CH-9 Virus Scanners Flashcards

1
Q

What Are Virus Scanners Used For?

A
  • To prevent a virus from infecting the system
  • Run continuously and/or on-demand
  • Search for recognizing characteristics of a known virus
  • Virus Scanner and anti-spyware software work according to the same principles, and both are often integrated into a single app.
2
Q

How do Virus Scanners Work?

A

Scanners work in two ways:

– Signature matching (definitions): Scans host, network, and email for a match

  • List of all known virus definitions
  • Updating consists of replacing this file

– Behavior matching (heuristic):

  • Attempts to write to the boot sector
  • Changing system files
  • Automated email sending
  • Self-multiplying
3
Q

Enumerate Virus Scanning Techniques

A
  • E-mail and attachment scanning
  • Download scanning
  • File scanning
  • Heuristic scanning
  • Sandboxing
  • Machine learning
4
Q

What is a Firewall and what does it do?

A

A barrier between your network and the outside world.

It filters packets based on:
– Size
– Source IP
– Protocol
– Destination port

■ Need dedicated firewall between trusted network and untrusted network
■ Firewalls can be hardware or software (and both can be used together)
■ Types include Packet Filter, Stateful Packet Inspection, and Application

5
Q

What is Firewall Stateful Packet Inspection?

A

Stateful inspection (also known as dynamic packet filtering)

  • Monitors the active connections on a network.
  • Determines which network packets should be allowed through based on information regarding active connections.

Stateful inspection keeps track of each connection and constantly checks whether it is still valid.

6
Q

What is an Application Firewall?

A
  • An enhanced firewall that limits access at the application level
  • Controls the execution of files or the handling of data by specific applications
  • By being aware of specific applications, it can watch for known malicious traffic

Ex: Oracle Web Application Firewall (WAF) protects web-facing applications from DDoS attacks and utilizes F5 Networks to decrypt and inspect traffic before it enters the network.

7
Q

What is a Host-Based Firewall Configuration?

A

– Software solution installed on an existing operating system
– Weakness: It relies on the OS
– Must harden the existing operating system

8
Q

What is a Dual-Homed Host Firewall Configuration?

A

– Installed on a server with at least two network interfaces
– Systems inside and outside the firewall can communicate with the dual-homed host, not with each other
– Dual-homed hosts are great targets for attack since they can bridge networks

9
Q

What is a Router-Based Firewall Configuration used for?

A
  • Small Office/ Home Office (SOHO)
  • SPI for mid-large enterprise devices
10
Q

What is SPI?

A

Serial Peripheral Interface: interface bus commonly used to send data between microcontrollers and small peripherals such as shift registers, sensors, and SD cards. It uses separate clock and data lines, along with a select line to choose the device you wish to talk to.

11
Q

Describe Firewall as a Service

A

– Emerging cloud-based firewalls
– Protects 3rd-party cloud services and infrastructure
– All traffic to and from your cloud services must pass through the FWaaS
– Addresses the challenges that cloud services create for a secure perimeter

12
Q

What is a good source for the IT solutions landscape?

A

Gartner Magic Quadrant

13
Q

What are Firewall Logs?

A
  • All firewalls log activity
  • Logs can provide valuable information
  • Can locate the source of an attack
  • Can prevent a future attack
  • Can be manually reviewed or analyzed in real-time by SIEMs
14
Q

What is SIEM?

A

Security information and event management

SIEM tools are an important part of the data security ecosystem: they aggregate data from multiple systems and analyze that data to catch abnormal behavior or potential cyberattacks.

SIEM tools provide a central place to collect events and alerts – but can be expensive, resource-intensive, and customers report that it is often difficult to resolve problems with SIEM data.

15
Q

What is Demilitarized Zone (DMZ) in Data Security?

A
  • Adds an additional layer of security to an organization’s local area network (LAN)
  • Segregates computers on each side of a firewall
  • Exposes an organization’s external-facing services to an untrusted network
    • Usually, a larger network such as the Internet
  • If a server in a DMZ is hacked, the hacker does not have access to the internal network
16
Q

What Firewalls Can and Cannot Do?

A
  • can protect an environment only if they control the entire perimeter
  • do not protect data outside the perimeter
  • offer no control over content (or malware) once it is admitted to the inside
  • are the most visible part of a network to the outside, so they are an attractive target for attack
  • must be correctly configured; that configuration must be updated as the environment changes
17
Q

What is Network Address Translation (NAT)?

A

A method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device.

Essential tool in conserving global IPv4 address space
– Allows one Internet routable IP address to be shared by many computers

Protects against outsiders gaining internal IP information
– They only see the one shared public IP address

18
Q

What is Data Loss Prevention (DLP)?

A

DLP is a set of technologies that can detect and possibly prevent attempts to send sensitive data where it is not allowed.

Indicators DLP looks for:
– Keywords or patterns, e.g. numbers in the format XXX XX XXXX
– Traffic patterns, e.g. bulk file transfers or data sent to China/Russia
– Unauthorized encoding/encryption

19
Q

What do Intrusion Detection Systems (IDS) do?

A

Intrusion detection systems (IDS)

  • Inspects all inbound and outbound internet traffic
  • Scans for patterns that might indicate an attempted break-in
20
Q

Describe IDS Categorization

A
  • Misuse detection versus anomaly detection
  • Passive systems versus active (aka intrusion prevention) systems
  • Network-based systems versus host-based systems
21
Q

Differences: IDS vs SIEM

A
  • An IDS focuses on incoming and outgoing Internet traffic
  • A SIEM correlates info from many sources, e.g. IDS data and system logs
22
Q

Describe IDS Preemptive Blocking

A
  • Called banishment vigilance
  • Seeks to prevent intrusions before they occur
  • Notes any sign of impending threats and blocks the user or IP
  • Risk of blocking legitimate users
23
Q

Describe IDS Intrusion Deflection

A
  • Also called a “honeypot”
  • Set up an alluring but fake system (e.g. an unpatched server named Finance1)
  • Lure the attacker into the system and monitor attacker’s activity
  • Similar to a sting operation in law enforcement
24
Q

Describe IDS Intrusion Deterrence

A
  • Attempt to make the system a less interesting target
    • Less attractive: hide the valuable assets
    • Extra secure: e.g. warnings of advanced monitoring
  • Make potential reward seem difficult to attain (low ROI)
25
Q

What are Authentication Protocols Used For?

A
  • Authentication protocols are used to verify a user’s identity
  • After verifying identity, a user is granted access to authorized resources

Kerberos is used widely, particularly with Microsoft operating systems

  • Authentication Server validates username and password sent by user and gives the user the ability to request tickets from the Ticket Granting Service
  • TGS gives user ability to request access to specific resources
  • A service ticket is required for each resource a user wishes to access
26
Q

What is Identity and Access Management (IAM)?

A

Policies and technologies that facilitate the management of electronic or digital identities.

Systems used for IAM include:

  • single sign-on systems
  • two-factor authentication
  • multifactor authentication
  • privileged access management

  • Objective is to ensure there is one digital identity per individual or item
  • Manages access across multiple on-prem and cloud systems and applications
27
Q

What Does Multi-factor Authentication Include?

A

■ Something you know
■ Something you have
■ Something you are

28
Q

Describe Types of Biometrics

A

■ Fingerprints
■ Retina
■ Voice
■ Handwriting
■ Face Recognition

29
Q

Describe the Traditional Problems With Biometrics

A
  • Intrusive
  • Expensive
  • Single point of failure
  • Sampling error
  • False readings
  • Speed
30
Q

What Does a Virtual Private Network (VPN) Do?

A

■ Extends a private network across an untrusted public network
■ Data packets are encapsulated and encrypted
■ Users and systems can communicate over VPN as if they were co-located
■ Protocols include PPTP, L2TP, IPSec, and SSL/TLS

31
Q

Describe VPN Protocols:

PPTP, L2TP, IPSec, and SSL/TLS

A

PPTP (Point-to-Point Tunneling Protocol): PPTP is a staple of VPN connections.

  • Old and insecure… honestly, just avoid it

L2TP (Layer 2 Tunneling Protocol): it only provides tunneling – bundling up data for private transportation over public networks. Naturally, tunneling wouldn’t be worth much if the data wasn’t encrypted. That’s why L2TP is used together with IPsec.

  • Do NOT recommend setting up an L2TP VPN connection due to its inferiority to other VPN protocols available at this time.

SSL (Secure Sockets Layer):

  • Secure, with less overhead than L2TP/IPSec
  • By using same ports as HTTPS, it’s generally not blocked by firewalls

TLS (Transport Layer Security): an updated form of SSL, a successor if you will.

32
Q

Describe WiFi Wired Equivalent Privacy (WEP) Protocol

A
  • WEP can be hacked within a couple of minutes of listening to WiFi traffic
  • Uses a 128-bit encryption key (technically a 104-bit key with a 24-bit “Initialization Vector”)
  • No longer used
33
Q

Describe WiFi Protected Access Protocol (WPA1/2)

A

WPA1 uses Temporal Key Integrity Protocol (TKIP)

  • TKIP is an upgrade to WEP that supports a 128-bit per-packet key
  • It addresses the WEP vulnerability by generating a new key for each packet
  • The TKIP algorithm has multiple known vulnerabilities

WPA2 uses Advanced Encryption Standard (AES)

  • AES is not related to WEP/TKIP and supports keys up to 256 bits
  • Primary encryption for the US Federal government and NASA
  • AES itself does not have any known vulnerabilities
34
Q

WiFi Vulnerabilities in WPA1 & WPA2

A

■ WPA passphrase hashes are seeded from the SSID name and its length

  • Rainbow tables exist for top 1,000 network SSIDs and common passwords

■ Once the key is hacked, attackers can decrypt all packets, past, present, and future

  • Devices with the key can freely attack other connected devices

■ Packets can be injected into client sessions and used for port scanning, etc.
■ KRACK repeatedly resets IV (initialization vector), matching packets and eventually determining the key

35
Q

What is SSID?

A

SSID is simply the technical term for a Wi-Fi network name. When you set up a wireless home network, you give it a name to distinguish it from other networks in your neighborhood. You’ll see this name when you connect your devices to your wireless network.

36
Q

What is an initialization vector in WiFi?

A

An initialization vector is a random number used in combination with a secret key as a means to encrypt data. This number is sometimes referred to as a nonce, or “number occurring once,” as an encryption program uses it only once per session.

37
Q

What is WPA3?

A

WPA3, also known as Wi-Fi Protected Access 3, is the third iteration of a security certification program developed by the Wi-Fi Alliance.

WPA3 is the latest, updated implementation of WPA2, which has been in use since 2004.

38
Q

How to Secure Wireless Devices?

A
  • Ensure access points are up to date with patches
  • Ensure WPA3 is used, if available
  • Verify that rogue access points are not present
  • Ensure policies are in place and users are trained
  • Can be incorporated into Acceptable Use policy
  • As an extra precaution, be sure to only send private data over HTTPS/SSL connections