Chapter 12 - Secure Communications and Network Attacks Flashcards

1
Q

At which OSI model layer does the IPSec protocol function?

A

Network

2
Q

When you are designing a security system for Internet-delivered email, which one is the least important?

A

Availability

3
Q

What needs to be discussed with end users in regard to email retention policies?

A

If email is to be retained (backed up and stored in archives for future use), users need to be informed. If email is to be reviewed for violations by an auditor, users need to be informed as well. End users may not need to know the specifics of email management, but they need to know whether email is considered private communication.

4
Q

Why is spam so difficult to stop?

A

Because the source of the message is usually spoofed.

5
Q

In addition to maintaining an updated system and controlling physical access, which one is the most effective countermeasure against PBX fraud and abuse?

A

Changing default passwords

6
Q

Differences between link encryption and end-to-end encryption

A

Link encryption, which is sometimes called online encryption, is usually provided by service providers and is incorporated into network protocols. All of the information is encrypted, including headers and trailers, and the packets must be decrypted at each hop so the router, or other intermediate device, knows where to send the packet next. The router must decrypt the header portion of the packet, read the routing and address information within the header, and then re-encrypt it and send it on its way.

With end-to-end encryption, the packets do not need to be decrypted and then encrypted again at each hop, because the headers and trailers are not encrypted. The devices in between the origin and destination just read the necessary routing information and pass the packets on their way.

End-to-end encryption is usually initiated by the user of the originating computer. It provides more flexibility for the user to be able to determine whether or not certain messages will get encrypted. It is called “end-to-end encryption” because the message stays encrypted from one end of its journey to the other. Link encryption has to decrypt the packets at every device between the two ends.

Link encryption occurs at the data link and physical layers. Hardware encryption devices interface with the physical layer and encrypt all data that pass through them. Because no part of the data is available to an attacker, the attacker cannot learn basic information about how data flows through the environment. This is referred to as traffic-flow security.

7
Q

Definition of enumeration

A

Enumeration is the process of finding NetBIOS user names, computer names, workgroup names and domain names.

Other types of enumeration can include SNMP, SMTP, NTP, LDAP, Unix/Linux and DNS enumeration.

Basically, enumeration is the process of gathering as much information as possible by collecting everything that systems give out freely or that can be captured from unencrypted network traffic.

8
Q

ARP cache poisoning/ARP spoofing

A

ARP spoofing, also known as ARP cache poisoning or ARP poison routing (APR), is a technique used to attack a local-area network (LAN). ARP spoofing may allow an attacker to intercept data frames on a LAN, modify the traffic, or stop the traffic altogether. The attack can only be used on networks that make use of the Address Resolution Protocol (ARP) and not another method of address resolution.
The principle of ARP spoofing is to send fake, or spoofed, ARP messages onto a LAN. Generally, the aim is to associate the attacker’s MAC address with the IP address of another host (such as the default gateway).
Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (interception) or modify the data before forwarding it (man-in-the-middle attack). The attacker could also launch a denial-of-service attack against a victim by associating a nonexistent MAC address to the IP address of the victim’s default gateway.
ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker’s machine that is connected directly to the target LAN.

Legitimate usage

ARP spoofing can also be used for legitimate purposes. For instance, network registration tools may redirect unregistered hosts to a signup page before allowing them full access to the network. This technique is used in hotels and other semi-public networks to allow traveling laptop users to access the Internet through a device known as a head end processor (HEP).
ARP spoofing can also be used to implement redundancy of network services. A backup server may use ARP spoofing to take over for a defective server and transparently offer redundancy.

9
Q

Smurf Attack

A

A Smurf attack is also a type of DoS attack. It involves sending a flood of ICMP packets with a spoofed source IP address to broadcast addresses, causing a storm of traffic when the systems respond.

10
Q

Teardrop Attack

A

The Teardrop attack involves sending IP fragments with overlapping fragment offset numbers, so that when the victim's computer tries to reassemble the IP fragments, the target crashes. It doesn't know how to handle the improperly numbered fragments.

11
Q

Firewalking

A

Firewalking is a term used to describe how internal networks can be mapped from outside a firewall-protected network by sending crafted ICMP packets with their TTL (Time To Live) set to the number of hops to the external interface of the external firewall.
The goal is to elicit ICMP Time Exceeded messages (Type 11, Code 0; technically it's TTL Exceeded).

Basically, the attacker would traceroute to the border firewall to determine the number of hops (hop count) to the external interface of the target network. He would then send ICMP packets with their TTL set to that number plus one or more and gather the ICMP Time Exceeded packets to map out the internal network.

12
Q

For your exam you should know the information below about the IPSec protocol:

A

The IP network layer packet security protocol establishes VPNs via transport and tunnel mode encryption methods.
In transport mode, the data portion of each packet is encrypted. Encryption within IPSec is provided by the Encapsulating Security Payload (ESP); it is ESP that provides confidentiality over the process.
In tunnel mode, the ESP payload and its headers are encrypted. To achieve non-repudiation, an additional Authentication Header (AH) is applied.

In establishing IPSec sessions in either mode, Security Associations (SAs) are established. An SA defines which security parameters should be applied between the communicating parties, such as encryption algorithms, key initialization vectors and key lifetimes, within either the ESP or AH header respectively. An SA is established when a 32-bit Security Parameter Index (SPI) field is defined within the sending host. The SPI is a unique identifier that enables the sending host to reference the security parameters to apply, as specified, on the receiving host.

IPSec can be made more secure by using asymmetric encryption through the use of Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows automated key management, use of public keys, and the negotiation, establishment, modification and deletion of SAs and their attributes. For authentication, the sender uses digital certificates. The connection is made secure by supporting the generation, authentication and distribution of the SAs and the cryptographic keys.

13
Q

Which of the following PBX features supports shared extensions among several devices, ensuring that only one device at a time can use an extension?

A

Privacy release supports shared extensions among several devices, ensuring that only one device at a time can use an extension.

14
Q

In an SSL session between a client and a server, who is responsible for generating the master secret that will be used as a seed to generate the symmetric keys used during the session?

A

Once the merchant server has been authenticated by the browser client, the browser generates a master secret that is to be shared only between the server and client. This secret serves as a seed to generate the session (private) keys. The master secret is then encrypted with the merchant’s public key and sent to the server. The fact that the master secret is generated by the client’s browser provides the client assurance that the server is not reusing keys that would have been used in a previous session with another client.

15
Q

Blue boxing

A

Hackers used an automated tone simulator to produce tones that telephone switches perceived as authorization for long-distance charges.

16
Q

HTTPS vs S-HTTP

A

S-HTTP and HTTPS are both used for encryption, but HTTPS is used to encrypt a channel between two systems, and S-HTTP is used to encrypt individual messages.

17
Q

Shared Key Authentication (SKA)

A

SKA means that the AP will authenticate the wireless device only if it proves that it has the necessary WEP key. The same key is used for encrypting data before it is sent over the airwaves.