C480 Chapter 12

verickle's version from 2016-11-01 19:10

Security Fundamentals

Question | Answer
Confidentiality | keeping data private
Symmetric Encryption | the same key is used by both the sender and the receiver to encrypt or decrypt a packet (faster)
Asymmetric Encryption | different keys for the sender and the receiver of a packet (slower)
Data Encryption Standard (DES) | an older symmetric encryption algorithm (developed in the mid 1970s) using a 56-bit key. It is considered weak by today's standards.
Triple DES (3DES) | (symmetric) developed in the late 1990s, uses three 56-bit DES keys (for a total of 168 bits) and is usually considered a strong encryption algorithm.
Advanced Encryption Standard (AES) | released in 2001, is typically considered the preferred symmetric encryption algorithm
Integrity | ensures that data has not been modified in transit
Hashing | takes a string of data (such as a password) and runs it through an algorithm. The result of the algorithm is called a hash or a hash digest.
Message Digest 5 (MD5) | creates 128-bit hash digests
Secure Hash Algorithm 1 (SHA-1) | creates 160-bit hash digests
Availability | a measure of the data's accessibility

Categories of Network Attacks

Question | Answer
Confidentiality Attacks | attempts to make confidential data (for example, personnel records, usernames, passwords, credit card numbers, or e-mails) viewable by an attacker
Packet/Protocol Abuse | occurs when a hacking tool is used to craft a packet in a way other than what the protocol originally intended
Integrity Attacks | attempt to alter data
Availability Attacks | attempt to limit the accessibility and usability of a system. For example, if an attacker were able to consume the processor or memory resources on a target system, that system might be unavailable to legitimate users.
Denial of Service | sending the target system a flood of data or requests that consume the target system's resources
Distributed Denial of Service | an attacker compromises multiple systems, and those compromised systems, called zombies (collectively, a botnet), can be instructed by the attacker to simultaneously launch a DDoS attack against a target system
TCP SYN Flood | one variant of a DoS attack in which an attacker initiates multiple TCP sessions by sending SYN segments but never completes the three-way TCP handshake
Buffer Overflow | a program attempts to write more information than the buffer can accommodate
ICMP Attacks | attackers can use ICMP for DoS attacks

Confidentiality Attack Tactics

Question | Answer
Packet capture | A packet-capture (also known as packet sniffing) utility (such as Wireshark) can capture packets using a PC's network interface card (NIC) by placing the NIC in promiscuous mode. Some protocols, such as Telnet and HTTP, are sent in plain text. Therefore, these types of captured packets can be read by an attacker, perhaps allowing the attacker to see confidential information.
Ping sweep and port scan | A confidentiality attack might begin with a scan of network resources to identify attack targets on a network. A ping sweep could be used to ping a series of IP addresses. Ping replies might indicate to an attacker that network resources were reachable at those IP addresses. After a collection of IP addresses is identified, the attacker might scan a range of UDP or TCP ports to see what services are available on the hosts at the specified IP addresses. Also, port scans often help attackers identify the operating system running on a target system. These attacks are also commonly referred to as reconnaissance attacks.
Dumpster diving | Because many companies throw away confidential information without proper shredding, some attackers rummage through company dumpsters in hopes of discovering information that could be used to compromise network resources.
Electromagnetic interference (EMI) interception | Because data is often transmitted over wire (for example, unshielded twisted pair), attackers can sometimes copy information traveling over the wire by intercepting the EMI being emitted by the transmission medium. These EMI emissions are sometimes called emanations. Tempest was the name of a government project to study the ability to understand the data on a network by listening to the emanations. Tempest rooms are designed to keep emanations contained in that room to increase the security of data communications happening there.
Wiretapping | If an attacker gains physical access to a wiring closet, he might physically tap into telephone cabling to eavesdrop on telephone conversations, or he might insert a shared media hub inline with a network cable, allowing the attacker to connect to the hub and receive copies of packets flowing through the network cable.
Man-in-the-middle (MitM) | If an attacker can get in the direct path between a client and a server, the attacker can then eavesdrop on their conversation. If cryptography is being used and the attacker fools both the client and the server into building VPNs to the attacker instead of to each other, the attacker can see all the data in clear text. On a local Ethernet network, methods such as Address Resolution Protocol (ARP) spoofing, ARP cache poisoning, Dynamic Host Configuration Protocol (DHCP) spoofing, and Domain Name System (DNS) spoofing are all mechanisms that may be used to redirect a client's traffic through the attacker instead of directly to the server.
Social engineering | Attackers sometimes use social techniques (which often leverage people's desire to be helpful) to obtain confidential information. For example, an attacker might pose as a member of an organization's IT department and ask a company employee for his login credentials so that the "IT staff can test the connection."
Sending information over overt channels | An attacker might send or receive confidential information over a network using an overt channel. An example of using an overt channel is tunneling one protocol inside another (for example, sending instant-messaging traffic via HTTP). Steganography is another example of sending information over an overt channel. An example of steganography is sending a digital image made up of millions of pixels with "secret" information encoded in specific pixels, where only the sender and the receiver know which pixels represent the encoded information.
Sending information over covert channels | An attacker might send or receive confidential information over a network using a covert channel, which can communicate information as a series of codes/events. For example, binary data could be represented by sending a series of pings to a destination. A single ping within a certain period of time could represent a binary 0, and two pings within that same time period could represent a binary 1.
Malware | After a single machine in a company is compromised and is running malicious software, the attacker can then use that single computer to proceed further into the internal network, using the compromised host as a pivot point. The malware may have been implanted by an outside attacker or by a disgruntled inside employee. Antivirus and antimalware software should be run on all systems, and users should be given very limited rights related to installation of any software on the computers they use.
FTP bounce | FTP supports a variety of commands for setting up a session and managing file transfers. One of these commands is the PORT command, and it can, in some cases, be used by an attacker to access a system that would otherwise deny the attacker. Specifically, an attacker connects to an FTP server using the standard port of 21. However, FTP uses a secondary connection to send data. The client issues a PORT command to specify the destination port and destination IP address for the data transmission. Normally, the client would send its own IP address and an ephemeral port number. The FTP server would then use a source port of 20 and the destination port specified by the client when sending data to the client. However, an attacker might issue a PORT command specifying the IP address of a device they want to access, along with an open port number on that device. As a result, the targeted device might allow an incoming connection from the FTP server's IP address, while a connection coming in from the attacker's IP address would be rejected. Fortunately, most modern FTP servers do not accept a PORT command that specifies an IP address different from the client's own IP address.

Integrity Attacks

Question | Answer
Salami attack | A salami attack is a collection of small attacks that result in a larger attack when combined. For example, if an attacker has a collection of stolen credit card numbers, the attacker could withdraw small amounts of money from each credit card (possibly unnoticed by the credit card holders). Although each withdrawal is small, the combination of the multiple withdrawals results in a significant sum for the attacker.
Data diddling | The process of data diddling changes data before it is stored in a computing system. Malicious code in an input application or a virus could perform data diddling. For example, a virus, Trojan horse, or worm could be written to intercept keyboard input and, while displaying the appropriate characters onscreen (so that the user does not see an issue), enter manipulated characters into a database application or send them over a network.
Trust relationship exploitation | Different devices in a network might have a trust relationship between themselves. For example, a certain host might be trusted to communicate through a firewall using specific ports, while other hosts are denied passage through the firewall using those same ports. If an attacker were able to compromise the host that had a trust relationship with the firewall, the attacker could use the compromised host to pass normally denied data through the firewall. Another example of a trust relationship is a web server and a database server mutually trusting one another. In that case, if an attacker gained control of the web server, he might be able to leverage that trust relationship to compromise the database server.
Password attack | A password attack, as its name suggests, attempts to determine the password of a user. Once the attacker gains the username and password credentials, he can attempt to log in to a system as that user and inherit that user's set of permissions. Various approaches are available to determine passwords, including the following:
Trojan horse | A Trojan horse is a program that appears to be a useful application but might capture a user's password and then make it available to the attacker.
Packet capture | A packet-capture utility can capture packets seen on a PC's NIC. Therefore, if the PC can see a copy of a plain-text password being sent over a link, the packet-capture utility can be used to glean the password.
Keylogger | A program that runs in a computer's background and logs the keystrokes that a user makes. After a user enters a password, the password is stored in the log created by the keylogger. An attacker can then retrieve the log of keystrokes to determine the user's password.
Brute force | This attack tries all possible password combinations until a match is made. For example, the brute-force attack might start with the letter a and go through the letter z. Then the letters aa through zz are attempted, until the password is determined. Therefore, using a mixture of upper- and lowercase letters, in addition to special characters and numbers, can help mitigate a brute-force attack.
Dictionary attack | Similar to a brute-force attack, in that multiple password guesses are attempted. However, the dictionary attack is based on a dictionary of commonly used words, rather than the brute-force method of trying all possible combinations. Picking a password that is not a common word helps mitigate a dictionary attack.
Botnet | A software robot is typically thought of as an application on a machine that can be controlled remotely (for example, a Trojan horse or a backdoor in a system). If a collection of computers is infected with such software robots, called bots, this collection of computers (each of which is known as a zombie) is called a botnet. Because of the potentially large size of a botnet, it might compromise the integrity of a large amount of data.
Hijacking a session | An attacker could hijack a TCP session, for example, by completing the third step in the three-way TCP handshake process between an authorized client and a protected server. If an attacker successfully hijacked a session of an authorized device, he might be able to maliciously manipulate data on the protected server.
Banner grabbing | A process commonly used by hackers in which they connect to a device using protocols such as SMTP, Telnet, or HTTP and then trigger an error message that displays the banner. Using the information in the banner, they can look for weaknesses in the system.

Electrical Disturbances

Question | Answer
Power spikes | Excess power for a brief period of time
Electrical surges | Excess power for an extended period of time
Power fault | A brief electrical outage
Blackout | An extended electrical outage
Power sag | A brief reduction in power
Brownout | An extended reduction in power

Physical Controls

Question | Answer
Mantraps | A small space with two sets of interlocking doors
Network Closets and Server Rooms | Places where network hardware and servers are stored. Equipment is organized and kept safe from accidental damage or interference because it is not exposed to open areas.
Video Monitoring | Visual awareness of an organization can be increased by a video monitoring system.
Door Access Controls | Electronic keypads, card readers, intercoms

Security Policies

Question | Answer
Governing Policy | addresses security concepts deemed important to an organization
Technical Policies | provide a more detailed treatment of an organization's security policy, as opposed to the governing policy
Network Policies | a prescribed set of statements defining network functions. For a particular organization, it describes in detail the acceptable use policies for network equipment and the proper methods for upgrading, maintaining, and troubleshooting the network.
End-User Policies | address security issues and procedures relevant to end users
Standards | support consistency within a network
Guidelines | tend to be suggestions, for example, a series of best practices
Procedures | detailed documents that provide step-by-step instructions for completing specific tasks
Incident Response | how an organization reacts to a security violation
Motive | why the attacker committed the act

Vulnerability Scanners

Question | Answer
Vulnerability Scanners | applications designed to check for a variety of known weaknesses
Nessus | Tenable Network Security has a vulnerability scanning product called _____
Nmap | a publicly available scanner
Access control lists (ACLs) | rules usually applied to router interfaces that specify permitted and denied traffic