Study Guide - Summary PDF

Title: Study Guide - Summary
Author: Matthew Tee
Course: Bachelor of Science in Information Technology / Diploma in Information Technology Professional Practice
Institution: University of Technology Sydney
Pages: 162


Study Guide (Chapter 1, 11, 2, 3, 4, 5, 6, 7, 8, 9, 10)

Chapter 1 (Modern Network Security Threats) Study Guide

1.1.1 Explain the common network security terms - Vulnerability, threat, risk and mitigation

Vulnerability – This is defined as a weakness or flaw in the network. The vulnerability can be exploited by an attacker to negatively impact a network, or to access confidential data within an organisation. Sources of network vulnerabilities include weak and unsecure network protocols, configuration errors, or weak security policies.
Threat – This is the potential for a vulnerability to turn into a network attack. Threats include malware, exploits, and more.
Risk – This is the potential of a threat to exploit the vulnerabilities of an asset in order to negatively affect an organisation. Risk is measured using the probability of the occurrence of an event and its consequence.
Mitigation – This is the action of reducing the severity of the vulnerability. Network security involves multiple mitigation techniques.

1.1.2 Attacks can happen in any type of network; list the VM-specific threats

Hyperjacking – An attacker could hijack a VM hypervisor (VM controlling software) and then use it as a launch point to attack other devices on the data center network.
Instant On Activation – When a VM that has not been used for a period of time is brought online, it may have outdated security policies that deviate from the baseline security and can introduce security vulnerabilities.
Antivirus Storm – This happens when all VMs attempt to download antivirus data files at the same time.

1.1.2 List the core components of the Cisco secure data centre solution

Secure Segmentation – ASA devices and a Virtual Security Gateway integrated into the Cisco Nexus Series switches are deployed in a data center network to provide secure segmentation. This provides granular inter-virtual-machine security.
Threat Defense – ASAs and IPS devices in data center networks use threat intelligence, passive OS fingerprinting, and reputation and contextual analysis to provide threat defense.
Visibility – Visibility solutions are provided using software such as the Cisco Security Manager, which helps simplify operations and compliance reporting.

1.1.2 What do the critical Mobile Device Management features include?

Data Encryption – Most devices have built-in encryption capabilities, both at the device and file level. MDM features can ensure that only devices that support data encryption and have it enabled can access the network and corporate content.
PIN Enforcement – Enforcing a PIN lock is the first and most effective step in preventing unauthorised access to a device. Furthermore, strong password policies can also be enforced by an MDM, reducing the likelihood of brute-force attacks.
Data Wipe – Lost or stolen devices can be remotely fully or partially wiped, either by the user or by an administrator via the MDM.
Data Loss Prevention (DLP) – While data protection functions (like PIN locking, data encryption and remote data wiping) prevent unauthorised users from accessing data, DLP prevents authorised users from doing careless or malicious things with critical data.
Jailbreak/Root Detection – Jailbreaking (on Apple iOS devices) and rooting (on Android devices) are a means to bypass the management of a device. MDM features can detect such bypasses and immediately restrict a device’s access to the network or other corporate assets.

1.2.1.1 Distinguish between white hat hackers, grey hat hackers and black hat hackers

White Hat Hackers – These are ethical hackers who use their programming skills for good, ethical, and legal purposes. White hat hackers may perform network penetration tests in an attempt to compromise networks and systems by using their knowledge of computer security systems to discover network vulnerabilities. Security vulnerabilities are reported to developers for them to fix before the vulnerabilities can be exploited. Some organisations award prizes or bounties to white hat hackers when they inform them of a vulnerability.
Grey Hat Hackers – These are individuals who commit crimes and do arguably unethical things, but not for personal gain or to cause damage. An example would be someone who compromises a network without permission and then discloses the vulnerability publicly. Grey hat hackers may disclose a vulnerability to the affected organisation after having compromised their network. This allows the organisation to fix the problem.
Black Hat Hackers – These are unethical criminals who violate computer and network security for personal gain, or for malicious reasons, such as attacking networks. Black hat hackers exploit vulnerabilities to compromise computer and network systems.

1.2.1.2 Identify hacktivists, state-sponsored hackers, script kiddies, cyber criminals and vulnerability brokers

Hacktivists – These are grey hat hackers who rally and protest against different political and social ideas. Hacktivists publicly protest against organisations or governments by posting articles and videos, leaking sensitive information, and performing distributed denial of service (DDoS) attacks. Hacktivists do not hack for profit; they hack for attention. They are usually politically or socially motivated cyber attackers who use the power of the Internet to promote their message. Two examples of hacktivist groups are Anonymous and the Syrian Electronic Army. Although most hacktivist groups are not extremely organized, they can cause significant problems for governments and businesses. Hacktivists tend to rely on fairly basic, freely available tools.
State-Sponsored Hackers – Depending on a person’s perspective, these are either white hat or black hat hackers who steal government secrets, gather intelligence, and sabotage networks. Their targets are foreign governments, terrorist groups, and corporations. Most countries in the world participate to some degree in state-sponsored hacking. State-sponsored cyber hackers are the newest type of hacker. These are government-funded and guided attackers, ordered to launch operations that vary from cyber espionage to intellectual property theft. Many countries sponsor these hackers but very few will publicly admit they exist. Nations hire the best talent to create the most advanced and stealthy threats. State-sponsored hackers create advanced, customized attack code, often using previously undiscovered software vulnerabilities. An example of a state-sponsored attack involves the Stuxnet malware that was created to damage Iran’s nuclear enrichment capabilities.
Script Kiddies – The term emerged in the 1990s and refers to teenagers or inexperienced hackers running existing scripts, tools, and exploits to cause harm, but typically not for profit.
Cyber Criminals – These are black hat hackers who are either self-employed or working for large cybercrime organisations. Each year, cyber criminals are responsible for stealing billions of dollars from consumers and businesses. Cyber criminals are black hat hackers with the motive to make money using any means necessary. While sometimes these are lone wolves working independently, they are more often financed and sponsored by criminal organizations. It is estimated that globally, cyber criminals steal billions of dollars from consumers and businesses. Cyber criminals operate in an underground economy where they buy, sell, and trade attack toolkits, zero-day exploit code, botnet services, banking Trojans, keyloggers, and much more. They also buy and sell the private information and intellectual property they steal from victims. Cyber criminals target small businesses and consumers, as well as large enterprises and industry verticals.
Vulnerability Broker – These are usually grey hat hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or rewards.

1.2.2.2 Brief different kinds of penetration testing tools

Password Crackers – Passwords are the most vulnerable security threat. Password cracking tools are often referred to as password recovery tools and can be used to crack or recover the password. This is accomplished either by removing the original password, after bypassing the data encryption, or by outright discovery of the password. Password crackers repeatedly make guesses in order to crack the password and access the system. Examples of password cracking tools include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.
Wireless Hacking Tools – Wireless networks are more susceptible to network security threats. Wireless hacking tools are used to intentionally hack into a wireless network to detect security vulnerabilities. Examples of wireless hacking tools include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.
Network Scanning and Hacking Tools – Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples of scanning tools include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
Packet Crafting Tools – These tools are used to probe and test a firewall’s robustness using specifically crafted forged packets. Examples of such tools include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.
Packet Sniffers – These tools are used to capture and analyse packets within traditional Ethernet LANs or WLANs. Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip.
Rootkit Detectors – This is a directory and file integrity checker used by white hats to detect installed rootkits. Example tools include AIDE, Netfilter, and PF: OpenBSD Packet Filter.
Fuzzers to Search Vulnerabilities – Fuzzers are tools used by hackers when attempting to discover a computer system’s security vulnerabilities. Examples of fuzzers include Skipfish, Wapiti, and W3af.
Forensic Tools – These tools are used by white hat hackers to sniff out any trace of evidence existing in a particular computer system. Examples of tools include Sleuth Kit, Helix, Maltego, and Encase.
Debuggers – These tools are used by black hats to reverse engineer binary files when writing exploits. They are also used by white hats when analysing malware. Debugging tools include GDB, WinDbg, IDA Pro, and Immunity Debugger.
Hacking Operating Systems – These are specially designed operating systems preloaded with tools and technologies optimised for hacking. Examples of specially designed hacking operating systems include Kali Linux, SELinux, Knoppix, and BackBox Linux.
Encryption Tools – These tools safeguard the contents of an organisation’s data at rest and data in motion. Encryption tools use algorithm schemes to encode the data to prevent unauthorised access to the encrypted data. Examples of these tools include VeraCrypt, CipherShed, OpenSSH, OpenSSL, Tor, OpenVPN, and Stunnel.
Vulnerability Exploitation Tools – These tools identify whether a remote host is vulnerable to a security attack. Examples of vulnerability exploitation tools include Metasploit, Core Impact, sqlmap, Social Engineer Toolkit, and Netsparker.
Vulnerability Scanners – These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and scan VMs, BYOD devices, and client databases. Examples of tools include Nipper, Secunia PSI, Core Impact, Nessus v6, SAINT, and OpenVAS.

1.2.2.3 The tools used by hackers to carry out attacks

Eavesdropping Attack – This is when a hacker captures and “listens” to network traffic. This attack is also referred to as sniffing or snooping.
Data Modification Attack – If hackers have captured enterprise traffic, they can alter the data in the packet without the knowledge of the sender or receiver.
IP Address Spoofing Attack – A hacker constructs an IP packet that appears to originate from a valid address inside the corporate intranet.
Password-Based Attacks – If hackers discover a valid user account, the attackers have the same rights as the real user. Hackers could use that valid account to obtain lists of other users and network information. They could also change server and network configurations, and modify, reroute, or delete data.
Denial-of-Service Attack – A DoS attack prevents normal use of a computer or network by valid users. After gaining access to your network, a DoS attack can crash applications or network services. A DoS attack can also flood a computer or the entire network with traffic until a shutdown occurs because of the overload. A DoS attack can also block traffic, which results in a loss of access to network resources by authorised users.
Man-in-the-Middle Attack – This attack occurs when hackers have positioned themselves between a source and destination. They can now actively monitor, capture, and control the communication transparently.
Compromised-Key Attack – If a hacker obtains a secret key, that key is referred to as a compromised key. A compromised key can be used to gain access to a secured communication without the sender or receiver being aware of the attack.
Sniffer Attack – A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated (tunnelled) packets can be broken open and read unless they are encrypted and the attacker does not have access to the key.

1.2.3 Distinguish between the three most common types of malware

Virus – Malicious code that is attached to executable files, which are often legitimate programs. Most viruses require end user activation and can lie dormant for an extended period and then activate at a specific time or date.
Trojan Horse – Malware that carries out malicious operations under the guise of a desired function. A Trojan horse comes with malicious code hidden inside of it. This malicious code exploits the privileges of the user that runs it. Often, Trojans are found attached to online games.
Worms – Worms replicate themselves by independently exploiting vulnerabilities in networks. Worms usually slow down networks. Whereas a virus requires a host program to run, worms can run by themselves. Other than the initial infection, they no longer require user participation. After a host is infected, the worm is able to spread very quickly over the network.

1.2.3.6 Three major components of a worm attack

Enabling vulnerability – A worm installs itself using an exploit mechanism, such as an email attachment, an executable file, or a Trojan horse, on a vulnerable system.
Propagation mechanism – After gaining access to a device, the worm replicates itself and locates new targets.
Payload – Any malicious code that results in some action is a payload. Most often this is used to create a backdoor to the infected host or create a DoS attack.

1.2.4 Common network attacks include reconnaissance attacks, access attacks and denial of service attacks. What is the main purpose of each attack?

Reconnaissance Attacks – Known as information gathering. It is analogous to a thief surveying a neighbourhood by going door-to-door pretending to sell something. What the thief is actually doing is looking for vulnerable homes to break into, such as unoccupied residences, residences with easy-to-open doors or windows, and those residences without security systems or security cameras.
Access Attacks – Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information. Social engineering is an access attack that attempts to manipulate individuals into performing actions or divulging confidential information.
Denial of Service Attacks – Highly publicised network attacks. A DoS attack results in some sort of interruption of service to users, devices, or applications.

1.2.4.5 Understand the five common types of access attacks

Password attack – Hackers attempt to discover critical system passwords using various methods, such as social engineering, dictionary attacks, brute-force attacks, or network sniffing. Brute-force password attacks involve repeated attempts using tools such as Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.
Trust exploitation – A hacker uses unauthorised privilege to gain access to a system, possibly compromising the target.
Port redirection – This is when a hacker uses a compromised system as a base for attacks against other targets.
Man-in-the-middle attack – The hacker is positioned in between two legitimate entities in order to read or modify the data that passes between the two parties.
Buffer overflow – This is when a hacker exploits the buffer memory and overwhelms it with unexpected values. This usually renders the system inoperable, creating a DoS attack. It is estimated that one third of malicious attacks are the result of buffer overflows. A DoS attack is a type of access attack. DoS attacks will be discussed in detail later.
IP, MAC, DHCP Spoofing – Spoofing attacks are attacks in which one device attempts to pose as another by falsifying data. There are multiple types of spoofing attacks. For example, MAC address spoofing occurs when one computer accepts data packets based on the MAC address of another computer.

1.2.4.8 List the three early DoS attacks

Ping of Death – In this legacy attack, the attacker sent a ping of death, which was an echo request in an IP packet larger than the maximum packet size of 65,535 bytes. The receiving host would not be able to handle a packet of that size and it would crash.
Smurf Attack – In this legacy attack, a hacker sent a large number of ICMP requests to various recipients. Using multiple recipients amplified the attack. In addition, the packet source address contained a spoofed IP address of an intended target. This was a type of reflection attack because the echo replies would all be reflected back to the targeted host in an attempt to overwhelm it. Smurf attacks are mitigated with the no ip directed-broadcast command, which is a default interface setting as of Cisco IOS version 12.0. The reflection and amplification technique continues to be used in newer forms of attacks.
TCP SYN Flood Attack – In this type of attack, a hacker sends many TCP SYN session request packets with a spoofed source IP address to an intended target. The target device replies with a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP ACK packet. However, the responses never arrive, and the target hosts are overwhelmed with TCP half-open connections.

1.3.1.3 CIA

Cryptography ensures three components of information security:
Confidentiality – Uses encryption algorithms to encrypt and hide data.
Integrity – Uses hashing algorithms to ensure that data is unaltered during any operation.
Availability – Assures that data is accessible. This is guaranteed by network hardening mechanisms and backup systems.

1.3.2.1 12 network security domains specified by the ISO (International Organization for Standardization)/IEC (International Electrotechnical Commission)

There are 12 network security domains in the security framework specified by the International Organisation for Standardisation (ISO)/International Electrotechnical Commission (IEC). Described by ISO/IEC 27002, these 12 domains serve to organise.
Risk Assessment – This is the first step in the risk management process. It determines the quantitative and qualitative value of risk related to a specific situation or recognised threat.
Security Policy – A document that addresses the constraints and behaviours of members of an organisation and often specifies how data can be accessed and what data is accessible by whom.
Organisation of Information Security – This is the governance model set out by an organisation for information security.
Asset Management – This is an inventory of and classification scheme for information assets.
Human Resources Security – This addresses security proce...
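The TCP SYN flood and Smurf attacks under 1.2.4.8 are described from the attacker's side; this added example (not from the study guide or the Cisco course) shows what a defender looks for on the wire. It walks constructed tcpdump-style summary lines, follows each TCP flow through the three-way handshake to count connections stuck half-open per target, and counts echo requests aimed at the broadcast address of an owned subnet. The line format, the addresses and OWN_NETWORKS are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed tcpdump-style summary lines (not a real capture): one completed
# handshake from 10.0.0.5, five SYNs against 192.0.2.10:80 from spoofed
# 198.51.100.x sources that never ACK, and three echo requests to a broadcast.
SAMPLE_LINES = (
    ["IP 10.0.0.5.40001 > 192.0.2.10.80: Flags [S]",
     "IP 192.0.2.10.80 > 10.0.0.5.40001: Flags [S.]",
     "IP 10.0.0.5.40001 > 192.0.2.10.80: Flags [.]"]
    + [f"IP 198.51.100.{i}.{1000 + i} > 192.0.2.10.80: Flags [S]" for i in range(1, 6)]
    + [f"IP 192.0.2.10.80 > 198.51.100.{i}.{1000 + i}: Flags [S.]" for i in range(1, 6)]
    + ["IP 203.0.113.7 > 192.0.2.255: ICMP echo request"] * 3
)
# Subnets the defender owns (assumed); their broadcast addresses are what Smurf abuses.
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
TCP_RE = re.compile(rf"^IP {IPV4}\.(\d+) > {IPV4}\.(\d+): Flags \[([^\]]*)\]")
ICMP_RE = re.compile(rf"^IP {IPV4} > {IPV4}: ICMP echo request")


def tcp_half_open(lines):
    """Per target, count flows stuck after SYN-ACK: the target answered but no ACK
    came back, which is the state a SYN flood with spoofed sources leaves behind."""
    state = {}  # (client, cport, server, sport) -> "syn" | "synack" | "open"
    for line in lines:
        m = TCP_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":                    # client SYN opens the flow
            state[(src, sport, dst, dport)] = "syn"
        elif flags == "S.":                 # server SYN-ACK, keyed by the client side
            key = (dst, dport, src, sport)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif "." in flags:                  # client ACK completes the handshake
            key = (src, sport, dst, dport)
            if state.get(key) == "synack":
                state[key] = "open"
    half_open = Counter()
    for (_, _, server, sport), st in state.items():
        if st == "synack":
            half_open[f"{server}:{sport}"] += 1
    return half_open


def directed_broadcast_echo(lines, networks):
    """Count ICMP echo requests aimed at an owned subnet's broadcast address, the
    pattern a Smurf reflector sees and that `no ip directed-broadcast` stops."""
    hits = Counter()
    for line in lines:
        m = ICMP_RE.match(line)
        if m and any(ipaddress.ip_address(m.group(2)) == n.broadcast_address for n in networks):
            hits[(m.group(1), m.group(2))] += 1
    return hits
```

On a real sensor the half-open count per target would be compared against a threshold tuned for that host, since a busy server legitimately holds some half-open connections at any moment.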

