COURSE 3 - Connect and Protect: Networks and Network Security Flashcards by Nahman L

A _______ is a network device that broadcasts information to every device on the network. Think of a hub like a radio tower that broadcasts a signal to any radio tuned to the correct frequency.

hub

How well did you know this?

Not at all

Perfectly

A _________ makes connections between specific devices on a network by sending and receiving data between them. A _________ is more intelligent than a hub. It only passes data to the intended destination. This makes _________es more secure than hubs, and enables them to control the flow of traffic and improve network performance.

switch

How well did you know this?

Not at all

Perfectly

A ___________ is a network device that connects multiple networks together.

For example, if a computer in one network wants to send information to a tablet on another network, then the information will be transferred as follows: First, the information travels from the computer to the _________. Then, the _________ reads the destination address, and forwards the data to the intended network’s _________. Finally, the receiving router directs that information to the tablet.

router

How well did you know this?

Not at all

Perfectly

A ____________ is a device that connects your router to the internet, and brings internet access to the LAN.

For example, if a computer from one network wants to send information to a device on a network in a different geographic location, it would be transferred as follows: The computer would send information to the router, and the router would then transfer the information through the ___________ to the internet. The intended recipient’s ___________ receives the information, and transfers it to the router. Finally, the recipient’s router forwards that information to the destination device.

modem

How well did you know this?

Not at all

Perfectly

A _____________ is a basic unit of information that travels from one device to another within a network.

data packet

How well did you know this?

Not at all

Perfectly

____________ refers to the amount of data a device receives every second. You can calculate __________ by dividing the quantity of data by the time in seconds. Speed refers to the rate at which data packets are received or downloaded. Security personnel are interested in network bandwidth and speed because if either are irregular, it could be an indication of an attack. Packet sniffing is the practice of capturing and inspecting data packets across the network.

Bandwidth

How well did you know this?

Not at all

Perfectly

What is in the header of a data packet?

A data packet is very similar to a physical letter. It contains a header that includes the internet protocol address, the IP address, and the media access control, or MAC, address of the destination device. It also includes a protocol number that tells the receiving device what to do with the information in the packet.

How well did you know this?

Not at all

Perfectly

TCP/IP stands for Transmission Control Protocol and Internet Protocol.

TCP/IP is the standard model used for network communication.

How well did you know this?

Not at all

Perfectly

______, or ______________, is an internet communication protocol that allows two devices to form a connection and stream data. The protocol includes a set of instructions to organize data, so it can be sent across a network. It also establishes a connection between two devices and makes sure that packets reach their appropriate destination.

TCP - Transmission Control Protocol

How well did you know this?

Not at all

Perfectly

__ stands for __________. has a set of standards used for routing and addressing data packets as they travel between devices on a network. Included in the _____________ is the IP address that functions as an address for each private network. You’ll learn more about IP addresses a bit later.

IP Internet Protocol

How well did you know this?

Not at all

Perfectly

Within the operating system of a network device, a _____ is a software-based location that organizes the sending and receiving of data between devices on a network. ______(s) divide network traffic into segments based on the service they will perform between two devices. The computers sending and receiving these data segments know how to prioritize and process these segments based on their _____ number.

Port

How well did you know this?

Not at all

Perfectly

Some common port numbers are:

port 25, which is used for e-mail

port 443, which is used for secure internet communication

port 20, for large file transfers

How well did you know this?

Not at all

Perfectly

The TCP/IP model is a framework that is used to visualize how data is organized and transmitted across the network. The TCP/IP model has four layers. The four layers are:

the network access layer
The network access layer deals with creation of data packets and their transmission across a network. This includes hardware devices connected to physical cables and switches that direct data to its destination.

the internet layer
The internet layer is where IP addresses are attached to data packets to indicate the location of the sender and receiver. The internet layer also focuses on how networks connect to each other. For example, data packets containing information that determine whether they will stay on the LAN or will be sent to a remote network, like the internet.

the transport layer
The transport layer includes protocols to control the flow of traffic across a network. These protocols permit or deny communication with other devices and include information about the status of the connection. Activities of this layer include error control, which ensures data is flowing smoothly across the network.

the application layer.
Finally, at the application layer, protocols determine how the data packets will interact with receiving devices. Functions that are organized at application layer include file transfers and email services.

How well did you know this?

Not at all

Perfectly

_______________. The ________ shares error information and status updates of data packets. This is useful for detecting and troubleshooting network errors. The ______ reports information about packets that were dropped or that disappeared in transit, issues with network connectivity, and packets redirected to other routers.

Internet Control Message Protocol (ICMP)

How well did you know this?

Not at all

Perfectly

The _____________ is responsible for delivering data between two systems or networks and includes protocols to control the flow of traffic across a network. TCP and UDP are the two transport protocols that occur at this layer.

transport layer

How well did you know this?

Not at all

Perfectly

The __________________ is an internet communication protocol that allows two devices to form a connection and stream data. It ensures that data is reliably transmitted to the destination service. ______ contains the port number of the intended destination service, which resides in the TCP header of a TCP/IP packet.

Transmission Control Protocol (TCP)

How well did you know this?

Not at all

Perfectly

The _________________ is a connectionless protocol that does not establish a connection between devices before transmissions. It is used by applications that are not concerned with the reliability of the transmission. Data sent over UDP is not tracked as extensively as data sent using TCP. Because UDP does not establish network connections, it is used mostly for performance sensitive applications that operate in real time, such as video streaming.

User Datagram Protocol (UDP)

How well did you know this?

Not at all

Perfectly

The __________ in the TCP/IP model is similar to the application, presentation, and session layers of the OSI model. The ___________ is responsible for making network requests or responding to requests. This layer defines which internet services and applications any user can access. Protocols in the application layer determine how the data packets will interact with receiving devices. Some common protocols used on this layer are:

Hypertext transfer protocol (HTTP)

Simple mail transfer protocol (SMTP)

Secure shell (SSH)

File transfer protocol (FTP)

Domain name system (DNS)

Application layer protocols rely on underlying layers to transfer the data across the network.

application layer

How well did you know this?

Not at all

Perfectly

An ______________, or _________ is a unique string of characters that identifies a location of a device on the internet. Each device on the internet has a unique ___________, just like every house on a street has its own mailing address.

internet protocol address IP address

How well did you know this?

Not at all

Perfectly

A __________ is a unique alphanumeric identifier that is assigned to each physical device on a network. When a switch receives a data packet, it reads the MAC address of the destination device and maps it to a port. It then keeps this information in a MAC address table. Think of the MAC address table like an address book that the switch uses to direct data packets to the appropriate device.

MAC address

How well did you know this?

Not at all

Perfectly

The maximum data transmission capacity over a network, measured by bits per second

Bandwidth:

How well did you know this?

Not at all

Perfectly

The practice of using remote servers, application, and network services that are hosted on the internet instead of on local physical devices

Cloud computing:

How well did you know this?

Not at all

Perfectly

A collection of servers or computers that stores resources and data in remote data centers that can be accessed via the internet

Cloud network:

How well did you know this?

Not at all

Perfectly

A basic unit of information that travels from one device to another within a network

Data packet:

How well did you know this?

Not at all

Perfectly

A network device that broadcasts information to every device on the network

Hub:

A set of standards used for routing and addressing data packets as they travel between devices on a network

Internet Protocol (IP):

A unique string of characters that identifies the location of a device on the internet

Internet Protocol (IP) address:

A network that spans small areas like an office building, a school, or a home

Local Area Network (LAN):

A unique alphanumeric identifier that is assigned to each physical device on a network

Media Access Control (MAC) address:

A device that connects your router to the internet and brings internet access to the LAN

Modem:

Network: A group of connected devices

Network:

A standardized concept that describes the seven layers computers use to communicate and send data over the network

Open systems interconnection (OSI) model:

The practice of capturing and inspecting data packets across a network

Packet sniffing:

A software-based location that organizes the sending and receiving of data between devices on a network

Port:

A network device that connects multiple networks together

Router:

A device that makes connections between specific devices on a network by sending and receiving data between them

Switch:

A framework used to visualize how data is organized and transmitted across a network

TCP/IP model:

An internet communication protocol that allows two devices to form a connection and stream data

Transmission Control Protocol (TCP):

A connectionless protocol that does not establish a connection between devices before transmissions

User Datagram Protocol (UDP):

A network that spans a large geographic area like a city, state, or country

Wide Area Network (WAN):

Communication protocols Communication protocols govern the exchange of information in network transmission. They dictate how the data is transmitted between devices and the timing of the communication. They also include methods to recover data lost in transit. Here are a few of them.

- Transmission Control Protocol (TCP) - User Datagram Protocol (UDP) - Hypertext Transfer Protocol (HTTP) - Domain Name System (DNS)

___________________ is an internet communication protocol that allows two devices to form a connection and stream data. ____ uses a three-way handshake process. First, the device sends a synchronize (SYN) request to a server. Then the server responds with a SYN/ACK packet to acknowledge receipt of the device's request. Once the server receives the final ACK packet from the device, a _____ connection is established. In the TCP/IP model, ______ occurs at the transport layer.

Transmission Control Protocol (TCP)

___________________ is a connectionless protocol that does not establish a connection between devices before a transmission. This makes it less reliable than TCP. But it also means that it works well for transmissions that need to get to their destination quickly. For example, one use of ____ is for internet gaming transmissions. In the TCP/IP model, ______ occurs at the transport layer.

User Datagram Protocol (UDP)

__________________ is an application layer protocol that provides a method of communication between clients and website servers. _______ uses port 80. _____ is considered insecure, so it is being replaced on most websites by a secure version, called ____(s) However, there are still many websites that use the insecure _____ protocol. In the TCP/IP model, _____ occurs at the application layer.

Hypertext Transfer Protocol (HTTP)

__________________ is a protocol that translates internet domain names into IP addresses. When a client computer wishes to access a website domain using their internet browser, a query is sent to a dedicated _____ server. The ______ server then looks up the IP address that corresponds to the website domain. _____ normally uses UDP on port 53. However, if the _____ reply to a request is large, it will switch to using the TCP protocol. In the TCP/IP model, _____ occurs at the application layer.

Domain Name System (DNS)

Management Protocols The next category of network protocols is management protocols. Management protocols are used for monitoring and managing activity on a network. They include protocols for error reporting and optimizing performance on the network.

- Simple Network Management Protocol (SNMP) - Internet Control Message Protocol (ICMP)

__________________ is a network protocol used for monitoring and managing devices on a network. SNMP can reset a password on a network device or change its baseline configuration. It can also send requests to network devices for a report on how much of the network’s bandwidth is being used up. In the TCP/IP model, SNMP occurs at the application layer.

Simple Network Management Protocol (SNMP)

________________________ is an internet protocol used by devices to tell each other about data transmission errors across the network. ICMP is used by a receiving device to send a report to the sending device about the data transmission. ICMP is commonly used as a quick way to troubleshoot network connectivity and latency by issuing the “ping” command on a Linux operating system. In the TCP/IP model, ICMP occurs at the internet layer.

Internet Control Message Protocol (ICMP)

Security Protocols Security protocols are network protocols that ensure that data is sent and received securely across a network. Security protocols use encryption algorithms to protect data in transit. Below are some common security protocols.

- Hypertext Transfer Protocol Secure (HTTPS) - Secure File Transfer Protocol (SFTP)

____________________is in the management family of network protocols. DHCP is an application layer protocol used on a network to configure devices. It assigns a unique IP address and provides the addresses of the appropriate DNS server and default gateway for each device. DHCP servers operate on UDP port 67 while DHCP clients operate on UDP port 68.

Dynamic Host Configuration Protocol (DHCP)

The devices on your local home or office network each have a private IP address that they use to communicate directly with each other. In order for the devices with private IP addresses to communicate with the public internet, they need to have a public IP address. Otherwise, responses will not be routed correctly. Instead of having a dedicated public IP address for each of the devices on the local network, the router can replace a private source IP address with its public IP address and perform the reverse operation for responses. This process is known as Network Address Translation (NAT) and it generally requires a router or firewall to be specifically configured to perform NAT. NAT is a part of layer 2 (internet layer) and layer 3 (transport layer) of the TCP/IP model.

Network Address Translation

By now, you are familiar with IP and MAC addresses. You’ve learned that each device on a network has both an IP address that identifies it on the network and a MAC address that is unique to that network interface. A device’s IP address may change over time, but its MAC address is permanent. _________________ (ARP) is mainly a network access layer protocol in the TCP/IP model used to translate the IP addresses that are found in data packets into the MAC address of the hardware device. Each device on the network performs ARP and keeps track of matching IP and MAC addresses in an ARP cache. ARP does not have a specific port number.

Address Resolution Protocol

__________ is an application layer protocol that allows a device to communicate with another device or server. _______ sends all information in clear text. It uses command line prompts to control another device similar to secure shell (SSH), but ________ is not as secure as SSH. Telnet can be used to connect to local or remote devices and uses TCP port 23.

Telnet

_____________________is used to create a secure connection with a remote system. This application layer protocol provides an alternative for secure authentication and encrypted communication. SSH operates over the TCP port 22 and is a replacement for less secure protocols, such as Telnet.

Secure shell protocol (SSH)

____________________is an application layer (layer 4 of the TCP/IP model) protocol used to manage and retrieve email from a mail server. Many organizations have a dedicated mail server on the network that handles incoming and outgoing mail for users on the network. User devices will send requests to the remote mail server and download email messages locally. If you have ever refreshed your email application and had new emails populate in your inbox, you are experiencing POP and internet message access protocol (IMAP) in action. Unencrypted, plaintext authentication uses TCP/UDP port 110 and encrypted emails use Secure Sockets Layer/Transport Layer Security (SSL/TLS) over TCP/UDP port 995. When using POP, mail has to finish downloading on a local device before it can be read and it does not allow a user to sync emails.

Post office protocol (POP)

_________ is used for incoming email. It downloads the headers of emails, but not the content. The content remains on the email server, which allows users to access their email from multiple devices. IMAP uses TCP port 143 for unencrypted email and TCP port 993 over the TLS protocol. Using IMAP allows users to partially read email before it is finished downloading and to sync emails. However, IMAP is slower than POP3.

Internet Message Access Protocol (IMAP)

Remember that port numbers are used by network devices to determine what should be done with the information contained in each data packet once they reach their destination. Firewalls can filter out unwanted traffic based on port numbers. For example, an organization may configure a firewall to only allow access to TCP port 995 (POP3) by IP addresses belonging to the organization. As a security analyst, you will need to know about many of the protocols and port numbers mentioned in this course. They may be used to determine your technical knowledge in interviews, so it’s a good idea to memorize them. You will also learn about new protocols on the job in a security position.

Protocols and port numbers

As a cybersecurity analyst, you will encounter various common protocols in your everyday work. The protocols covered in this reading include NAT, DHCP, ARP, Telnet, SSH, POP3, IMAP, and SMTP. It is equally important to understand where each protocol is structured in the TCP/IP model and which ports they occupy.

Protocol. Port DHCP - UDP port 67 (servers), UDP port 68 (clients) ARP. - none Telnet. - TCP port 23 SSH. - TCP port 22 POP3 - TCP/UDP port 110 (unencrypted), TCP/UDP port 995 (encrypted, SSL/TLS) IMAP - TCP port 143 (unencrypted), TCP port 993 (encrypted, SSL/TLS) SMTP. - TCP/UDP port 587 (encrypted, TLS)

_____________, commonly known as Wi-Fi, is a set of standards that define communications for wireless LANs. IEEE stands for the Institute of Electrical and Electronics Engineers, which is an organization that maintains Wi-Fi standards, and 802.11 is a suite of protocols used in wireless communications.

IEEE802.11

_____ is a wireless security protocol for devices to connect to the internet. Since then, _______ has evolved into newer versions, like ____2 and _____3, which include further security improvements, like more advanced encryption. As a security analyst, you might be responsible for making sure that the wireless connections in your organization are secure. Let's learn more about security measures.

WPA

________________ is a wireless security protocol designed to provide users with the same level of privacy on wireless network connections as they have on wired network connections. WEP was developed in 1999 and is the oldest of the wireless security standards. WEP is largely out of use today, but security analysts should still understand WEP in case they encounter it. For example, a network router might have used WEP as the default security protocol and the network administrator never changed it. Or, devices on a network might be too old to support newer Wi-Fi security protocols. Nevertheless, a malicious actor could potentially break the WEP encryption, so it’s now considered a high-risk security protocol.

Wired equivalent privacy (WEP)

_______________ was developed in 2003 to improve upon WEP, address the security issues that it presented, and replace it. WPA was always intended to be a transitional measure so backwards compatibility could be established with older hardware. The flaws with WEP were in the protocol itself and how the encryption was used. WPA addressed this weakness by using a protocol called Temporal Key Integrity Protocol (TKIP). WPA encryption algorithm uses larger secret keys than WEPs, making it more difficult to guess the key by trial and error. WPA also includes a message integrity check that includes a message authentication tag with each transmission. If a malicious actor attempts to alter the transmission in any way or resend at another time, WPA’s message integrity check will identify the attack and reject the transmission. Despite the security improvements of WPA, it still has vulnerabilities. Malicious actors can use a key reinstallation attack (or KRACK attack) to decrypt transmissions using WPA. Attackers can insert themselves in the WPA authentication handshake process and insert a new encryption key instead of the dynamic one assigned by WPA. If they set the new key to all zeros, it is as if the transmission is not encrypted at all. Because of this significant vulnerability, WPA was replaced with an updated version of the protocol called WPA2.

Wi-Fi Protected Access (WPA)

The second version of _______________________—was released in 2004. WPA2 improves upon WPA by using the Advanced Encryption Standard (AES). WPA2 also improves upon WPA’s use of TKIP. WPA2 uses the Counter Mode Cipher Block Chain Message Authentication Code Protocol (CCMP), which provides encapsulation and ensures message authentication and integrity. Because of the strength of WPA2, it is considered the security standard for all Wi-Fi transmissions today. WPA2, like its predecessor, is vulnerable to KRACK attacks. This led to the development of WPA3 in 2018.

Wi-Fi Protected Access—known as WPA2

Personal WPA2 personal mode is best suited for home networks for a variety of reasons. It is easy to implement, initial setup takes less time for personal than enterprise version. The global passphrase for WPA2 personal version needs to be applied to each individual computer and access point in a network. This makes it ideal for home networks, but unmanageable for organizations.

WPA2 enterprise mode works best for business applications. It provides the necessary security for wireless networks in business settings. The initial setup is more complicated than WPA2 personal mode, but enterprise mode offers individualized and centralized control over the Wi-Fi access to a business network. This means that network administrators can grant or remove user access to a network at any time. Users never have access to encryption keys, this prevents potential attackers from recovering network keys on individual computers.

WPA3 is a secure Wi-Fi protocol and is growing in usage as more WPA3 compatible devices are released. These are the key differences between WPA2 and WPA3: WPA3 addresses the authentication handshake vulnerability to KRACK attacks, which is present in WPA2. WPA3 uses Simultaneous Authentication of Equals (SAE), a password-authenticated, cipher-key-sharing agreement. This prevents attackers from downloading data from wireless network connections to their systems to attempt to decode it. WPA3 has increased encryption to make passwords more secure by using 128-bit encryption, with WPA3-Enterprise mode offering optional 192-bit encryption.

A __________ is a network security device that monitors traffic to and from your network. It either allows traffic or it blocks it based on a defined set of security rules. A firewall can use port filtering, which blocks or allows certain port numbers to limit unwanted communication. For example, it could have a rule that only allows communications on port 443 for HTTPS or port 25 for email and blocks everything else. These firewall settings will be determined by the organization's security policy.

firewall

A _____________ is considered the most basic way to defend against threats to a network. A hardware firewall inspects each data packet before it's allowed to enter the network.

hardware firewall

A ____________ performs the same functions as a hardware firewall, but it's not a physical device. Instead, it's a software program installed on a computer or on a server. If the software firewall is installed on a computer, it will analyze all the traffic received by that computer. If the software firewall is installed on a server, it will protect all the devices connected to the server. A software firewall typically costs less than purchasing a separate physical device, and it doesn't take up any extra space. But because it is a software program, it will add some processing burden to the individual devices.

software firewall

____________ firewalls are software firewalls hosted by a cloud service provider. Organizations can configure the firewall rules on the cloud service provider's interface, and the firewall will perform security operations on all incoming traffic before it reaches the organization’s onsite network. Cloud-based firewalls also protect any assets or processes that an organization might be using in the cloud.

Cloud-based

________ refers to a class of firewall that keeps track of information passing through it and proactively filters out threats. A stateful firewall analyzes network traffic for characteristics and behavior that appear suspicious and stops them from entering the network.

Stateful

__________refers to a class of firewall that operates based on predefined rules and does not keep track of information from data packets. A stateless firewall only acts according to preconfigured rules set by the firewall administrator. The rules programmed by the firewall administrator tell the device what to accept and what to reject. A stateless firewall doesn't store analyzed information. It also doesn't discover suspicious trends like a stateful firewall does. For this reason, stateless firewalls are considered less secure than stateful firewalls.

Stateless

A _____________, provides even more security than a stateful firewall. Not only does an NGFW provide stateful inspection of incoming and outgoing traffic, but it also performs more in-depth security functions like deep packet inspection and intrusion protection. Some ________ connect to cloud-based threat intelligence services so they can quickly update to protect against emerging cyber threats.

next generation firewall, or NGFW

______________ control who can access different segments of a network. Security zones act as a barrier to internal networks, maintain privacy within corporate groups, and prevent issues from spreading to the whole network. One example of network segmentation is a hotel that offers free public Wi-Fi. The unsecured guest network is kept separate from another encrypted network used by the hotel staff.

Security zones

There are several types of networks within the controlled zone. On the outer layer is the demilitarized zone, or DMZ, which contains public-facing services that can access the internet. This includes web servers, proxy servers that host websites for the public, and DNS servers that provide IP addresses for internet users. It also includes email and file servers that handle external communications. The DMZ acts as a network perimeter to the internal network. The internal network contains private servers and data that the organization needs to protect. Inside the internal network is another zone called the restricted zone. The restricted zone protects highly confidential information that is only accessible to employees with certain privileges.

A ___________ server regulates and restricts a person with access to the internet. The goal is to hide a user's IP address and approve all outgoing requests. In the context of an organization, a forward proxy server receives outgoing traffic from an employee, approves it, and then forwards it on to the destination on the internet.

forward proxy

A ______________ regulates and restricts the internet access to an internal server. The goal is to accept traffic from external parties, approve it, and forward it to the internal servers. This setup is useful for protecting internal web servers containing confidential data from exposing their IP address to external parties.

reverse proxy server

An ____________ is another valuable security tool. It filters spam email by verifying whether a sender's address was forged. This reduces the risk of phishing attacks that impersonate people known to the organization.

email proxy server

_________ is a high-speed VPN protocol, with advanced encryption, to protect users when they are accessing the internet. It’s designed to be simple to set up and maintain. WireGuard can be used for both site-to-site connection and client-server connections. WireGuard is relatively newer than IPSec, and is used by many people due to the fact that its download speed is enhanced by using fewer lines of code. WireGuard is also open source, which makes it easier for users to deploy and debug. This protocol is useful for processes that require faster download speeds, such as streaming video content or downloading large files.

WireGuard

___________ is another VPN protocol that may be used to set up VPNs. Most VPN providers use IPSec to encrypt and authenticate data packets in order to establish secure, encrypted connections. Since IPSec is one of the earlier VPN protocols, many operating systems support IPSec from VPN providers. Although IPSec and WireGuard are both VPN protocols, IPSec is older and more complex than WireGuard. Some clients may prefer IPSec due to its longer history of use, extensive security testing, and widespread adoption. However, others may prefer WireGuard because of its potential for better performance and simpler configuration.

IPSec VPN

A network protocol used to determine the MAC address of the next router or device on the path

Address Resolution Protocol (ARP)

Malicious actors can use hardware or software tools to capture and inspect data in transit. This is referred to as _____________.

packet sniffing

A _____________ is an attack that targets a network or server and floods it with network traffic.

DoS attack

A _____________ is a type of DoS attack that simulates the TCP connection and floods the server with SYN packets. Let's break this definition down a bit more by taking a closer look at the handshake process that is used to establish a TCP connection between a device and a server. The first step in the handshake is for the device to send a SYN, or synchronize, request to the server. Then, the server responds with a SYN/ACK packet to acknowledge the receipt of the device's request and leaves a port open for the final step of the handshake. Once the server receives the final ACK packet from the device, a TCP connection is established. Malicious actors can take advantage of the protocol by flooding a server with SYN packet requests for the first part of the handshake. But if the number of SYN requests is larger than the number of available ports on the server, then the server will be overwhelmed and become unable to function.

SYN flood attack

________________ is an internet protocol used by devices to tell each other about data transmission errors across the network. Think of ICMP like a request for a status update from a device. The device will return error messages if there is a network concern. You can think of this like the ICMP request checking in with the device to make sure that all is well. An ICMP flood attack is a type of DoS attack performed by an attacker repeatedly sending ICMP packets to a network server. This forces the server to send an ICMP packet. This eventually uses up all the bandwidth for incoming and outgoing traffic and causes the server to crash. Both of the attacks we've discussed so far, SYN flood and ICMP flood, take advantage of communication protocols by sending an overwhelming number of requests.

Internet Control Message Protocol. ICMP

A ____________ is a type of DoS attack that is caused when a hacker pings a system by sending it an oversized ICMP packet that is bigger than 64 kilobytes, the maximum size for a correctly formed ICMP packet. Pinging a vulnerable network server with an oversized ICMP packet will overload the system and cause it to crash. Think of this like dropping a rock on a small anthill. Each individual ant can carry a certain amount of weight while transporting food to and from the anthill. But if a large rock is dropped on the anthill, then many ants will be crushed, and the colony is unable to function until it rebuilds its operations elsewhere.

ping of death attack

There are a wide variety of network protocol analyzers available, but some of the most common analyzers include: SolarWinds NetFlow Traffic Analyzer ManageEngine OpManager Azure Network Watcher Wireshark tcpdump

tcpdump is a command-line network protocol analyzer. It is popular, lightweight–meaning it uses little memory and has a low CPU usage–and uses the open-source libpcap library. tcpdump is text based, meaning all commands in tcpdump are executed in the terminal. It can also be installed on other Unix-based operating systems, such as macOS®. It is preinstalled on many Linux distributions. tcpdump provides a brief packet analysis and converts key information about network traffic into formats easily read by humans. It prints information about each packet directly into your terminal. tcpdump also displays the source IP address, destination IP addresses, and the port numbers being used in the communications. Interpreting output tcpdump prints the output of the command as the sniffed packets in the command line, and optionally to a log file, after a command is executed. The output of a packet capture contains many pieces of important information about the network traffic. types of information presented in a tcpdump packet capture. Some information you receive from a packet capture includes: Timestamp: The output begins with the timestamp, formatted as hours, minutes, seconds, and fractions of a second. Source IP: The packet’s origin is provided by its source IP address. Source port: This port number is where the packet originated. Destination IP: The destination IP address is where the packet is being transmitted to. Destination port: This port number is where the packet is being transmitted to. Note: By default, tcpdump will attempt to resolve host addresses to hostnames. It'll also replace port numbers with commonly associated services that use these ports.

Packets include a header which contains the sender's and receiver's IP addresses. Packets also contain a body, which may contain valuable information like names, date of birth, personal messages, financial information, and credit card numbers.

Passive packet sniffing is a type of attack where data packets are read in transit. Since all the traffic on a network is visible to any host on the hub, malicious actors can view all the information going in and out of the device they are targeting. Thinking back to the example of a letter being delivered, we can compare a passive packet sniffing attack to a postal delivery person maliciously reading somebody's mail. The postal worker, or packet sniffer, has the right to deliver the mail, but not the right to read the information inside.

Active packet sniffing is a type of attack where data packets are manipulated in transit. This may include injecting internet protocols to redirect the packets to an unintended port or changing the information the packet contains. Active packet sniffing attack would be like a neighbor telling the delivery person "I'll deliver that mail for you," and then reading the mail or changing the letter before putting it in your mailbox. Even though your neighbor knows you and even if they deliver it to the correct house, they are actively going out of their way to engage in malicious behavior.

One way to protect against malicious packet sniffing is to use a VPN to encrypt and protect data as it travels across the network. If you don't remember how VPNs work, you can revisit the video about this topic in the previous section of the program. When you use a VPN, hackers might interfere with your traffic, but they won't be able to decode it to read it and read your private information.

Another way to add a layer of protection against packet sniffing is to make sure that websites you have use HTTPS at the beginning of the domain address. Previously, we discussed how HTTPS uses SSL/TLS to encrypt data and prevent eavesdropping when malicious actors spy on network transmissions. One final way to help protect yourself against malicious packet sniffing is to avoid using unprotected WiFi. You usually find unprotected WiFi in public places like coffee shops, restaurants, or airports. These networks don't use encryption. This means that anyone on the network can access all of the data traveling to and from your device. One precaution you can take is avoiding free public WiFi unless you have a VPN service already installed on your device.

IP spoofing is a network attack performed when an attacker changes the source IP of a data packet to impersonate an authorized system and gain access to a network. In this kind of attack, the hacker is pretending to be someone they are not so they can communicate over the network with the target computer and get past firewall rules that may prevent outside traffic.

An on-path attack is an attack where the malicious actor places themselves in the middle of an authorized connection and intercepts or alters the data in transit. On-path attackers gain access to the network and put themselves between two devices, like a web browser and a web server. Then they sniff the packet information to learn the IP and MAC addresses to devices that are communicating with each other. After they have this information, they can pretend to be either of these devices.

Another type of attack is a replay attack. A replay attack is a network attack performed when a malicious actor intercepts a data packet in transit and delays it or repeats it at another time. A delayed packet can cause connection issues between target computers, or a malicious actor may take a network transmission that was sent by an authorized user and repeat it at a later time to impersonate the authorized user. A smurf attack is a combination of a DDoS attack and an IP spoofing attack. The attacker sniffs an authorized user's IP address and floods it with packets. This overwhelms the target computer and can bring down a server or the entire network.

As you previously learned, encryption should always be implemented so that the data in your network transfers can't be read by malicious actors. Firewalls can be configured to protect against IP spoofing. IP spoofing makes it seem like the malicious actor is an authorized user by changing the sender's address of the data packet to match the target network's address. So if a firewall receives a data packet from the internet where the sender's IP address is the same as the private network, then the firewall will deny the transmission since all the devices with that IP address should already be on the local network. You can make sure that your firewalls configure correctly by creating a rule to reject all incoming traffic that has the same IP address as the local network.

The device’s Network Interface Card (NIC) is a piece of hardware that connects the device to a network. The NIC reads the data transmission, and if it contains the device’s MAC address, it accepts the packet and sends it to the device to process the information based on the protocol.

In a smurf attack, IP spoofing is combined with another denial of service (DoS) technique to flood the network with unwanted traffic. For example, the spoofed packet could include an Internet Control Message Protocol (ICMP) ping. As you learned earlier, ICMP is used to troubleshoot a network. But if too many ICMP messages are transmitted, the ICMP echo responses overwhelm the servers on the network and they shut down. This creates a denial of service and can bring an organization’s operations to a halt. An important way to protect against a smurf attack is to use an advanced firewall that can monitor any unusual traffic on the network. Most next generation firewalls (NGFW) include features that detect network anomalies to ensure that oversized broadcasts are detected before they have a chance to bring down the network.

SYN flood attack

A type of DoS attack that simulates a TCP/IP connection and floods a server with SYN packets

Distributed denial of service attack (DDoS)

A type of denial or service attack that uses multiple devices or servers in different locations to flood the target network with unwanted traffic

The practice of capturing and inspecting data packets across a network

Packet Sniffing

A network attack performed when an attacker changes the source IP of a data packet to impersonate an authorized system and gain access to a network

IP Spoofing

A _______________ is a documented set of specifications within a system that is used as a basis for future builds, releases, and updates. For example, a baseline may contain a firewall rule with a list of allowed and disallowed network ports. If a security team suspects unusual activity affecting the OS, they can compare the current configuration to the baseline and make sure that nothing has been changed.

baseline configuration

Another hardening task performed regularly is hardware and ____________. This ensures that all old hardware is properly wiped and disposed of. It's also a good idea to delete any unused software applications since some popular programming languages have known vulnerabilities. Removing unused software makes sure that there aren't any unnecessary vulnerabilities connected with the programs that the software uses.

software disposal

________________ are software versions of physical computers. VMs provide an additional layer of security for an organization because they can be used to run code in an isolated environment, preventing malicious code from affecting the rest of the computer or system. VMs can also be deleted and replaced by a pristine image after testing malware. VMs are useful when investigating potentially infected machines or running malware in a constrained environment. Using a VM may prevent damage to your system in the event its tools are used improperly. VMs also give you the ability to revert to a previous state. However, there are still some risks involved with VMs. There’s still a small risk that a malicious program can escape virtualization and access the host machine. You can test and explore applications easily with VMs, and it’s easy to switch between different VMs from your computer. This can also help in streamlining many security tasks.

Virtual machines (VMs)

An attack where a malicious actor places themselves in the middle of an authorized connection and intercepts or alters the data in transit

On-path attack

A type of attack where data packets are manipulated in transit

Active packet sniffing:

A collection of computers infected by malware that are under the control of a single threat actor, known as the “bot-herder"

Botnet:

An attack that targets a network or server and floods it with network traffic A type of denial of service attack that uses multiple devices or servers located in different locations to flood the target network with unwanted traffic

Denial of service (DoS) attack: Distributed denial of service (DDoS) attack:

An internet protocol used by devices to tell each other about data transmission errors across the network

Internet Control Message Protocol (ICMP):

A type of DoS attack performed by an attacker repeatedly sending ICMP request packets to a network server

Internet Control Message Protocol (ICMP) flood:

A network attack performed when an attacker changes the source IP of a data packet to impersonate an authorized system and gain access to a network

IP spoofing:

An attack where a malicious actor places themselves in the middle of an authorized connection and intercepts or alters the data in transit

On-path attack:

A type of attack where a malicious actor connects to a network hub and looks at all traffic on the network

Passive packet sniffing:

A type of DoS attack caused when a hacker pings a system by sending it an oversized ICMP packet that is bigger than 64KB

Ping of death:

A network attack performed when a malicious actor intercepts a data packet in transit and delays it or repeats it at another time

Replay attack:

A network attack performed when an attacker sniffs an authorized user’s IP address and floods it with ICMP packets

Smurf attack:

A type of DoS attack that simulates a TCP/IP connection and floods a server with SYN packets

Synchronize (SYN) flood attack:

_______________. When attackers try to guess a user's login credentials, it’s considered a simple brute force attack. They might do this by entering any combination of usernames and passwords that they can think of until they find the one that works.

Simple brute force attacks

____________ use a similar technique. In dictionary attacks, attackers use a list of commonly used passwords and stolen credentials from previous breaches to access a system. These are called “dictionary” attacks because attackers originally used a list of words from the dictionary to guess the passwords, before complex password rules became a common security practice.

Dictionary attacks

A ____________ is a type of testing environment that allows you to execute software or programs separate from your network. They are commonly used for testing patches, identifying and addressing bugs, or detecting cybersecurity vulnerabilities. Sandboxes can also be used to evaluate suspicious software, evaluate files containing malicious code, and simulate attack scenarios. __________ can be stand-alone physical computers that are not connected to a network; however, it is often more time- and cost-effective to use software or cloud-based virtual machines as sandbox environments. Note that some malware authors know how to write code to detect if the malware is executed in a VM or sandbox environment. Attackers can program their malware to behave as harmless software when run inside these types of testing environments.

sandbox

Hashing converts information into a unique value that can then be used to determine its integrity. It is a one-way function, meaning it is impossible to decrypt and obtain the original text. Salting adds random characters to hashed passwords. This increases the length and complexity of hash values, making them more secure.

Salting and hashing:

MFA is a security measure which requires a user to verify their identity in two or more ways to access a system or network. This verification happens using a combination of authentication factors: a username and password, fingerprints, facial recognition, or a one-time password (OTP) sent to a phone number or email. 2FA is similar to MFA, except it uses only two forms of verification.

Multi-factor authentication (MFA) and two-factor authentication (2FA):

___________ stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It asks users to complete a simple test that proves they are human. This helps prevent software from trying to brute force a password. reCAPTCHA is a free CAPTCHA service from Google that helps protect websites from bots and malicious software.

CAPTCHA and reCAPTCHA: CAPTCHA

Organizations use password policies to standardize good password practices throughout the business. Policies can include guidelines on how complex a password should be, how often users need to update passwords, and if there are limits to how many times a user can attempt to log in before their account is suspended.

Password policies:

___________ is a firewall function that blocks or allows certain port numbers to limit unwanted communication. A basic principle is that the only ports that are needed are the ones that are allowed. Any port that isn't being used by the normal network operations should be disallowed. This protects against port vulnerabilities. Networks should be set up with the most up-to-date wireless protocols available and older wireless protocols should be disabled.

Port filtering

Security analysts also use _______________ to create isolated subnets for different departments in an organization. For example, they might make one for the marketing department and one for the finance department. This is done so the issues in each subnet don't spread across the whole company and only specified users are given access to the part of the network that they require for their role. _______________ may also be used to separate different security zones. Any restricted zone on a network containing highly classified or confidential data should be separate from the rest of the network.

network segmentation

Lastly, all network communication should be _________ed using the latest ________ standards. _________ standards are rules or methods used to conceal outgoing data and uncover or decrypt incoming data. Data in restricted zones should have much higher __________ standards, which makes them more difficult to access.

Encryption

Intrusion Prevention System An intrusion prevention system (IPS) is an application that monitors system activity for intrusive activity and takes action to stop the activity. It offers even more protection than an IDS because it actively stops anomalies when they are detected, unlike the IDS that simply reports the anomaly to a network administrator. An IPS searches for signatures of known attacks and data anomalies. An IPS reports the anomaly to security analysts and blocks a specific sender or drops network packets that seem suspect. An IPS is situated between a firewall and the internal network. The IPS (like an IDS) sits behind the firewall in the network architecture. This offers a high level of security because risky data streams are disrupted before they even reach sensitive parts of the network. However, one potential limitation is that it is inline: If it breaks, the connection between the private network and the internet breaks. Another limitation of IPS is the possibility of false positives, which can result in legitimate traffic getting dropped.

Full packet capture devices can be incredibly useful for network administrators and security professionals. These devices allow you to record and analyze all of the data that is transmitted over your network. They also aid in investigating alerts created by an IDS.

A hypervisor abstracts the host’s hardware from the operating software environment. There are two types of hypervisors. Type one hypervisors run on the hardware of the host computer. An example of a type one hypervisor is VMware®'s EXSi. Type two hypervisors operate on the software of the host computer. An example of a type two hypervisor is VirtualBox. Cloud service providers (CSPs) commonly use type one hypervisors. CSPs are responsible for managing the hypervisor and other virtualization components. The CSP ensures that cloud resources and cloud environments are available, and it provides regular patches and updates. Vulnerabilities in hypervisors or misconfigurations can lead to virtual machine escapes (VM escapes). A VM escape is an exploit where a malicious actor gains access to the primary hypervisor, potentially the host computer and other VMs. As a CSP customer, you will rarely deal with hypervisors directly.

Cryptographic erasure is a method of erasing the encryption key for the encrypted data. When destroying data in the cloud, more traditional methods of data destruction are not as effective. Crypto-shredding is a newer technique where the cryptographic keys used for decrypting the data are destroyed. This makes the data undecipherable and prevents anyone from decrypting the data. When crypto-shredding, all copies of the key need to be destroyed so no one has any opportunity to access the data in the future.

Modern encryption relies on keeping the encryption keys secure. Below are the measures you can take to further protect your data when using cloud applications: Trusted platform module (TPM). TPM is a computer chip that can securely store passwords, certificates, and encryption keys. Cloud hardware security module (CloudHSM). CloudHSM is a computing device that provides secure storage for cryptographic keys and processes cryptographic operations, such as encryption and decryption. Organizations and customers do not have access to the cloud service provider (CSP) directly, but they can request audits and security reports by contacting the CSP. Customers typically do not have access to the specific encryption keys that CSPs use to encrypt the customers’ data. However, almost all CSPs allow customers to provide their own encryption keys, depending on the service the customer is accessing. In turn, the customer is responsible for their encryption keys and ensuring the keys remain confidential. The CSP is limited in how they can help the customer if the customer’s keys are compromised or destroyed. One key benefit of the shared responsibility model is that the customer is not entirely responsible for maintenance of the cryptographic infrastructure. Organizations can assess and monitor the risk involved with allowing the CSP to manage the infrastructure by reviewing a CSPs audit and security controls. For federal contractors, FEDRAMP provides a list of verified CSPs.

A documented set of specifications within a system that is used as a basis for future builds, releases, and updates

Baseline configuration (baseline image):

A simulated attack that helps identify vulnerabilities in systems, networks, websites, applications, and processes

Penetration testing (pen test):

A file that can be altered by anyone in the world

World-writable file: