Network+ Guide to Networks Seventh Edition Chapter 8 Key Terms & Review Questions

Distributed reflector DoS (DRDoS) attack

A DoS attack bounced off of uninfected computers, called reflectors, before being directed at the target. This is achieved by spoofing the source IP address in the attack to make it look like all of the requests for response are being sent by the target, then all of the reflectors send their responses to the target, thereby flooding the target with traffic.

Friendly attack

A DoS situation that is created unintentionally and without malicious intent, such as when a Web site is flooded with an unexpectedly high amount of shopping traffic during a flash sale.

Honeypot

A decoy system isolated from legitimate systems and designed to be vulnerable to security exploits for the purposes of learning more about hacking techniques or nabbing a hacker in the act.

Lure

A decoy system, that, when attacked, can provide unique information about hacking behavior.

IPS (intrusion prevention system)

A dedicated device or software running on a workstation, server, or switch, that stands between the attacker and the network or host, and can prevent traffic from reaching the protected network or host.

IDS (Intrusion detection system)

A dedicated device or software running on a workstation, server, or switch, which might be managed from another computer on the network, and is used to monitor network traffic and create alerts when suspicious activity happens within the network.

Consent to monitoring

A document designed to make employees aware that their use of company equipment and accounts can be monitored and reviewed as needed for security purposes.

Application aware

A feature that enables a firewall to monitor and limit the traffic of specific applications, including the application's vendor and digital software.

Network-based firewall

A firewall configured and positioned to protect an entire network.

ACL (access control list)

A list of statements used by a router to permit or deny the forwarding of traffic on a network based on one or more criteria.

Honeynet

A network of honeypots.

Quarantine network

A network segment that is situated separately from sensitive network resources and might limit the amount of time a device can remain connected to the network. A quarantine network provides a relatively safe holding place for devices that do not meet compliance requirements or that are indicated to have been compromised.

Nessus

A penetration testing tool from Tenable Security that performs sophisticated vulnerability scans to discover information about hosts, ports, services, and hardware.

Metasploit

A penetration-testing tool that combines known scanning techniques and exploits to explore potentially new types of exploits.

Malware

A program or piece of code designed to intrude upon or harm a system or its resources.

Network access control (NAC)

A technology solution that balances the need for network access with the demands of network security by employing a set of rules, called network policies, to determine the level and type of access granted to a device when it joins a network. NAC authenticates and authorizes devices by verifying that the device complies with predefined security benchmarks, such as whether the device has certain system settings, or whether it has specific applications installed.

NIDS (network-based intrusion detection system)

A type of intrusion detection that protects an entire network and is situated at the edge of the network or in a network's protective perimeter, known as the DMZ (demilitarized zone). here, it can detect many types of suspicious traffic patterns.

HIDS (host-based intrusion detection system)

A type of intrusion detection that runs on a single computer, such as a client or server, to alert about attacks against that one host.

NIPS (network-based intrusion prevention system)

A type of intrusion prevention that protects an entire network and is situated at the edge of the network or in a network's DMZ.

Persistent agent

Agent software that is permanently installed on a device and that can provide robust security measures such as remote wipe, virus scanning, and mass messaging.

ARP cache poisoning

An attack in which attackers use fake ARP replies to alter ARP tables in a network.

Inbound traffic

Data received by a device on its way into a network.

Exploit

In context of network, security, the act of taking advantage of a vulnerability.

To assign rights that meet the needs of those groups.

Regarding managing security levels, why do network administrators create domain groups?

Hacking

The act of finding a creative way around a problem, increasing functionality of a device or program, or otherwise manipulating resources beyond their original intent.

Hacker

Traditionally, a person who masters the inner workings of computer hardware and software in an effort to better understand them. More generally, an individual who gains unauthorized access to systems or networks with or without malicious intent.

Data breach

Unauthorized access or use of sensitive data.

Content filtering and improved performance, reverse proxy.

What are the two primary features that give proxy servers an advantage over NAT?

Not being configured correctly.

What causes most firewall failures?

ARP performs no authentication, and so it is highly vulnerable to attacks.

What characteristic of ARP makes it particularly vulnerable to being used in a DoS attack?

Proxy server

(1) A network host that runs on a proxy service. Proxy servers are also called gateways. (2) On a SIP network, a server that accepts requests for location information from user agents, then queries the nearest registrar server on behalf of those user agents. if the recipient user agent is in the SIP proxy server's domain, then that server will also act as a go-between for calls established and terminated between the requesting user agent and the recipient user agent.

Zombie

A computer used without the owner's knowledge in a coordinated attack.

RF (Radio Frequency) emanation

A condition created by the leaking of radio or electrical signals from computer equipment. These signals can carry a surprising amount of information, which can be intercepted by a third party and used for their own purposes.

Security policy (configuration)

A configuration programmed into an operating system or firewall that defines the conditions that must be met in order for a device or transmission to be given access to a network or computing resourse.

Security policy (document)

A document or plan that identifies an organization's security goals, risks, levels of authority, designating security coordinator and team members, responsibilities for each team member, and responisbilties for each impoyee. In addition, it specifies how to address security breaches.

Stateful firewall

A firewall capable of a stateful inspection, in which it examines an incoming packet to determine whether it belongs to a currently active connection and is, therefore, a legitimate packet.

Next Generation Firewall (NGFW)

A firewall innovation that includes advanced, built-in features, including Application Control, IDS and/or IPS functionality, user awareness, and context awareness.

Virtual wire mode

A firewall installation in which the firewall is transparent to surrounding nodes, as if it were just part of the network transmission media.

Content-filtering firewall

A firewall that can block designated types of traffic from entering a protected network based on application data contained within packets.

Stateless firewall

A firewall that manages each incoming packet as a stand-alone entity without regard to currently active connections. Stateless firewalls are faster than stateful firewalls, but are not as sophisticated.

Host-based firewall

A firewall that only protects the computer on which it's installed.

Botnet

A group of computers requisitioned in coordinated DDoS attacks without the owners' knowledge or consent.

Domain local group

A group of workstations that is centrally managed via Active Directory for the entire network.

Reverse proxy

A host that provides services to Internet clients from servers on its own network. The reverse proxy provides identity protection for the server rather than the client. Reverse proxies are particularly useful when multiple Web servers are access through the same public IP address.

Slave zombie

A lower-layer host in a botnet.

Logic Bomb

A malicious program designed to start when certain conditions are met.

Hardening technique

A measure taken to help mitigate security risks to a network.

Buffer overflow

A memory problem in which a buffer's size is forced beyond its allotted space, causing the operating system to save data in adjacent memory areas. Older operating systems are vulnerable to buffer overflows.

Integrity checking

A method of comparing the current characteristics of files and disks against an archived version of these characteristics to discover any changed. The most common example of integrity checking involves using a checksum, though this tactic might not prove effective against malware with stealth capabilities.

Port mirroring

A monitoring technique in which one port on a switch is configured to send a copy of all its traffic to a second port.

Default password was never changed.

A neighbor hacks into your secured wireless network on a regular basis, but you didn't give him the password. What loophole was most likely left open?

Network segmentation

A network arrangement in which some portions of the network have been separated from the rest of the network in order to protect some resources while granting access to other resources.

Acceptable Use Policy (AUP)

A portion of the security policy that explains to users what they can and cannot do, and penalties for violations. It might also describe how these measures protect the network's security.

Phishing

A practice in which a person attempts to glean access or authentication information by posing as someone who needs that information.

Penetration testing

A process of scanning a network for vulnerabilities and investigating potential security flaws.

Trojan horse

A program that disguises itself as something useful, but actually harms your system.

Virus

A program that replicates itself to infect more computers, either through network connection when it piggybacks on other files or through exchange of external storage devices, such as USB drives, passed among users. Viruses might damage files or systems or simply annoy users by flashing messages or pictures on the screen or by causing the keyboard to beep.

Worm

A program that runs independently and travels between computers and across networks. Although worms do not alter other programs as viruses do, they can carry viruses.

IRC (internet relay chat)

A protocol that enables users running special IRC client software to communicate instantly with other participants in a chat room on the internet.

Packet-filtering firewall

A router (or a computer installed with software that enables it to act as a router) that examines the header of every packet of data that it receives to determine whether that type of packet is authorized to continue to its destination.

Network policy

A rule or set of rules that determines the level and type of access granted to a device when it joins a network.

Dynamic ARP inspection (DAI)

A security feature on a switch that monitors ARP messages in order to detect faked ARP messages.

DHCP snooping

A security feature on switches whereby DHCP messages on the network are checked and filtered.

Unified Threat Management (UTM)

A security strategy that combines multiple layers of security appliances and technologies into a single safety net.

Proxy service

A software application on a network host that acts as an intermediary between the extern and internal networks, screening all incoming and outgoing traffic and providing one address to the outside world, instead of revealing the addresses of internal LAN devices.

Agent

A software routine that collects data about a managed device's operation or compliance with security benchmarks, and provides this information to a network management application.

Backdoor

A software security flaw that can allow anauthorized users to gain access to a system. Legacy systems are particularly notorious for leaving these kinds of gaps in a network's overall security net.

TEMPEST

A specification created by the NSA to define protection standards against RF emanation, which when implemented are called EmSec (emission security).

Smurf attack

A threat to networked hosts in which the host is flooded with broadcast ping messages. A smurf attack is a type of denial-of-service attack.

HIPS (host-based intrusion prevention system)

A type of intrusion prevention that runs on a single computer, such as a client or server, to intercept and help prevent attacks against that one host.

Heuristic scanning

A type of virus scanning that attempts to identify malware by discovering malware-like behavior.

Polymorphic virus

A type of virus that changes its characteristics (such as the arrangement of its bytes, size, and internal instructions) every time it is transferred to a new system, making it harder to identify.

Stealth virus

A type of virus that hides itself to prevent detection. Typically, stealth viruses disguise themselves as legitimate programs or replace part of a legitimate program's code with their destructive code.

Wildcard mask

A variation of a network address that specifies a network segment (group of IP addresses) by using 0s in bits that must match the network address and 1s in bits that can hold any value. Wildcard masks are used in ACL statements to dictate which traffic can or cannot pass through.

File-infector virus

A virus that attaches itself to executable files. When the infected executable file runs, the virus copies itself to memory. Later, the virus attaches itself to other executable files.

Encrypted virus

A virus that in encrypted to protect detection.

Boot sector virus

A virus that positions its code on the boot sector of a computer's hard drive so that, when the computer boots up, the virus runs in place of the computer's normal system files. Boot sector viruses are commonly spread from external storage devices to hard disks.

Network virus

A virus that propagates itself via network protocols, commands, messaging programs, and data links. Although all viruses could theoretically travel across network connections, network viruses are specially designed to attack network vulnerabilities.

Macro virus

A virus that takes the form of a macro (such as the kind used in a word-processing or spreadsheet program), which may execute when the program is in use.

Vulnerability

A weakness of a system, process, or architecture that could lead to compromised information or unauthorized access to a network.

Group Policy (gpedit.msc)

A windows utility that is used to control what users can do and how the system can be used. Group Policy works by making entries in the Registry, applying scripts to Windows start-up, shutdown, and logon processes, and affecting security settings.

Dissolvable agent

Agent software that remains on a device long enough to verify compliance and complete authentication, and then uninstalls. Devices might be required to periodically reinstall the agent to complete the authentication process again.

Implicit deny

An ACL rule which ensures that any traffic the ACL does not explicitly permit is denied by default.

User awareness

An NGFW (Next Generation Firewall) feature that adapts a firewall's configuration to the class of a specific user or user group.

Context Aware

An NGFW (Next Generation Firewall) feature that enables a firewall to adapt to various applications, users, and devices.

Application Control

An NGFW (Next Generation Firewall) feature that gives a firewall some level of application awareness functionality, meaning the firewall can monitor and limit the traffic of specific applications, including the application's vendor and digital signature.

Security audit

An assessment of an organization's security vulnerabilities performed by an accredited network security firm.

Posture assesment

An assessment of an organization's security vulnerabilities. Posture assessments should be performed at least annually and preferably quarterly-- or sooner if the network has undergone significant changes. For each risk found, it should rate the severity of a potential breach , as well as its likelihood of happening.

Ping of death

An attack in which a buffer overflow condition is created by sending an ICMP packet that exceeds the maximum 65,535 bytes, often resulting in a system crash. Today's systems, however, are designed to resist these attacks.

Session hijacking attack

An attack in which a session key is intercepted and stolen so that an attacker can take control of a session. One type of session hijacking attack that relies on intercepted transmissions is a man-in-the-middle (MitM) attack.

Denial-of-service (DoS) attack

An attack in which a system becomes unable to function because it has been inundated with requests for services and can't respond to any of them. As a result, all data transmissions are disrupted.

FTP bounce

An attack in which an FTP client specifies a different host's IP address and port number for the requested data's destination. By commanding the FTP server to connect to a different computer, a hacker can scan the ports on other hosts and transmit malicious code. To thwart FTP bounce attacks, most modern FTP servers will not issue data to hosts other than the client that originated the request.

Flashing

An attack in which an Internet user sends commands to another Internet user's machine that case the screen to fill with garbage characters. A flashing attack causes the user to terminate their session.

IP Spoofing

An attack in which an outsider obtains internal IP addresses and then uses those addresses to pretend that he has authority to access a private network from the Internet.

Banner-grabbing attack

An attack in which hackers transmit bogus requests (or, sometimes, successful requests) for connection to servers or applications in order to harvest useful information to guide their attack efforts.

Distributed Dos (DDos) attack

An attack in which multiple hosts simultaneously flood a target host with traffic, rendering the target unable to function.

Amplification attack

An attack instigated using small, simple requests that trigger very large responses from the target. DNS, NTP, ICMP, and SNMP lend tehmselves to being used in these kinds of attacks.

Permanent DoS (PDoS) attack

An attack on a device that attempts to alter the device's management interface to the point where the device is irreparable.

Jamming

An attack on a wireless network in which an attacker creates a high volume of illegitimate wireless traffic and overwhelms the wireless network.

man-in-the-middle (MitM) attack

An attack that relies on intercepted transmission. It can take one of several forms, but in all cases a person redirects or captures secure data while in transit.

Zero-day exploit

An exploit that takes advantage of a software vulnerability that hasn't yet become public, and is known only to the hacker who discovered it. Zero-day exploits are particularly dangerous because the vulnerability is exploited before the software developer has the opportunity to provide a solution for it.

Reflector

An uninfected computer used in a DDoS attack where the computer is tricked into responding to a bogus request for a response, prompting the computer to send a response to the attacker's target.

Master zombie

An upper-layer host in a botnet.

Dropped Implicit deny

Any traffic that is not explicitly permitted in the ACL is ______, which is called the _________.

Layer 7

At what layer of the OSI model do proxy servers operate? a. Layer 3 b. Layer 2 c. Layer 7 d. Layer 4

Bot

Short for robot, a program that runs automatically. Bots can spread viruses or other malicious code between users in a chat room by exploiting the IRC protocol.

SIEM (Security Information and Event Management)

Software that can be configured to avaluate data logs from IDS, IPS, firewalls, and proxy servers in order to detect significant events that require the attention of IT staff according to predefined rules.

Port scanner

Software that searches a server, switch, router, or other device for open ports, which can be vulnerable to attack.

Spoofing

The act of impersonating fields of data in a transmission, such as when a source IP address is impersonated in the DRDoS attack.

Social engineering

The act of manipulating social relationships to circumvent network security measures and gain access to a system.

Signature scanning

The comparison of a file's content with known malware signatures (unique identifying characteristics in the code) in a signature database to determine whether the file is dangerous.

Emission Security (EmSec)

The implementation of TEMPEST, which is a specification created by the NSA to define protection standards against RF emanation.

Outbound traffic

Traffic attempting to exit a LAN.

To be a virus it must replicate itself with the intent to infect more computers.

What distinguishes a virus from other types of malware?

Active Directory

What feature of Windows Server allows for agentless authentication? a. Active Directory b. ACL (access control list) c. IDS (intrusion detection system) d. Network-based firewall

Content-Filtering firewall

What kind of firewall blocks traffic based on application data contained within the packets? a. Host-based firewall b. Content-filtering firewall c. Packet-filtering firewall d. Stateless firewall

Boot sector viruses

What kind of virus runs in place of the computer's normal system files? a. Worms b. Macro viruses c. File-infector viruses d. Boot sector viruses

Buffer overflow

What kind of vulnerability is exploited by a ping of death? a. Zero-day exploit b. Buffer overflow c. Social engineering d. Backdoor

Wrong people being able to log in.

What kinds of issues might indicate a misconfigured ACL?

UTM (Unified Threat Management)

What of the following features does not distinguish an NGFW from traditional firewalls? a. Application Control b. IDS and/or IPS c. User awareness d. UTM (Unified Threat Management)

Agent

What software might be installed on a device in order to authenticate it to the network? a. Operating system b. Security policy c. NAC (network access control) d. Agent

Because the vulnerability is exploited before the software developer has the opportunity to provide a solution for it.

What unique characteristic of zero-day exploits make them so dangerous?

Jamming

What wireless attack might a potential hacker execute with a specially configured transmitter? a. Jamming b. Vulnerability c. Evil twin d. Zero-day exploit

IDS creates alerts when suspicious activity happens. IPS prevents traffic from reaching the network.

What's the difference between an IDS and an IPS?

DRDoS (distributed reflector DoS) attack

Which type of DoS attack orchestrates an attack using uninfected computers? a. DDoS (distributed DoS) attack b. Smurf attack c. DRDoS (distributed reflector DoS) attack d. PDoS (permanent DoS) attack

Posture assessment

Your organization has just approved a special budget for a network security upgrade. What procedure should you conduct in order to make recommendations for the upgrade priorities? a. Data breach b. Security audit c. Exploitation d. Posture assessment