Module 4 - Attacking What We Do (Flashcards)

(194 cards)

Q: Which foundational component of enterprise communication must be protected in addition to the network infrastructure itself?
A: Protocols and software that provide services over the network, as they are also targets for threat actors.

Q: Which request is broadcast by a host to discover the MAC address of a device with a specific IP address?
A: An ARP Request is broadcast by a host to all others on the network segment to identify the MAC address for a given IP.

Q: What happens after a host receives an ARP Request and finds a matching IP address?
A: It sends an ARP Reply back to the requesting host with its MAC address.

Q: What kind of ARP message can a client send without receiving a request?
A: A gratuitous ARP is an unsolicited ARP Reply sent by a device, usually upon startup, to announce its IP and MAC address.

Q: When is a gratuitous ARP typically sent?
A: When a device first boots up to inform other devices on the local network of its MAC and IP address.

Q: What do other hosts do when they receive a gratuitous ARP?
A: They store the MAC and IP address from the gratuitous ARP in their ARP tables.

Q: Which vulnerability arises from the ability of any host to send a gratuitous ARP?
A: Any host can claim ownership of any IP/MAC combination, which opens the door to ARP cache poisoning.

Q: Which attack involves corrupting the ARP cache of local devices to reroute traffic?
A: ARP poisoning, which allows a threat actor to impersonate another device and intercept communications.

Q: What is the goal of a threat actor conducting an ARP poisoning attack?
A: To associate their MAC address with the IP address of the default gateway in the ARP caches of local hosts.

Q: Which address is typically impersonated in ARP cache poisoning to perform MiTM attacks?
A: The IP address of the default gateway is commonly spoofed.

Q: What does associating a malicious MAC with the gateway IP allow a threat actor to do?
A: It places the attacker between the victim and external systems, enabling a man-in-the-middle (MiTM) attack.

Q: What vulnerability exists in the way ARP operates that makes poisoning possible?
A: Any host can send gratuitous ARP Replies claiming any IP/MAC combination, allowing threat actors to insert false entries into ARP caches.

Q: Why is ARP considered vulnerable despite being foundational to local IP-to-MAC resolution?
A: It lacks authentication, allowing any device to send false replies and manipulate ARP tables.

Q: Which type of attack involves corrupting the ARP table of devices to intercept or redirect traffic?
A: ARP cache poisoning, which allows attackers to launch man-in-the-middle (MiTM) attacks by sending false MAC-to-IP mappings.

Q: Which type of packet does a computer send when it wants to discover the MAC address of an IP address on the same local network?
A: An ARP Request, which is broadcast to all devices on the subnet to find the matching MAC address for a given IP.

Q: What response does a legitimate device send when it receives an ARP Request for its IP address?
A: An ARP Reply, which provides its MAC address so that the requester can update its ARP cache.

Q: What is the name for an unsolicited ARP Reply sent by a device to announce its presence on the network?
A: A gratuitous ARP, which is typically sent when a device boots up to update other hosts’ ARP tables.

Q: What’s the difference between passive and active ARP poisoning?
A: Passive ARP poisoning involves eavesdropping on data, while active poisoning involves modifying or injecting malicious data.

Q: What does ARP stand for, and what is its function?
A: Address Resolution Protocol, used to map IP addresses to MAC addresses within a local network.

Q: What are some tools mentioned that can be used to perform ARP MiTM attacks?
A: dsniff, Cain & Abel, ettercap, and Yersinia.

Q: What network protocol helps convert domain names like www.cisco.com into numerical IP addresses?
A: The Domain Name Service (DNS), which resolves human-readable names to IPv4 or IPv6 addresses.

Q: What does DNS use to identify the type of data being returned in a response?
A: Resource Records (RR), which specify the type of DNS information included in the response.

Q: Why is DNS a tempting target for attackers in enterprise environments?
A: Because compromising DNS can misdirect users to malicious sites or disrupt the functionality of entire networks.

Q: What type of attack targets DNS services to manipulate name resolution or reroute traffic?
A: A DNS attack, where an attacker could corrupt or hijack the DNS resolution process.
Q: Which publicly available DNS service is an example of an open resolver commonly used by organizations?
A: GoogleDNS (8.8.8.8) is a publicly open DNS resolver used by many organizations to respond to DNS queries.

Q: Which type of DNS server responds to queries from clients outside its own administrative domain?
A: A DNS open resolver, such as GoogleDNS (8.8.8.8), responds to queries from clients outside of its administrative domain.

Q: Which DNS attack involves a threat actor sending falsified resource record information to redirect users to malicious sites?
A: A DNS cache poisoning attack, where spoofed resource records are sent to a resolver to misdirect users from legitimate to malicious sites.

Q: Which attack exploits open resolvers by sending DNS queries using a victim’s IP address to hide the attacker’s identity and increase attack traffic?
A: A DNS amplification and reflection attack, where threat actors spoof the victim's IP to generate large volumes of traffic from open resolvers.

Q: Which DNS-based attack is specifically designed to maximize the size of the response to overwhelm a target system?
A: DNS amplification, which increases the volume of attack traffic by eliciting large DNS responses from open resolvers.

Q: Which attack uses a Denial of Service (DoS) approach to deplete the system resources of a DNS open resolver?
A: A DNS resource utilization attack, which targets the resolver’s capacity, potentially requiring service restarts or reboots.

Q: Which DNS attack may force administrators to reboot DNS resolvers or restart their services due to complete resource exhaustion?
A: A DNS resource utilization attack, because it consumes all available resources, disrupting DNS service operations.

Q: Which DNS threat involves covertly using DNS to bypass security policies or exfiltrate data?
A: A DNS tunneling attack, where DNS queries and responses are used to carry unauthorized data between systems.

Q: Which attack involves creating subdomains under a legitimate domain to carry out malicious activities unnoticed?
A: A DNS domain shadowing attack, where threat actors register subdomains under compromised domain accounts.

Q: Which DNS attack avoids detection by spreading queries slowly over time and using randomized patterns?
A: A DNS stealth attack, designed to evade detection by using low-frequency and obscured DNS request patterns.

Q: Which term refers to a DNS server that responds to queries from clients outside its own administrative domain?
A: An open resolver, such as public DNS servers like GoogleDNS (8.8.8.8).

Q: What is a major security risk associated with DNS open resolvers?
A: They are vulnerable to multiple malicious activities including cache poisoning, amplification attacks, and resource utilization attacks.

Q: Which attack sends falsified resource record (RR) information to a DNS resolver to misdirect users?
A: DNS cache poisoning, aiming to redirect traffic to malicious sites.

Q: In a DNS cache poisoning attack, what can a threat actor trick the resolver into using?
A: A malicious name server that provides harmful resource record information.

Q: Which attack uses a DNS open resolver to launch a larger DoS or DDoS assault by magnifying the volume of responses?
A: A DNS amplification and reflection attack, which also hides the true source of the attacker.

Q: How does a DNS amplification attack increase the impact of a DDoS attack?
A: By sending small queries that cause much larger responses to be sent to the victim’s IP address.

Q: Which attack exhausts the resources of a DNS open resolver through overwhelming DoS requests?
A: DNS resource utilization attacks, which may force a resolver to reboot or restart services.

Q: Which general category of attack involves changing IP address mappings rapidly to evade detection?
A: DNS stealth attacks.

Q: Which DNS stealth technique involves constantly changing the IP addresses associated with a domain name?
A: Fast Flux, commonly used by botnets to hide phishing or malware servers.

Q: What advantage does Fast Flux provide to threat actors?
A: It makes malicious servers harder to locate and shut down by frequently changing DNS records.

Q: What DNS stealth technique involves rapidly changing both the hostname-to-IP mappings and the authoritative name servers?
A: Double IP Flux, increasing difficulty in tracking down malicious infrastructure.

Q: Why is Double IP Flux more effective than simple Fast Flux?
A: Because it modifies both the domain’s IP addresses and the authoritative servers, further masking the attack’s source.

Q: What method uses malware to randomly generate domain names for communication with command and control servers?
A: Domain Generation Algorithms (DGAs), making it harder to block communications.

Q: Why do malware developers use Domain Generation Algorithms?
A: To create unpredictable rendezvous points for connecting to C&C servers, avoiding simple domain blacklisting.

Q: What DNS attack involves silently creating multiple malicious subdomains under a legitimate parent domain?
A: DNS domain shadowing, by compromising domain account credentials.

Q: How does domain shadowing remain hidden from legitimate domain owners?
A: Because it silently adds subdomains without altering the visible parent domain.

Q: What credentials must an attacker obtain to successfully carry out DNS domain shadowing?
A: The domain account credentials of the legitimate domain owner.

Q: What do the subdomains created through domain shadowing typically point to?
A: Malicious servers used for launching attacks.

Q: Why are DNS open resolvers particularly attractive targets for threat actors?
A: Because they respond to anyone’s queries, allowing attackers to exploit them remotely.

Q: What is the main goal of a DNS resource utilization attack?
A: To drain all processing resources of the resolver, leading to denial of service.

Q: What method is used in DNS stealth attacks to ensure that malware servers are difficult to locate consistently?
A: Rapid and continuous changes to DNS entries, as seen in Fast Flux and Double IP Flux.

Q: Which cyberattack method involves embedding non-DNS traffic inside DNS queries to bypass security controls?
A: DNS tunneling, a technique used to steal data or control compromised hosts covertly.

Q: Which protocol is sometimes overlooked as a potential channel for botnet communication within enterprises?
A: DNS, because its normal operation is often trusted and not deeply inspected.

Q: What DNS traffic characteristic may indicate a DNS tunneling attack?
A: Queries that are longer than average or contain suspicious domain names.

Q: Which commercial solution is mentioned as effective against DNS tunneling?
A: Cisco Umbrella (formerly Cisco OpenDNS), which blocks suspicious DNS activity.

Q: What is the function of a recursive DNS server during a DNS tunneling attack?
A: To unknowingly forward malicious DNS queries toward the attacker’s authoritative server.

Q: What major threat uses DNS tunneling as a communication channel for attacks?
A: Botnets, especially for purposes like malware delivery, phishing, and DDoS attacks.

Q: In a DNS tunneling attack, what triggers the request to move past the local DNS and reach the attacker?
A: The absence of a matching DNS record at the local or networked DNS server.

Q: Which server type dynamically provides IP configuration information like IP addresses, default gateways, and DNS servers to clients?
A: A DHCP server, which automatically assigns IP configuration settings to network clients.

Q: Which message does a DHCP client initially broadcast to locate available DHCP servers on the network?
A: A DHCP Discover message, broadcast by the client to find DHCP servers.

Q: Which type of message does a DHCP server send directly to a client after receiving a discover broadcast, offering configuration information?
A: A unicast DHCP Offer message, which contains addressing information for the client.

Q: Which broadcast message from the client indicates it has accepted an offer from a DHCP server?
A: A DHCP Request message, sent by the client to accept the offered IP configuration.

Q: Which final unicast message does a DHCP server send to a client to confirm and finalize the IP assignment?
A: A DHCP Acknowledgment (ACK) message, which confirms the client's request and assigns the configuration.

Q: Which type of attack involves a rogue DHCP server providing false IP configuration parameters to clients?
A: A DHCP spoofing attack, where a malicious server supplies misleading network settings to legitimate clients.

Q: Which malicious server in a DHCP spoofing attack tries to intercept network traffic by giving clients incorrect gateway information?
A: A rogue DHCP server that assigns the threat actor’s IP as the default gateway, enabling a man-in-the-middle (MiTM) attack.

Q: Which type of false configuration provided by a rogue DHCP server can redirect users to malicious websites?
A: A wrong DNS server address, supplied by the rogue DHCP server to mislead client DNS queries.

Q: What can happen when a rogue DHCP server provides invalid IP addresses or invalid default gateway addresses to clients?
A: A Denial of Service (DoS) attack against DHCP clients, preventing them from communicating properly on the network.

Q: In a DHCP spoofing scenario, where must the rogue DHCP server be connected to effectively attack the target clients?
A: To a switch port on the same subnet as the target clients, allowing it to reply to DHCP Discover messages.

Q: What happens during the second step of a DHCP spoofing attack after the client’s DHCP Discover message?
A: Both the legitimate DHCP server and the rogue DHCP server respond with DHCP Offer messages.

Q: During a DHCP spoofing attack, which server’s offer does the client typically accept?
A: The client accepts the first DHCP Offer it receives, which may come from the rogue DHCP server.

Q: What key vulnerability allows a rogue DHCP server to succeed in a DHCP spoofing attack?
A: The DHCP protocol's design to accept the first server response without verifying the server's legitimacy.

Q: What kind of network attack can be silently initiated by setting the rogue DHCP server’s IP address as the client’s default gateway?
A: A man-in-the-middle (MiTM) attack, allowing the attacker to intercept or alter network traffic.

Q: How can a threat actor cause a DHCP client to experience service outages using a rogue DHCP server?
A: By providing invalid or unusable IP configurations, resulting in Denial of Service (DoS) conditions.

Q: Which protocols are commonly used for accessing web pages and thus are frequent targets for web-based attacks?
A: HTTP and HTTPS, which are essential for web browsing and therefore major targets for web-based threats.

Q: Which type of professional must understand the stages of a standard web-based attack to investigate incidents effectively?
A: A security analyst, who needs deep knowledge of how web attacks unfold to properly investigate them.

Q: What is the initial step in a typical web attack?
A: The victim unknowingly accesses a web page infected with malware, setting the attack in motion.

Q: After visiting a compromised page, what usually happens to the victim’s browser?
A: The browser is redirected, often through multiple compromised servers, to a malicious site hosting exploit code.

Q: Which software types are specifically scanned by exploit kits looking for vulnerabilities on a victim’s system?
A: Operating systems, Java, and Flash Player are commonly scanned by exploit kits for exploitable weaknesses.

Q: What is the term for the automatic download of malicious software when a user simply visits a compromised website?
A: A drive-by download, where malware is installed on a user’s system without any user action beyond visiting the page.

Q: Which scripting language is commonly used to develop exploit kits?
A: PHP, often used to create exploit kits and the management consoles that administer attacks.

Q: Which tool scans a visitor’s software for vulnerabilities once they reach a malicious site?
A: An exploit kit, which examines the operating system, Java, Flash Player, and other software for known vulnerabilities.

Q: What feature does an exploit kit typically provide to attackers to manage their campaigns?
A: A management console, allowing attackers to control and monitor the deployment of exploits.
Q: After identifying a vulnerability, what does the exploit kit server do next?
A: It downloads malicious code specifically crafted to exploit the identified vulnerability on the victim’s computer.

Q: Once the victim’s computer is compromised, to which type of server does it connect to download additional malicious software?
A: A malware server, from which it retrieves a payload such as malware or file download services for further infections.

Q: What occurs on the victim’s system after the final malware payload is downloaded?
A: The final malware package is executed, completing the compromise of the victim’s computer.

Q: What ultimate goal does a threat actor pursue through web-based attacks involving compromised or malicious web pages?
A: To guide the victim’s web browser onto the attacker's web page, where malicious exploits are delivered.

Q: Which browser components are often targeted by malicious websites to compromise a client system?
A: Vulnerable plugins and browser vulnerabilities are key targets for attackers aiming to exploit client systems.

Q: Which network device is used in larger organizations to inspect downloaded files for malware?
A: An Intrusion Detection System (IDS), which scans downloaded content for signs of malware.

Q: Which files are created by an IDS after detecting malicious downloads, allowing security analysts to review incidents later?
A: Log files, documenting the details of malware detection events for future investigation.

Q: What is the common behavior of compromised websites in the early stages of a web attack?
A: They redirect users, sometimes through multiple layers of compromised servers, toward a malicious site hosting an exploit.

Q: What restriction exists for sending 1xx informational responses to HTTP clients?
A: Servers must not send 1xx responses to an HTTP/1.0 client except under experimental conditions.

Q: Which type of server connection status code class provides a provisional response, consisting only of a Status-Line and optional headers?
A: Informational 1xx, used as a provisional response, typically terminated by an empty line with no required headers.

Q: What risk should a client detect when encountering repeated 3xx redirection codes?
A: Infinite redirection loops, which generate unnecessary network traffic for each redirection.

Q: What does a 3xx server connection status code represent?
A: Redirection, meaning further action is needed by the client to complete the request.

Q: Which server connection status code class indicates that a client's request was successfully received, understood, and accepted?
A: Successful 2xx, showing the client’s request was properly handled by the server.

Q: Which server connection status code class signals that the client appears to have made an error?
A: Client Error 4xx, indicating problems originating from the client’s request.

Q: When responding with a 4xx client error, what should the server include (except for HEAD requests)?
A: An entity explaining the error situation, which user agents should display to users.

Q: Which server connection status code class is used when the server itself has encountered an error or cannot fulfill a request?
A: Server Error 5xx, used when the server admits it has failed or cannot process the request.

Q: What should the server include when sending a 5xx server error response (except for HEAD requests)?
A: An explanatory entity describing the error, intended to be displayed by user agents.

Q: What type of server data is often used to reveal the nature of a scan or attack on a web server?
A: Server connection logs, which can show information based on the status codes returned.

Q: What type of security solution, such as Cisco Cloud Web Security, is recommended to block access to malicious websites?
A: A web proxy, which filters web traffic to prevent connections to harmful sites.

Q: Which project offers a set of best practices for securely developing web applications?
A: The Open Web Application Security Project (OWASP), providing development guidelines.

Q: Name two specific Cisco web security products mentioned as examples of web proxies.
A: Cisco Cloud Web Security and Cisco Web Security Appliance.

Q: What is a common tactic threat actors use when compromising a web server with a malicious iFrame?
A: They modify the web pages to include HTML code that links to the threat actor’s own malicious server.

Q: What document produced by OWASP helps organizations identify and mitigate common web application vulnerabilities?
A: The OWASP Top 10 Web Application Security Risks list.

Q: How do malicious iFrames make detection difficult for users?
A: The loaded iFrame may be as small as a few pixels, making it nearly invisible to users.

Q: Which HTML element allows a browser to load another web page from a different source and is often exploited by threat actors?
A: An inline frame (iFrame), an HTML element that can load external web pages and is often abused in malicious attacks.

Q: Why should web developers avoid using iFrames according to security best practices?
A: Avoiding iFrames isolates third-party content, making it easier to detect modified or compromised web pages.

Q: Which service is specifically mentioned as a way to prevent users from accessing known malicious websites?
A: Cisco Umbrella, a service that blocks navigation to harmful domains.

Q: Which tool is recommended to block access to malicious sites and help defend against iFrame attacks?
A: A web proxy, which can filter and block access to known malicious web destinations.

Q: What types of malicious content are commonly delivered through hidden iFrames?
A: Spam advertising, exploit kits, and various forms of malware.

Q: Which HTTP status code is used by threat actors in a 302 cushioning attack?
A: The 302 Found status code, used to redirect the browser to a new location.

Q: Where does the browser find the new URL after receiving a 302 Found response from the server?
A: In the location field of the server’s response header.

Q: What legitimate purpose does the HTTP 302 Found status code serve?
A: It redirects clients to a new URL when web content has moved, allowing old links and bookmarks to continue functioning.

Q: How do threat actors exploit legitimate HTTP functions during a 302 cushioning attack?
A: They use standard HTTP redirection to repeatedly redirect the browser until it reaches a malicious exploit page.

Q: Which tool is again recommended to defend against HTTP 302 cushioning attacks by filtering malicious destinations?
A: A web proxy, used to block suspicious and harmful sites before the browser connects.

Q: Why can HTTP 302 cushioning attacks be hard to detect on a network?
A: Because legitimate HTTP redirects are common and often indistinguishable from malicious ones without close inspection.

Q: What is a potential behavior pattern of a browser during a 302 cushioning attack?
A: It is repeatedly redirected through multiple servers until landing on a malicious page containing an exploit.

Q: Why is domain shadowing particularly persistent and difficult to eliminate once detected?
A: Because attackers can continuously create new subdomains from the parent domain even after earlier ones are blacklisted.

Q: Which HTTP tactic is often used alongside domain shadowing to redirect a victim’s browser to malicious sites?
A: HTTP 302 cushioning, which uses repeated HTTP redirects to guide the browser through multiple malicious locations.

Q: Besides strong authentication, what administrative practice helps detect unauthorized subdomains in domain shadowing attacks?
A: Domain owners should regularly validate their registration accounts and check for any unauthorized subdomains.

Q: In an attachment-based email attack, how do threat actors make malicious emails more convincing to victims?
A: By tailoring the email and attachment to a specific business vertical, making it appear highly legitimate.

Q: What type of attack involves embedding malicious content into seemingly legitimate business files sent via email?
A: Attachment-based attacks, where threat actors disguise malware inside files like IT department emails.

Q: Why has the rise of accessing email on different devices increased the threat of malware?
A: Because many devices accessing email are outside the company firewall and use HTML, allowing more sophisticated attacks.

Q: Which email attack involves forging the sender’s address to trick users into revealing sensitive information?
A: Email spoofing, where the sender appears legitimate, often imitating trusted organizations like banks.

Q: In an email spoofing attack, what specific tactic makes the malicious email more likely to be trusted and opened?
A: Using identical branding, such as logos, that users recognize from legitimate previous communications.

Q: What type of email threat involves sending unsolicited advertisements or malware attachments to large numbers of users?
A: Spam email, typically aiming to provoke a response that confirms the email address is active.

Q: Why is responding to a spam email dangerous even if it seems harmless?
A: Because replying confirms to the threat actor that the email address is valid and actively monitored.

Q: Which vulnerable system allows threat actors to send large volumes of spam by misusing corporate servers?
A: An open mail relay server, where anyone can send email without authentication.

Q: Why should corporate email servers never be configured as open mail relays?
A: Because they allow spammers and worms to send massive volumes of unsolicited email through the server.

Q: In the context of email threats, what are homoglyphs?
A: Characters that appear visually similar, like 'O' (capital O) and '0' (zero), used to deceive users.

Q: How are homoglyphs used by threat actors in phishing attacks?
A: They create URLs or email addresses that look nearly identical to legitimate ones but lead to malicious sites.

Q: What email attack exploits the similarity between lowercase “l” and the number “1” to create convincing fake links?
A: Homoglyph attacks, which rely on small, hard-to-spot visual differences in text characters.

Q: Which security appliance can detect and block email-based threats such as phishing, spam, and malware?
A: Cisco Email Security Appliance.

Q: Which attack involves injecting PHP or other code into insecure input fields on a server page due to insufficient input validation?
A: Code injection attack.

Q: What security weakness do threat actors exploit when using an SMTP server configured without proper restrictions?
A: An open mail relay, which permits unauthenticated users to send emails and facilitates widespread spam.

Q: What type of database do web applications commonly connect to for data access, making them frequent attack targets?
A: Relational databases.

Q: Which database attack involves inserting malicious SQL queries through user input to read or modify sensitive database data?
A: SQL injection.

Q: What language do threat actors exploit during SQL injection attacks to manipulate databases?
A: SQL (Structured Query Language).

Q: What type of attack occurs when a threat actor executes commands on a web server’s OS through a vulnerable web application input field?
A: Code injection.

Q: Besides reading sensitive data, what are two other actions a successful SQL injection attack can allow on a database?
A: Modify database data and execute administrative operations.

Q: What essential defense prevents SQL injection attacks by ensuring user input is strictly verified?
A: Strict input data validation.

Q: After detecting an SQL injection, what two things should a security analyst immediately determine?
A: The user ID used by the threat actor and the information or access obtained.

Q: In an XSS attack, which two scripting languages are commonly used to create malicious scripts that target client browsers?
A: JavaScript and Visual Basic.

Q: What is the main cause that allows both SQL injection and Cross-Site Scripting (XSS) attacks to succeed on a trusted web application?
A: Lack of input validation.

Q: Which type of XSS attack uses a malicious link that users must click to become infected, without permanent storage on the server?
A: Reflected (non-persistent) XSS.

Q: Which type of XSS attack stores the malicious script permanently on the infected server for all visitors to encounter?
A: Stored (persistent) XSS.

Q: Which countermeasure can detect and prevent malicious scripts that are attempting Cross-Site Scripting attacks?
A: Intrusion Prevention System (IPS).

Q: Which attack injects malicious scripts into web pages that execute on a user's browser to steal information or spread malware?
A: Cross-Site Scripting (XSS).

Q: What service can be used to prevent users from navigating to websites known to host malicious scripts used in XSS attacks?
A: Cisco Umbrella.

Q: What is the first step in securing a network according to best practices?
A: Develop a written security policy for the company.

Q: Which method should be used during interactions like phone calls, emails, or in-person communications to prevent social engineering?
A: Develop strategies to validate identities.

Q: What is one important physical security measure for network defense?
A: Control physical access to systems.

Q: What should be done regularly to prevent unauthorized access to sensitive data?
A: Use strong passwords and change them often.

Q: Which devices and software should be used to secure a network according to best practices? (4)
A: Firewalls, intrusion prevention systems (IPS), VPN devices, and antivirus software.

Q: Which security measures should be implemented to protect sensitive data?
A: Encrypt and password-protect sensitive data.

Q: Why should regular backups be performed and tested?
A: To ensure data recovery in case of an incident.

Q: What is an effective way to limit network exposure and reduce potential attack surfaces?
A: Shut down unnecessary services and ports.

Q: Why are security audits important for a network?
A: To test and assess the network's security posture.

Q: What is the best practice for keeping a network secure against attacks like buffer overflow and privilege escalation?
A: Keep patches up-to-date by installing them regularly.

Q: What is one of the primary ways to mitigate virus and Trojan horse attacks on networks?
A: Using antivirus software.

Q: What is the first phase in responding to a worm attack?
A: Containment.

Q: What is the primary goal of the containment phase in worm mitigation?
A: To limit the spread of the worm infection to already affected areas of the network.

Q: What network security measures are used during the containment phase?
A: Using both outgoing and incoming ACLs on routers and firewalls at control points within the network.

Q: What is the main objective of the quarantine phase during a worm attack?
A: To track down and isolate infected machines within the contained areas.

Q: What is the treatment phase focused on during worm mitigation?
A: Disinfecting infected systems by terminating the worm process, removing modified files, and patching vulnerabilities.

Q: In severe cases, what might be required to fully remove a worm and its by-products from a system?
A: Reinstalling the system to ensure complete removal.

Q: In the quarantine phase, what actions are taken to handle infected systems?
A: Infected systems are disconnected, blocked, or removed from the network.

Q: What are reconnaissance attacks typically a precursor to?
A: Other attacks aimed at gaining unauthorized access to a network or disrupting its functionality.

Q: Which device supports network-based intrusion prevention, in addition to ASA, for mitigating reconnaissance attacks?
A: Cisco Integrated Services Routers (ISR).

Q: Which Cisco device provides intrusion prevention in a standalone device for detecting reconnaissance attacks?
Cisco’s Adaptive Security Appliance (ASA).
75
What is one of the most common parameters that can trigger an alarm for a reconnaissance attack?
The number of ICMP requests per second.
76
What is one method of mitigating reconnaissance attacks involving sniffing?
Using anti-sniffer tools to detect packet sniffer attacks.
76
How does encryption help mitigate packet sniffer attacks?
Encryption makes the captured data unreadable, rendering packet sniffers useless.
76
What network configuration can be used to stop ping sweeps in reconnaissance attacks?
Turning off ICMP echo and echo-reply on edge routers, though it will also stop network diagnostic data.
77
What are the basic characteristics of a strong password?
At least eight characters, containing uppercase letters, lowercase letters, numbers, and special characters.
77
What is the focus of the inoculation phase in worm mitigation?
Patching all uninfected systems with the appropriate vendor patch to deprive the worm of available targets.
77
What security measure can be implemented to prevent brute-force login attempts in access attacks?
Disabling accounts after a specified number of unsuccessful login attempts.
77
How does cryptography help mitigate access attacks?
By encrypting remote access, reducing opportunities for man-in-the-middle attacks.
77
What two methods of verification are commonly used in multifactor authentication (MFA)?
A password combined with a one-time code sent via text message or a token generated by software or a separate device.
78
How can access attacks be detected on a network?
By reviewing logs.
78
What should network security policies specify regarding logs?
Logs should be formally maintained for all network devices and servers to monitor and detect unusual activity.
79
What does the principle of minimum trust in network design entail?
Systems should not trust each other unnecessarily, especially if one system is untrusted.
79
What was a common characteristic of many historical DoS attacks?
They were sourced from spoofed addresses.
79
What type of analysis can help detect unusual patterns indicating a DoS attack?
Network behavior analysis.
79
Why could a DoS attack compromise network devices like routers?
The packet-per-second capacity of a router could be exceeded, affecting the target system and the network devices the traffic passes through.
79
Which Cisco technologies help protect against spoofed addresses in DoS attacks? (2)
Port security and access control lists (ACLs).
79
What is one of the first signs of a Denial of Service (DoS) attack?
A large number of user complaints about unavailable resources or unusually slow network performance.
80
What type of attack occurs when data goes beyond the memory areas allocated to an application?
Buffer overflow.