Chapter 10 Flashcards
1
Q
Two ways to protect malware (and their advantages and disadvantages):
A
1) signature-based
Advantage: Accuracy is really high.
Disadvantage: You will miss new attacks, they can easily pass checking.
2) anomaly-based
compares against baseline traffic on network
Advantage: Accomodates new types of attacks
Disadvantage: “operation i usually see is different”
May generate false positive
2
Q
Where to focus for Network Security (4 points)?
A
- Protecting networks
- Protecting network traffic
- Mobile device security
- Network security tools
3
Q
A well-configured and patched network is the _______ of any security program
A
foundation
4
Q
What is Network segmentation?
A
• Divide a network into multiple smaller independent networks, called a subnet
5
Q
How can we control the flow of traffic between subnets?
A
o Allowing or disallowing traffic
o Blocking the traffic entirely
6
Q
We can control traffic flow within the subnet for _______ purposes
A
troubleshooting
7
Q
True or False: Traffic monitoring is easier in subnets
A
True
8
Q
Why do we funnel Network Traffic through choke points?
A
to inspect, filter, and control the traffic
9
Q
What are Choke points?
A
o Routers that move traffic from one subnet to another
o Firewalls or proxies that control traffic moving within, into, or out of our networks or portions of our networks
o Application proxies that filter the traffic for particular applications such as Web or e-mail traffic
10
Q
Choke points come with some risk because if they ____ the network is _______
A
fail
compromised
“Choke points come with some risk because if they fail the network is compromised”
11
Q
Redundancy helps to…
A
mitigate risk to our networks
12
Q
Technical issues or attacks may impact network _______ devices; hence, network operations.
A
infrastructure
13
Q
Good network design considers planned ________ for devices failing, connectivity loss etc.
A
redundancy
14
Q
Give an example of planning for redundancy:
A
In the even of a DDoS attack to a border device:
oRedundancy will allow us switch to a different connection to the Internet, or toute traffic through a different device until we solve current issue
15
Q
What is a firewall?
A
A mechanism for maintaining control over the traffic that flows into and out of our network
16
Q
Where should we place firewalls, typically?
A
- Typically on the border between our internal network and the Internet
- Can also be placed within our network for access control
17
Q
What should we filter with firewalls?
A
Based on a variety of factors and largely depends on the complexity of the firewall
• Example: we may allow Web and e-mail traffic to pass, but block everything else
18
Q
What is Packet Filtering?
A
- Inspecting contents of each packet individually to make a decision
- Based on the source and destination IP addresses, the port number, and the protocol being used
19
Q
_____ _______ is one of the oldest and simplest of firewall technologies
A
Packet Filtering
20
Q
Which firewall has the disadvantage that “it is possible to slip attacks through this type of firewall as packets are inspected individually”
A
Packet Filtering
21
Q
What is the function of a Stateful Firewall?
A
Same working principle as in packet filtering, but a Stateful Firewall keeps track of the traffic at a granular level
22
Q
A stateful firewall is able to watch the traffic over a ____ _______.
A
given connection
23
Q
The connection state, as monitored by a stateful firewall, is maintained in a ____ ____.
A
state table
24
Q
A given connection is defined by:
A
the source and destination IP addresses, the ports being used, and the already existing network traffic
25
True or False? A stateful firewall allows traffic that is part of a new or already established connection.
True
26
Difference between stateful firewall and packet inspection?
Stateful firewall assesses an entire connection while packet inspection is about inspecting individual packets
Best security policy is to put these two together
27
Most stateful firewalls can also function as a _____ ______ firewall, often combining the two forms of filtering.
packet filtering
28
A stateful firewall that also has a packet filtering component can do the following (2 objectives):
* Can identify and track the traffic related to a particular user initiated connection to a Web site
* Knows when the connection has been closed and further traffic should not legitimately be present
29
Example of a scanning tool?
Nmap
30
True or False: Packet filtering and stateful firewalls only inspect the structure of packets without inspecting the content.
True
31
______ adds extra layer of intelligence to firewalls through packet-content inspection.
Deep Packet Inspection
32
Deep Packet Inspection can block a large number of attacks at the price of ____.
delay
33
Deep Packet Inspection introduces ______ issue as content of our packets are inspected.
privacy
34
Proxy servers are...
A specialized variant of a firewall that can serve as a choke point
35
Proxy servers offer these functionalities (2):
* Offer security and performance by filtering unwanted traffic
* Allow us to log the traffic that goes through them for later inspection
36
What are some applications of proxy servers (3)?
Applications:
| •Spam, Web traffic, and malware filtering
37
True of False: Nmap is a very useful tool for both OS and network
True
38
What is a Demilitarized Zone (DMZ) as it pertains to network security?
A combination of a network design feature and a protective device such as a firewall
39
What are DMZs used for?
Used to offer security for mail servers, proxy servers, software as a service application, and Web servers
40
Draw a diagram of a DMZ
https://i.imgur.com/oiFFYDN.png
41
What does IDS stand for in network security?
Intrusion Detection Systems
42
What is penetration testing?
Actively trying to break the system and analyze its level of security that way
43
What does an Intrusion Detection System do?
monitors networks, hosts, or applications to which it is connected for unauthorized activity
44
What are 3 types of IDS?
* Host-based intrusion detection systems (HIDSes)
* Application protocol-based intrusion detection systems (APIDSes)
* Network-based intrusion detection systems (NIDSes)
45
What does NIDSes stand for?
Network-based intrusion detection systems
46
What does APIDSes stand for?
Application protocol-based intrusion detection systems
47
What does HIDSes stand for?
Host-based intrusion detection systems
48
Placement of ______ important to efficiently monitor ongoing network traffic without overwhelming the _____.
NIDSes
Placement of NIDSes important to efficiently monitor ongoing network traffic without overwhelming the NIDSes.
49
Draw a diagram of an IDS:
https://i.imgur.com/ureBoKc.png
50
NIDSes may miss _____ _____ _____.
packet crafting attacks
51
What are packet crafting attacks?
* specifically designed packets of traffic that carry attacks or malicious code
* designed to avoid detection by IDSes, firewalls, and other similar devices
52
Common defense in-depth security program combine _____ and _____.
firewalls and IDSs
53
What is the difference between Signature-based detection and Anomaly-based detection in an IDS? (diagram)
https://i.imgur.com/gIHZNre.png
54
True of false: Signature-based detection does not work similar to most antivirus systems.
False: Signature-based detection does works similar to most antivirus systems.
55
Signature-based detection maintains a database of _____ that signal a particular type of attack
It compares incoming traffic to those signatures.
signatures
56
Signature-based detection is usually precise if the signature _______ is up-to-date
database
57
True of False: Attackers may test crafted packets on the same IDS tools that we use to avoid our security measures
True
58
Anomaly-based detection uses a ______ of normal traffic and activity on the network
baseline
59
________-based detection measures the present state of traffic against this baseline
Anomaly
60
True or False: Anomaly-based detection is useful to detect new attacks or attacks that have been deliberately assembled to avoid IDSes.
True
61
What is a disadvantage of anomaly-based detection?
It has a high rate of false positives compared to the signature-based IDSes (if the traffic on the network changes from the baseline, anomaly-based detection may consider that as an attack)
62
True or False: we can combine both detection anomaly-based and signature-based methods.
True
63
When data travel across networks it can be exposed to _____ people. (If we use applications or protocols that do not encrypt what they are sending over the network)
unwanted
64
A ______ network is more prone to attack.
Wireless
An open wireless network for public access does not offer any encryption.
65
How can we ensure protection over wireless networks?
Deploy VPNs
66
Virtual private networks allow us to...
send sensitive traffic over unsecure networks
67
True or False: VPNs can create a secure connection to the private network of an organization
True
68
Draw a diagram of a VPN:
https://i.imgur.com/RpH3CpA.png
69
A VPN connection is called a ______.
tunnel (An encrypted connection between two end points)
70
In one end of the connection there is a VPN _____ application and the other end hosts a VPN ______.
client
concentrator
In one end of the connection there is a VPN client application and the other end hosts a VPN concentrator.
71
The client uses a software to authenticate to the VPN ______.
concentrator
72
What are the advantages of VPN?
* Allow us access the internal resources of our organization
* Protect traffic that is sent over untrusted connections
* Allowing us to protect the contents of traffic
o from logging by our ISPs or being sniffed by others on the same network, to obscure our geographical location and bypass location oriented blocking
•Useful in peer-to-peer (P2P) file-sharing services
o VPNs can allow both the traffic and the actual IP addresses to remain hidden
73
What is a Rogue access point (RAP)?
placing an access point on our wireless network without authorization
74
True or False: If a RAP is set up with poor or no security, it will allow anyone within range of the access point access our network.
True
75
How can we Avoid Rogue access points (RAPs)?
Carefully document the legitimate devices that are part of our wireless network infrastructure and regularly scan for additional devices using wireless scanning tool
76
How can we protect traffic passing through the legitimate devices in our network?
Data encryption
77
The most common encryption for 802.11 devices
| are (3):
o Wired Equivalent Privacy (WEP)
o Wi-Fi Protected Access (WPA), and
o Wi-Fi Protected Access version 2 (WPA2)
78
____ is the most current encryption and offers the strongest inherent security.
WPA2
79
File Transfer Protocol (FTP) is for ______ ____.
transferring file
80
_____ is for interacting with remote machines.
Telnet
81
Post Office Protocol (POP) for _____ ___.
retrieving e-mail
82
True or False: We must use Secure Shell (SSH) instead of Telnet.
True
83
We must use _______________ instead of FTP, which is also SSH based.
Secure File Transfer Protocol (SFTP)
84
SSH supports many types of traffic over it such as (3 items):
o It can be used for file transfers and terminal access
o when connecting to a remote desktop
o communicating over a VPN
85
The encryption used by SSH is ____, a public key encryption algorithm
RSA
86
What is RSA?
a public key encryption algorithm
87
What is a mobile device?
Any device that can access external systems or be acceded while not behind the organizations’ security infrastructure
o Smartphones, tablets, smartwatches, USB, laptops, etc
88
What are Applications of a mobile device?
Send and receive e-mail, surf the web, manipulate documents, play videos, listen to music, play games, etc.
89
What are some characteristics of a mobile device?
o Powerful hardware resources and capabilities
o Connected to a network of some variety at all times
o They move in and out of environments with regularity
o Store and transmit data without notice
o May or may not be compliant with basic security measures
90
What do we want to manage for mobile devices?
oPatching and software upgrades
oForce changing of passwords at some interval
oRegulate and track installed software
oAdjust settings to a standard dictated by our policies
91
An MDM solution mostly utilize an agent on the mobile device to enforce a certain configuration. These agents...
o Regulate access to enterprise resources, such as e-mail, calendaring, or network resources
o Can discontinue access by the client
92
Many MDM solutions enable the device to be remotely ____ or disabled.
wiped
93
In order to reduce load on administrative resources and enable a greater uniformity across devices...
we can try to manage both mobile and nonmobile devices using the same tools and techniques
94
BYOD (Bring Your Own Device)
An organization’s strategy and policies regarding the use of personal versus corporate devices either:
oAllow only corporate-owned devices to interact with enterprise resources
oAllow only personal devices
oAny combination in between
95
Allow only Corporate-owned Devices
Enables more uniform and secure base of mobile devices for the organization to manage
Management and policies:
o We may disallow the use of personal e-mail and file-sharing applications
o Disable the capability of installing new applications that are not business related
o We can also force users to install updates and security patches, and change their password regularly
96
Disadvantages of Allowing only Personal Devices:
•not easy to deploy a uniform and secure MDM
We can have a minimal control over personal devices
o For example, connecting them to a centralized mail server, such as Microsoft Exchange
•Good choice for a very small organization with minimal resources to administer a complex mobile infrastructure
97
To enable a balance between cost and risk management
Allow Personal and Corporate-owned Devices
98
We deploy penetration testing in a regular basis to...
o To catch up with the environmental changes
| o To accommodate new attacks
99
We can test security tools using a Security Live CD distributions that come with all of the tools preconfigured
Give an example.
For example: Kali
100
To detect unauthorized devices like Rogue APs, some software we can use are (3 examples):
Kismet:
oRuns on Linux and can be found on the Kali distribution
oCommonly used to detect wireless APs
•NetStumbler:
oSimilar to Kismet; runs on Windows
•coWPAttyand Aircrack-NG
o To break through the different varieties of encryption
o Cracking WEP, WPA, and WPA2
101
What are port scanners?
tools for discovering the networks and systems that are in our environment
102
Two main categories of scanners:
o port scanners
| o vulnerability scanners
103
What is Network mapper (Nmap)?
o a port scanner
o can also search for hosts on a network
o Identify the operating systems those hosts are running
o detect the versions of the services running on open ports
104
What are packet sniffers?
Tools that sniff network traffic
105
What is Tcpdump?
o A command-line tool that allows us to monitor the activities of the network to which we are attached
o Can filter traffic
o Usually runs only on UNIX-like operating systems
o A version has been ported to Windows, called WinDum
106
What is Wireshark?
o Capable of intercepting traffic from a wide variety of wired and wireless sources
o It includes a large number of filtering, sorting, and analysis tools
o Can also import data from other applications like Tcpdump
o Agreat tool for troubleshooting traffic on the networ
107
_____ is a specialized wireless networks sniffer
Kismet
108
_______ ______ ______ from Fluke Networks is a hardware packet sniffer
OptiViewPortable Network Analyzer
| usually very expensive and well beyond the budget of the average network or security professional
109
What is a honeypot?
A honeypot can detect, monitor, and sometimes tamper with the activities of an attacker
110
Honeypots are configured to deliberately display ______ to attract an attacker
vulnerabilities
111
Examples of honeypots (3):
o An intentionally vulnerable service
o An outdated and unpatched operating system
o A network share named “top secret UFO documents”
112
We deploy honeypots to...
o To provide an early warning system for a corporation
o As a method of researching what methods attackers are using
o As an intentional target to monitor the activities of malware in the wild
113
______ are collections of honeypots with varying configurations and vulnerabilities
Honeynets
114
Honeynets generally come with some centralized instrumentation for ______ all the honeypots on the network
monitoring
115
True or False: Honeynets can be particularly useful for large-scale monitoring of malware activity
True
116
The firewall tool Hping3 can:
• Can construct specially crafted Internet Control Message Protocol (ICMP) packets for firewall testing
• We can also script the activities of Hping3 to test the responses of firewalls and IDSes
o To get an idea of the rules on which they are operating
• It can perform port scanning
117
Network-focused business (eBay and Amazon) must...
o Must have rigid security measures in place
| o Must continuously evaluate them in order to find weaknesses
118
Secure network design involves:
- Segmentation, Choke points, and Redundancy
| - Implement security devices such as firewalls and IDSes to protect us both inside and outside our networks
119
We protect our traffic by...
o We use VPNs to secure our connections over untrusted networks
o We can use security measures specific to wireless networks
o We can make use of secure protocols as a general security measure
120
We use security tools:
o Kismet or NetStumbler in wireless networks
o Wiresharkor Tcpdumpto network trafficoNmapto scan network devices
o hping3 to test firewalls
121
We place honeypots:
o To attract and study attackers and their tools and to alert us to their presence
122
The _____ of an IDS is import for efficient network monitoring
a. Features
b. Processing power
c. Placement
d. Memory
c.Placement
123
An unauthorized Access Point in a wireless network is called a:
a. Sniffer
b. Rogue
c. Booster
d. None of the above
b.Rogue
124
The most common protocol for wireless devices is
a. 802.16
b. 802.15
c. 802.11
d. 802.20
c.802.11
125
Secure Shell (SSH) uses ______ encryption algorithm
a. DES
b. DES3
c. RSA
d. RSA3
c.RSA
126
Nmap stands for
a. Nice map
b. Niche map
c. Network map
d. Network mapper
d.Network mapper
127
What are the drawbacks of Network-based Intrusion Detection Systems?
Answer: NIDSes may miss to detect packet crafting attacks. They may suffer from false positive. They may not process encrypted packets.
128
Compare and contrast signature-based and anomaly-based IDS detection methods?
Answer: Signature-based IDSes maintain a database of the signatures that might signal a particular type of attack and compare incoming traffic to those signatures. The problem is in case of a new type of attack it may fail to detect that attack. Anomaly-based IDSes typically work by taking a baseline of the normal traffic and activity taking place on the network. They can measure the present state of traffic on the network against
this baseline to detect attack. They are better to detect new attacks.
129
What are the advantages of using VPNs?
Answer: VPNs offer a secure connection between two end points over an untrusted network. Also, they protect the content of traffic. VPNs are useful in peer-to-peer file sharing/
