banner grabbing)

Shoulder Surfing (Social Engineering)

process of surreptitiously monitoring people when they are accessing any kind of system, trying to ascertain passwords, PIN codes, or personal information

Virus

program that has two jobs: to replicate and to activate. Not a stand-alone program; only replicates to other applications on a drive or to other drives, such as flash drives or optical media.

Scapy

program that lets you generate malformed packets and send them to anyone

Adware

program that monitors the types of frequently viewed Web sites and uses that information to generate targeted advertisements, usually pop-up windows

Vulnerability

refers to an IT-specific weakness, like a problem with hardware, software, or configuration. Take steps to minimize risk, which in effect minimizes vulnerability.

Zero Trust

security philosophy that trust is never granted implicitly but must be continually evaluated. Means there is no "trusted" network where everyone connected is supposed to be connected, every device is malware free, and every resource is accessible.

What are common symptoms of a malware-infected client?

sluggishness, random crashes, and an increase in network traffic

Low-and-Slow Attack (DoS)

small number of cleverly crafted packets sent to the target, keeping it busy for as long as possible

Persistent Agent

small scanning program that, once installed on the computer, stays installed and runs every time the computer boots up. Performs a thorough inventory of each security-oriented element in the computer.

Deauthentication (Deauth) Attack (DoS)

targets 802.11 Wi-Fi networks specifically by sending out a frame that kicks a wireless client off its current WAP connection. A rogue WAP nearby often presents an automatic alternative option for connection; the rogue WAP connects the client to the Internet and then proceeds to collect data from that client. The attack targets a specific Wi-Fi frame called a deauthentication frame, normally used by a WAP to kick an unauthorized WAP off its network.

Dynamic ARP Inspection (DAI)

technology in switches that relies on the information DHCP snooping collects (essentially a list of known-good IP and MAC addresses). All ARP traffic (ARP requests) goes through the DAI-capable switch.

Confidentiality (CIA)

the goal of keeping unauthorized people from accessing, seeing, reading, or interacting with systems and data. Achieved through various means, including the use of permissions to data, encryption, and so on.

Social Engineering (Network Threat)

the process of using or manipulating people inside the networking environment to gain access to that network from the outside. The classic form is the telephone scam.

Internal Threats

threats posed by members of your organization

External Threats

threats posed by people and systems outside of your organization

Physical/Local Access (Network Threat)

threats that lurk right in your LAN. Dangerous because these threats don't need to worry about getting past your network edge defenses such as firewalls or WAPs.

Patch and Firmware Management

to disable unnecessary systems, to patch and upgrade software, and to upgrade firmware

Packet Abuse/Malformed Packets (Network Threat)

unwanted information injected into packets in an attempt to break another system

Posture Assessment Query

used in NAC to verify that a node meets certain criteria before it is allowed to connect to a network.

Command and Control (C2) Protocols

used to automate server controls over botnets, thus limiting the need for people once the initial zombification happens

Malicious User

users who intentionally attempt to access, steal, or damage resources. May be represented as an external or internal threat.

Crypto-Malware

uses some form of encryption to lock a user out of a system, usually encrypting the boot drive. In most cases the malware then forces the user to pay money to get the system decrypted (crypto-ransomware).

Dictionary Attack (Password Attack)

using a list of known words and partial words along with a program as the starting point for cracking passwords

Activation (Virus)

when a virus does something like erase the boot sector of a drive

Reflection (DoS)

when an attacker sends requests to normal servers with the target's IP address spoofed as the source. The normal servers respond to the spoofed address, overwhelming it with reflected traffic without identifying the true initiator. Often combined with amplification.

Attack

when someone tries to compromise your organization or its systems. The term also gets thrown around a lot to categorize different tactics, threats, and exploits.

Explicit Deny (Firewall)

when the administrator has selected the Deny option for a permission for a user or group. This Deny takes precedence over all allowed settings.

