Networking - Chapter 3
facial recognition
A biometric technology that looks for unique measurements in an individual's face.
access control list (ACL)
A clearly defined list of permissions attached to an object that specifies what actions an authenticated user may perform on a shared resource.
identity theft
A crime in which thieves collect enough data about a victim to impersonate that person in order to steal money or obtain benefits.
fingerprint recognition
A technique for authenticating computer users by scanning their fingerprints. Inexpensive, but imprecise and easy to deceive, so it is sufficient only for low-risk uses.
Distributed Denial of Service (DDoS)
An attack in which many compromised computers (zombies, or bots, often hundreds or thousands of them) in a botnet flood a target device with attack packets.
zero day attack
Attack between the time a software vulnerability is discovered and a patch to fix the problem is released.
Threat Environment
Attacks and attackers that companies face
digital certificate authentication
Authentication in which each party has a secret private key and a matching public key. The supplicant encrypts a challenge using its private key, and the verifier decrypts it using the true party's public key (in practice this is a digital signature over the challenge).
List the criminal groups beside the attackers that were involved in the overall process
Crimeware shops, online card shops, counterfeiters
How do viruses and worms differ?
Viruses attach themselves to programs on the infected computer, whereas worms are stand-alone programs that spread by themselves by exploiting vulnerabilities on other hosts.
Antivirus programs check for:
Viruses, worms, trojan horses and other forms of malware
For what application is SSL/TLS mostly used
Web applications because SSL/TLS is built into every webserver and browser today, so protection can be added at a negligible cost
cryptographic system
a bundle of protections that work automatically, including initial authentication, message by message protection for authentication, integrity, and confidentiality
In digital certificate authentication, the verifier sends this to a supplicant claiming to be the true party:
a challenge message
vulnerability
a flaw in a program that permits a specific attack or set of attacks against this program to succeed
personal identification number (PIN)
a form of authentication whereby the user supplies a number (4-6 digits) that only he or she knows
malware
a general term for evil, malicious software, such as spyware, computer viruses, and worms
script
a group of commands written in a simplified programming language, usually JavaScript. Executes when a webpage loads or the user takes a particular action.
password dictionaries typically have three types of entries
a list of common passwords, the words in standard dictionaries, and hybrid versions of those words (with capitalization, digits, or special characters added)
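The dictionary attack (and why a long password that appears in a cracker dictionary is still weak, while a long complex one forces a brute force search) can be shown end to end. This is an added example, not code from the chapter; it assumes a host that stores an unsalted SHA-256 hash of each password (a deliberately weak, constructed setup so the attack is visible), and the word lists are constructed samples rather than a real cracker dictionary.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
	"strings"
)

// Constructed sample entries. A real cracker dictionary holds millions of lines.
var commonPasswords = []string{"password", "123456", "qwerty", "letmein"}
var dictionaryWords = []string{"sunshine", "dragon", "computer", "antidisestablishmentarianism"}

// hybrids derives the third entry type: the word with capitalization,
// digits, and special characters added or substituted.
func hybrids(word string) []string {
	caps := strings.ToUpper(word[:1]) + word[1:]
	out := []string{caps}
	for _, suffix := range []string{"1", "123", "!", "2024"} {
		out = append(out, word+suffix, caps+suffix)
	}
	leet := strings.NewReplacer("a", "@", "o", "0", "e", "3", "i", "1", "s", "$")
	return append(out, leet.Replace(word), leet.Replace(caps))
}

// BuildDictionary assembles the three kinds of entries into one guess list.
func BuildDictionary() []string {
	dict := append([]string(nil), commonPasswords...)
	for _, w := range dictionaryWords {
		dict = append(dict, w)
		dict = append(dict, hybrids(w)...)
	}
	return dict
}

// HashPassword mimics the assumed host: unsalted SHA-256 (weak on purpose).
func HashPassword(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

// DictionaryAttack hashes every entry and compares it with the stored hash.
// It returns the recovered password and true on success.
func DictionaryAttack(storedHash string, dict []string) (string, bool) {
	for _, guess := range dict {
		if HashPassword(guess) == storedHash {
			return guess, true
		}
	}
	return "", false
}

// BruteForceGuesses is the number of candidates an exhaustive search must try
// for a password of the given length over an alphabet of the given size.
func BruteForceGuesses(alphabetSize, length int) float64 {
	return math.Pow(float64(alphabetSize), float64(length))
}

func main() {
	dict := BuildDictionary()
	for _, pw := range []string{"Dragon123", "antidisestablishmentarianism", "x7#Qp!2vL9wz"} {
		found, ok := DictionaryAttack(HashPassword(pw), dict)
		fmt.Printf("%-30s cracked=%v guess=%q\n", pw, ok, found)
	}
	// 95 printable ASCII characters, 12 positions: the only route left is brute force.
	fmt.Printf("brute force space for 12 printable chars: %.2e guesses\n", BruteForceGuesses(95, 12))
}
```

The 28-character dictionary word falls to the same loop as "qwerty" because length does not matter once the candidate is on the list; the 12-character random string survives the dictionary and leaves the attacker with roughly 5e23 brute force guesses.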
SPI firewalls only make a decision whether or not to pass:
a single packet when that packet is not a connection-opening attempt. The decision about the connection as a whole was already made when the connection-opening attempt was inspected, so ongoing packets need only a table lookup
firewall
a part of a computer system or network that is designed to block unauthorized access while permitting outward communication.
spear phishing
a phishing expedition in which the emails are carefully designed to target a particular person or organization
Firewalls pass all attack packets, even if they are suspicious, as long as they are not
a provable attack packet
Challenge message
a random bit string
exhaustive search
a search that continues until the test item is compared with all items in the memory set
How did attackers exfiltrate data from the Target network?
Data was collected by the POS malware at the terminal and sent both to the legitimate Target servers and to an internal holding server that stored it temporarily. The attackers then compromised another server (the extrusion server) that delivered the data to the attackers outside the Target network
Command control server
a server that, in a distributed denial-of-service (DDoS) attack, receives orders from the bot master and sends the attack command to the bots in the botnet. This intermediary makes the bot master difficult to identify
patch
a small program designed to fix a security vulnerability
Advanced Persistent Threat (APT)
a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments
certificate authority (CA)
a trusted organization that vouches for the identity of a person or organization by issuing a digital certificate, a document that distributes that party's public key
supplicant
a user that is trying to prove his or her identity in authentication
host to host virtual private network (VPN)
a VPN between two hosts that adds cryptographic protections (authentication, integrity, confidentiality) to communication over a network that otherwise lacks them
if a packet is not a provable attack packet, the firewall will
allow it to pass
Electronic signatures provide message integrity by:
allowing the receiver to detect if the packet is altered by an attacker while the packet is in transit
Behavioral patterns
an analysis of what the program is attempting to do (e.g. reformat the hard drive - an undeniable indication of malware)
Explain "advanced" in advanced persistent threats (APT)
attackers use extremely advanced techniques that often begin with a highly targeted spear phishing attack
Explain "persistence" in the context of advanced persistent threats (APT)
attacks are usually long term that can last weeks, months and even years
The issue for hacking is
authorization. Finding a user name and password that someone left lying around negligently does not amount to authorization to use them
why is facial recognition controversial
because it can be done surreptitiously (without the supplicant's knowledge) and that raises privacy issues
why do users not have to worry about the details of cryptographic processes when they are using a VPN
because the VPNs always use a cryptographic system, which is a bundle of protections that work automatically
iris recognition
biometric system; compares iris color patterns to database. expensive but precise and difficult to deceive
What is the person who controls a collection of compromised computers called?
bot master
What is a collection of compromised computers called?
botnet
Which programs directly attack the victim in a distributed denial of service (DDoS) attack?
bots
complex passwords can only be cracked by a
brute force attack
What type of adversary are most hackers today?
career criminals that hack for money
what type of organization will provide a verifier with the true party's digital certificate
certificate authority (CA)
spyware trojans
collect sensitive data and send the data to an attacker
botnet
collection of captured bot computers used in a distributed denial of service (DDoS) attack
To what computer does an attacker (bot master) send messages?
command control server
Good passwords have two characteristics
complex (a mix of upper and lower case letters, non-letter characters, and no regular pattern) and long (8-12 characters or more)
propagation vectors
computer-to-computer transmission methods
SSL/TLS
cryptographic protocols that provide communications security over a computer network
provable attack packet
data identified as malicious by firewall -- and then discarded
Application awareness
deep inspection gives next generation firewalls the ability to identify the type of application that created a particular stream of messages and permits the firewall to execute pass/drop rules based on application policies
Functionality found in Next-Generation Firewalls (NGFW)
deep inspection, application awareness, intrusion detection system functionality, intrusion prevention functionality, reputation management, NAT and VPN traversal, and wire-speed operation
An electronic signature allows the receiver to:
detect a message added to the dialogue by an imposter
contains the public key and other identification information of a user.
digital certificate
what electronic document contains the true party's public key?
digital certificate
strongest method of authentication
digital certificate authentication
if a packet is a provable attack packet, the firewall will
discard it
Advanced Encryption Standard (AES)
dominant symmetric key encryption cipher in use today
Reputation Management
External services that compile lists of websites and other resources with very good reputations (white lists) and very bad reputations (blacklists). These lists can be used to inform decisions about packets to and from these sites
Typical propagation vectors (worms)
email attachments, visits to websites (even legitimate ones), social networking sites, and many others (USB flash drives, peer-to-peer file sharing, etc.). These vectors rely on human gullibility, which is widespread but makes propagation slow
Next-Generation Firewalls
Firewalls that use deep inspection: they examine all fields in the internet and transport layer headers and also examine application layer content (including reassembling application messages from multiple segments)
Which employees are the most dangerous if they become an attacker/hacker?
IT and security employees because they already have access, know the systems, know how to avoid detection, and are trusted by the organization
Encryption for confidentiality
encrypting messages so that an eavesdropper who intercepts a message cannot read it. The sender uses a cipher and a key to turn the plaintext into ciphertext, and the receiver decrypts the ciphertext in order to read it
What three protections does cryptographic systems provide to every packet?
encryption for confidentiality provides message by message confidentiality, electronic signatures provide message by message authentication and message integrity
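The two protections above (confidentiality from a symmetric cipher, and per-message authentication and integrity from an authenticated tag) can be seen together in a single authenticated-encryption mode. This is an added example, not code from the chapter; it uses AES with a 256-bit key in GCM mode from Go's standard library, so one shared key serves both directions as the chapter describes for symmetric key encryption, and the sample message is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit key, the longest key length AES supports.
// Both sides of the dialogue share this one key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal protects one message. A fresh nonce is generated per message and prepended
// so the receiver can decrypt; GCM's authentication tag gives message-by-message
// integrity and authentication, the role the chapter assigns to electronic signatures.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts and verifies one message. It fails if the message was altered in
// transit or was not produced under the shared key (an impostor's message).
func Open(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ciphertext := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// Tamper simulates an attacker flipping one bit of the packet while it is in transit.
func Tamper(msg []byte) []byte {
	out := append([]byte(nil), msg...)
	out[len(out)/2] ^= 0x01
	return out
}

func main() {
	key, _ := NewKey()
	msg := []byte("constructed sample: transfer 100 to account 4242")
	sealed, _ := Seal(key, msg)
	fmt.Printf("ciphertext (%d bytes) hides %d plaintext bytes\n", len(sealed), len(msg))

	pt, err := Open(key, sealed)
	fmt.Printf("receiver reads: %q (err=%v)\n", pt, err)

	_, err = Open(key, Tamper(sealed))
	fmt.Printf("altered packet rejected: %v\n", err != nil)
}
```

The eavesdropper sees only the nonce and ciphertext; any altered bit, in the nonce, the ciphertext or the tag, makes Open return an error rather than a silently corrupted plaintext, which is the integrity check the chapter describes.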
In digital certificate authentication, what does the supplicant do?
encrypts the challenge message using their private key and sends the response message to the verifier
default rule (in an access control list)
ensures that unless a packet is explicitly allowed by an earlier rule, it is dropped and logged
approved connections table
In SPI, a connection is added to this if it is permitted by SPI. Each connection has a row containing the IP address and port number of the internal host (internal socket) and the IP address and port number of the external host (external socket) for each connection
career criminal hackers
In security, an attacker who is primarily interested in making money from security breaches.
Hacking
Intentionally accessing a computer without authorization, or exceeding authorized access
Intrusion Prevention System (IPS)
Intrusion detection systems (IDSs) that also drop packets that are not provable attack packets but for which there is sufficient confidence that they are attacks
How does a trojan horse differ from viruses, worms, and mobile code?
It cannot spread from one computer to another by itself. It must be placed there by another piece of malware, by a human attacker, or by downloading the program voluntarily
Stateful packet inspections (SPI) firewalls are inexpensive overall because:
It focuses on packets that are attempting to open a connection (<= 1% of packets) and uses less processing power for packets that are not attempting to open a connection (>= 99%) of all packets
In SPI, if a packet is not attempting to open a connection and it is not part of an approved connection
It must be spurious, and it is dropped and logged
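The three SPI decisions above (connection-opening attempts checked against the ACL with a drop-and-log default rule, packets on approved connections passed on a table lookup, everything else dropped and logged) fit in a short simulation. This is an added example, not code from the chapter; the internal address prefix, the two ACL rules and the packets are constructed, and a connection-opening attempt is taken to be a TCP segment with SYN set and ACK clear.

```go
package main

import (
	"fmt"
	"strings"
)

// Packet holds the only header fields an SPI firewall looks at: sockets and TCP flags.
type Packet struct {
	SrcIP, DstIP     string
	SrcPort, DstPort int
	SYN, ACK         bool
}

// Socket is an IP address plus port number.
type Socket struct {
	IP   string
	Port int
}

// Connection is one row of the approved connections table.
type Connection struct {
	Internal, External Socket
}

// Rule is one ACL entry, applied only to connection-opening attempts.
type Rule struct {
	Direction string // "ingress" (opened from outside) or "egress" (opened from inside)
	DstPort   int    // 0 matches any destination port
	Allow     bool
}

// SPIFirewall keeps the ACL, the approved connections table and the drop log.
type SPIFirewall struct {
	internalPrefix string // constructed: internal hosts are 10.0.0.x
	acl            []Rule // evaluated top to bottom; no match means the default rule
	approved       map[Connection]bool
	Log            []string
}

func NewSPIFirewall(internalPrefix string, acl []Rule) *SPIFirewall {
	return &SPIFirewall{internalPrefix: internalPrefix, acl: acl, approved: map[Connection]bool{}}
}

func (f *SPIFirewall) isInternal(ip string) bool { return strings.HasPrefix(ip, f.internalPrefix) }

// connectionOf maps a packet in either direction to its (internal, external) socket pair.
func (f *SPIFirewall) connectionOf(p Packet) Connection {
	if f.isInternal(p.SrcIP) {
		return Connection{Socket{p.SrcIP, p.SrcPort}, Socket{p.DstIP, p.DstPort}}
	}
	return Connection{Socket{p.DstIP, p.DstPort}, Socket{p.SrcIP, p.SrcPort}}
}

func (f *SPIFirewall) drop(p Packet, why string) bool {
	f.Log = append(f.Log, fmt.Sprintf("DROP %s:%d -> %s:%d (%s)", p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, why))
	return false
}

// Filter returns true when the packet is passed and false when it is dropped and logged.
func (f *SPIFirewall) Filter(p Packet) bool {
	conn := f.connectionOf(p)

	// State 1: connection-opening attempt. The expensive path: walk the ACL.
	if p.SYN && !p.ACK {
		dir := "ingress"
		if f.isInternal(p.SrcIP) {
			dir = "egress"
		}
		for _, r := range f.acl {
			if r.Direction == dir && (r.DstPort == 0 || r.DstPort == p.DstPort) {
				if !r.Allow {
					return f.drop(p, "denied by ACL rule")
				}
				f.approved[conn] = true // accepted: add a row to the table
				return true
			}
		}
		return f.drop(p, "default rule: no ACL rule matched")
	}

	// State 2: ongoing communication. The cheap path: one table lookup, nothing else.
	if f.approved[conn] {
		return true
	}
	return f.drop(p, "not part of an approved connection")
}

func main() {
	fw := NewSPIFirewall("10.0.0.", []Rule{
		{Direction: "egress", DstPort: 0, Allow: true},   // inside may open any outbound connection
		{Direction: "ingress", DstPort: 25, Allow: true}, // outside may open connections only to mail
	})
	fmt.Println(fw.Filter(Packet{SrcIP: "10.0.0.7", DstIP: "203.0.113.5", SrcPort: 51000, DstPort: 80, SYN: true}))
	fmt.Println(fw.Filter(Packet{SrcIP: "203.0.113.5", DstIP: "10.0.0.7", SrcPort: 80, DstPort: 51000, SYN: true, ACK: true}))
	fmt.Println(fw.Filter(Packet{SrcIP: "198.51.100.9", DstIP: "10.0.0.20", SrcPort: 4444, DstPort: 3389, SYN: true}))
	for _, line := range fw.Log {
		fmt.Println(line)
	}
}
```

Only the SYN packets ever touch the ACL; the SYN/ACK reply and every later segment of the web connection cost one map lookup, which is why the chapter describes SPI as spending its resources on the riskiest one percent of packets.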
What are the most frequent types of attacks on companies?
Malware attacks
downloaders
Malware that downloads and installs another program on the computer
Why is signature detection not sufficient for an antivirus program?
Many malware programs mutate, changing their signatures. Also, there are now too many malware programs to test for all malware signatures
What two protections do electronic signatures provide?
Message by message authentication and message integrity
What resources can hackers purchase and sell over the internet?
exploit programs with slick interfaces and prepaid annual updates, credit card information and identity information
Deep inspection
Next generation firewalls most fundamental function. Looks at everything in the packet, including the application message segment and all fields in the IP header and the TCP or UDP header. Also reassembles packet streams to read application messages
ingress filtering
filtering packets arriving at a network from the outside
Stateful Packet Inspection (SPI)
firewall filtering mechanism that treats different types of packets differently, spending more resources on the riskiest packets and less on the least risky
what is VPN traversal?
firewalls allow VPN traffic to traverse them without filtering (tradeoff between encryption security and filtering security)
Is it generally illegal to write malware in the United States?
No, it is not illegal to write malware, but it is illegal to release malware to do damage or to sell it to be used in that way
Does a firewall drop a packet if it probably is an attack packet?
No. It only drops provable attack packets
Are Bots limited to DDoS attacks?
No. They are general-purpose exploitation programs the botmaster can remotely update with new capabilities after installation
Are scripts normally bad?
No. scripts are normally benign but may be damaging if the browser has a vulnerability
Does all malware have a payload?
No; however, even malware without payloads can do damage such as cause a computer to run slowly or crash
Cons of reusable passwords
Often weak (easy to crack)
public key
One of the keys used in asymmetric encryption systems. It is widely distributed and available to everyone.
What gives bots flexibility?
Payloads. The bot master can upgrade bots remotely with new payloads that enhance their capabilities
payloads
Pieces of code that do damage
Cyberwar/cyberterrorism
Politically motivated attacks designed to compromise the electronic infrastructure of an enemy nation and disrupt its economy.
Trojan horses
Programs that come into a computer system disguised as something else
Why may employees, ex-employees, and other insiders become attackers?
Revenge or theft
The most common cryptographic system for browser-webserver VPNs is:
SSL/TLS (Secure Sockets Layer and Transport Layer Security)
SSL/TLS is an attractive cryptographic system for webservers because:
SSL/TLS is built into every webserver and browser today, so the cost of adding SSL/TLS protection is negligible
Mobile code on webpages
Scripts. HTML webpages can contain scripts called mobile code because they are downloaded with the webpage
How does security thinking differ from network thinking?
Security thinking anticipates the actions of intelligent adversaries who will try many things to succeed and will adapt to the defenses you put in place. Network thinking focuses on adequate capacity planning, software bugs, and mechanical breakdowns.
Symmetric Key Encryption
Sender and receiver use single, shared key
In digital certificate authentication, what does the verifier do?
Sends a supplicant a challenge message, receives the response message (the challenge message encrypted with the supplicant's private key), obtains the true party's public key, decrypts the response message using the true party's public key to see if the response produces the original challenge message
Wire-speed operations
firewalls can receive and process traffic at the full speed of the lines coming into them. They do this by relying on application-specific integrated circuits (ASICs) that process NGFW functions far more quickly than general-purpose processors
Most Denial of Service (DoS) attacks involve
flooding victim computers with attack packets - a distributed DoS attack
Intrusion Detection System (IDS)
focus specifically on identifying suspicious transmissions and log them for firewall administrators to examine. If the threat appears to be very serious, the IDS sends an alarm to firewall administrators. Can also produce false alarms that can dull vigilance
old school hackers
hackers driven by curiosity, a desire for power, and peer reputation
Dictionary attacks
hackers run through the password dictionary to see if a password is accepted for a username to break into a host
Social Engineering
hackers use their social skills to trick people into revealing access credentials or other valuable information, or into taking harmful actions (such as opening email attachments or visiting websites)
To prove its claim to being the true party, the supplicant encrypts the challenge message using
his or her private key
What protection does confidentiality provide?
if an eavesdropper intercepts a message, he or she will not be able to read it
true party
in digital certificate authentication, the supplicant first claims to be the true party
why are passwords widely used
inexpensive because they are built into operating systems and they are easy to use (users are familiar with them)
In SPI, if a packet is part of an established connection (in the approved connections table)
it is passed without further inspection
directly propagating worm
jumps to victim hosts directly, no action is required on the part of the victim, target hosts must have a specific vulnerability for this to succeed. Can spread with amazing speed.
Limitations to stateful packet inspection (SPI) firewalls
limited primarily to examining socket data (IP address and port number), cannot detect what application is actually using port 80, and cannot identify problems in streams of packets
password dictionaries
lists of passwords likely to succeed for a hacker to access a host
keys
long strings of bits
what types of passwords can only be broken into by brute force attacks
long, complex passwords
virus
malware that attaches itself to another program
worms
malware that is a stand-alone program that doesn't need to attach itself to another program
Cyberwar is conducted by
national governments
Can a password that can be broken into by a dictionary attack be adequately strong if it is very long
no password that is in a cracker dictionary is adequately strong, no matter how long it is
passwords are only useful for
nonsensitive assets
What kind of TCP packets attempt to open a connection
only TCP segments with the SYN flag set (and the ACK flag clear; a SYN/ACK is the reply on a connection already being opened)
States for stateful packet inspection firewall filtering
opening a connection and ongoing communication
vendors release this to close vulnerabilities
patch
weakness of long and complex passwords
people often write them down
access cards
permit door access, can be used for computer access
egress filtering is done to:
prevent sensitive corporate information from being transmitted outside the firm
credentials
proof of identity
Authentication
proving a sender's identity
digital certificate
public key of a person in a document, distributed by a certificate authority (CA)
application specific integrated circuits
purpose-built computer chips that can process NGFW functions far more quickly than traditional firewalls
The challenge of creating next generation firewalls
they require an extremely large amount of processing power, yet at the same time they must not delay traffic
two-factor authentication
requires two credentials for authentication. increases the strength of authentication
The most common authentication credential
reusable password
The weakest form of authentication
reusable password
proximity access cards
same as access cards, but don't need to swipe to gain access
Antivirus programs use what to detect malware?
signature detection and behavioral detection
what types of passwords are susceptible to dictionary attacks
simple passwords - common passwords, words in standard dictionaries, and hybrids of these things
Electronic signatures
small bit strings that provide message-by-message authentication
distinguish between social engineering in general and phishing
social engineering attacks generally try to trick the victim into doing something against personal or organization interests, phishing uses authentic looking emails and sites to do this
Most firewalls today use this firewall filtering mechanism
stateful packet inspection (SPI)
reusable password
string of characters user types to gain access to resources associated with a user name. Can be used repeatedly so it is reusable. It is also the weakest form of authentication, so it is appropriate only for the least sensitive assets
why must authentication be appropriate for the risks to an asset
strong authentication is expensive and often inconvenient so it is most appropriate for strong authentication to be used for very sensitive information. For relatively non-sensitive data, weaker but less expensive authentication methods may be sufficient
Cyberterror attacks are conducted by
terrorists
Stateful packet inspection (SPI) states and filtering intensity
the SPI firewall filtering focuses resources on the connection opening attempt (the riskiest state) and less on the ongoing communication (which is less risky)
firewall log file
the firewall copies information about each discarded packet in order to understand the types of attacks coming against the resources that the firewall is protecting
cipher
the generic term for a technique (or algorithm) that performs encryption
Denial of service (DoS) attacks
the goal is to make a computer or entire network unavailable to its legitimate users
firewall filtering mechanisms
the methods used by firewalls to examine packets to see if they are attack packets
SPI firewalls focus on which state?
the most risky - the opening state (versus the ongoing state)
verifier
the party requiring a supplicant to prove his or her identity in authentication
brute force attack
the password cracker tries every possible combination of characters
In digital certificate authentication, does the verifier decrypt with the true party's public key or the supplicant's public key?
the true party's public key (obtained from the digital certificate), never a key supplied by the supplicant, who may be an impostor
biometrics
the use of body measurements to authenticate you
cryptography
the use of mathematical operations to protect messages traveling between parties or stored on a computer
after propagation, viruses and worms execute:
their payloads. Payloads are malicious code that does damage such as erase hard disks or send users to porn sites when they mistype urls
Both firewalls and antivirus programs attempt to stop attacks, but:
they work at different levels. Firewalls work at the level of packets and groups of packets. Antivirus programs examine entire files.
What is the purpose of a denial of service (DoS) attack?
to make a computer or entire network unavailable to its legitimate users
exploit
to take advantage of; the act of breaking into a computer; the piece of software or procedure (or a combination) that is used to take over the host by sending exploit packets
why is it important to read firewall logs daily
to understand the types of attacks coming against the resources that firewalls are protecting
NAT and VPN traversal
traditional firewall functionality. VPN traversal passes encrypted traffic without inspection.
phishing attacks
type of social engineering attack that uses legitimate-looking e-mails or Web sites created in an attempt to obtain confidential data about a person
spam
unsolicited commercial email
Virtual Private Network (VPN)
uses the internet to create the appearance of private, secure connections
The earliest pieces of malware were?
viruses and worms
What is the name given to a vulnerability specific attack that occurs before a patch is available?
zero-day attack
Why are scripts call mobile code?
Because they travel with the downloaded webpage from the webserver to the browser
How did attackers gain access to Target's network?
Stole credentials from a Target vendor, likely through a spear phishing email to a vendor employee that tricked him or her into loading malware onto his or her machine. The attackers used the credentials to get access to the vendor server and used this to move more deeply into the Target network.
AES supports multiple strong key lengths up to:
256 bits
Why are cyberwar and cyberterror attacks especially dangerous?
3 reasons. (1)funding allows them to be extremely sophisticated; (2) they focus on doing damage instead of committing thefts; (3) they are likely to be directed against many targets simultaneously for massive damage
Hacking attacks typically take place in two stages:
(1) The exploit: the code, software, procedure, or combination of these that an attacker uses to take over the host by sending exploit packets (the word also means the act of breaking into a computer). (2) After the break-in: the attacker manually exploits the resource or leaves a Trojan horse behind for continuing automated exploitation
surreptitious
(adj.) stealthy, secret, intended to escape observation; made or accomplished by fraud
In two-way dialogues using symmetric key encryption, how many keys are used for encryption and decryption?
1
Benefits of reusable passwords
1. Ease of use for users (familiar) 2. Inexpensive because they are built into operating systems.
Steps for digital certificate authentication
1. The supplicant claims to be the true party. 2. The verifier tests the claim by sending the supplicant a challenge message. 3. The supplicant encrypts the challenge message using his or her private key and sends the response message to the verifier. 4. The verifier gets the true party's digital certificate (containing the true party's public key) from the certificate authority. 5. The verifier decrypts the response message using the true party's public key. If the result is the original challenge message, the supplicant is verified as the true party. NOTE: the verifier uses the public key of the true party, not a public key supplied by the supplicant
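The five steps above, together with the note that the verifier must use the true party's key, can be run end to end. This is an added example, not code from the chapter; the "CA" is a constructed in-memory map from names to certificates (a real CA issues signed X.509 certificates), the key pairs are generated on the fly, and what the chapter calls "encrypting the challenge with the private key" is implemented as an RSA-PSS signature over SHA-256, which is how the operation is done in practice.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Certificate stands in for the CA-issued document: a name and the public key it vouches for.
type Certificate struct {
	Subject   string
	PublicKey *rsa.PublicKey
}

// CA is a constructed stand-in for a certificate authority: it hands the verifier
// the certificate of whoever the supplicant claims to be.
type CA map[string]Certificate

// GenerateKeyPair creates a private key (kept secret) and its public key.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewChallenge returns the random bit string the verifier sends.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Respond is the supplicant's step: apply its private key to the challenge.
func Respond(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify is the verifier's check: does the response open with the TRUE PARTY's
// public key back to the original challenge?
func Verify(truePartyPub *rsa.PublicKey, challenge, response []byte) bool {
	digest := sha256.Sum256(challenge)
	return rsa.VerifyPSS(truePartyPub, crypto.SHA256, digest[:], response, nil) == nil
}

// Authenticate runs all five steps from the verifier's point of view.
// supplicantKey is whatever private key the supplicant actually holds.
func Authenticate(ca CA, claimedName string, supplicantKey *rsa.PrivateKey) (bool, error) {
	// 1. The supplicant claims to be claimedName. Anyone can make the claim.
	// 2. The verifier sends a fresh challenge.
	challenge, err := NewChallenge()
	if err != nil {
		return false, err
	}
	// 3. The supplicant responds with its own private key.
	response, err := Respond(supplicantKey, challenge)
	if err != nil {
		return false, err
	}
	// 4. The verifier fetches the TRUE PARTY's certificate from the CA,
	//    not a key the supplicant hands over.
	cert, ok := ca[claimedName]
	if !ok {
		return false, errors.New("no certificate on file for " + claimedName)
	}
	// 5. The verifier checks the response against the true party's public key.
	return Verify(cert.PublicKey, challenge, response), nil
}

func main() {
	alice, _ := GenerateKeyPair()
	mallory, _ := GenerateKeyPair()
	ca := CA{"alice": {Subject: "alice", PublicKey: &alice.PublicKey}}

	ok, _ := Authenticate(ca, "alice", alice)
	fmt.Println("alice proves she is alice:", ok)
	ok, _ = Authenticate(ca, "alice", mallory)
	fmt.Println("mallory claiming to be alice:", ok)
}
```

Mallory can produce a perfectly valid response with her own private key; it fails only because the verifier looks up Alice's certificate rather than accepting a public key from Mallory. The random challenge also defeats replay: a response recorded from an earlier exchange does not match a new challenge.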
To be considered strong, keys have to be at least how long?
100 bits
Anti-virus signature detection
AV programs look for malware signatures - snippets of code that indicate specific malware programs
What were the steps take by the attackers in the Target breach?
Stole credentials from a Target vendor, likely through a spear phishing email to a vendor employee that tricked him or her into loading malware onto his or her machine. The attackers used the credentials to get access to the vendor server and used this to move more deeply into the Target network. They uploaded POS malware purchased from an online crimeware shop to a malware download server within Target. The malware was downloaded to POS systems, where it collected magnetic stripe data from card swipes and sent it to the attackers as well as to the legitimate Target server. The attackers then sold the stolen data to counterfeiters.
egress filtering
The practice of monitoring and potentially restricting the flow of information outbound from one network to another
private key
The secret portion of an asymmetric key pair typically used to decrypt or digitally sign data. The private key is never shared and is always used for decryption, with one notable exception: The private key is used to encrypt the digital signature.
response message (in digital certificate authentication)
The supplicant encrypts the challenge message with his or her private key and sends it to the verifier
List the internal Target servers the attackers compromised
The vendor server, the malware download server (the internal target server that downloaded updates to POS systems), the holding server (server where data from POS terminals was stored temporarily); the Extrusion server (another servers that was used to deliver the data to attackers outside the Target network)
What is a problem with stateful packet inspection (SPI) firewalls?
They only look at IP addresses and port numbers in their rules. They do not look at everything in the packet, including at the application messages that are delivered
Why is two-factor authentication desirable?
Two-factor authentication increases the strength of authentication: an attacker must defeat two credentials rather than one
What is the biggest challenge with patches?
Users do not always install patches promptly or at all, so they remain vulnerable
credit card number theft
Uses stolen credit card numbers in unauthorized transactions