Network Security Concepts Flashcards

(47 cards)

1
Q

CIA Triad

A
  1. Confidentiality: Ensures only authorized individuals can access information.
  2. Integrity: ensures data is not altered and is accurate.
  3. Availability: Ensures authorized users can access information and systems.
2
Q

Checksum

A

A checksum is a small piece of data—usually a number—that is generated from a larger set of data (like a file or message) using a mathematical algorithm. It’s used to detect errors in data, especially during transmission or storage.

3
Q

Data Sovereignty

A

A country’s right to control data within its borders.

4
Q

Mission Essential Functions (MEFs)

A

Tasks the business must perform that are too critical to be deferred.

5
Q

Business Impact Analysis (BIA)

A

Estimates the cost of disruptions (e.g., from a DoS attack).

6
Q

Data locality

A

Ensures data is stored and processed only in specific geographic regions.

7
Q

Payment Card Industry Data Security Standard (PCI DSS)

A

The information security standard for organizations that process credit or bank card payments.

8
Q

General Data Protection Regulation (GDPR)

A

Provisions and requirements protecting the personal data of European Union (EU) citizens.

9
Q

Encryption Algorithm

A

Scrambling the characters used in a message so that the message can be seen but not understood or modified unless it can be deciphered.

10
Q

Exploit

A
  • The method or code used to take advantage of a vulnerability.
11
Q

0 Day Vulnerability

A

Vulnerability in software that is unpatched by the developer or an attack that exploits such a vulnerability.

12
Q

Vulnerability Assessment

A

Evaluation of a system’s security and ability to meet compliance requirements based on the configuration state of the system, as represented by information collected from the system. Also called vulnerability testing.

13
Q

Honeypot/Honeynet

A

Honeypots and honeynets are cybersecurity tools used to detect, mislead, and analyze attackers by creating fake systems that appear real.

14
Q

Threat Research

A

A counterintelligence gathering effort in which security companies and researchers attempt to discover the tactics, techniques, and procedures (TTPs) of threat actors.

15
Q

Three Types of Threat Research

A
  1. Behavioral threat research—Narrative commentary describing examples of attacks and TTPs gathered through primary research sources.
  2. Reputational threat intelligence—Lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware.
  3. Threat data—Computer data that can correlate events observed on a customer’s own networks and logs with known TTP and threat actor indicators.
16
Q

Footprinting

A

Footprinting allows a threat actor to discover the topology and general configuration of the network and security systems.

17
Q

Fingerprinting

A

Fingerprinting allows a threat actor to identify device and OS types and versions.

18
Q

Phishing

A

A fraudulent attempt to get users to click a malicious link or open an attachment by pretending to be a trustworthy entity (like a bank or employer).
Usually delivered through:
- Email (most common)
- Text message (smishing)
- Phone calls (vishing)
- Fake websites

19
Q

Pharming

A

A more technical attack that redirects users to a fake website, even if they type the correct URL.
How it works:
- DNS poisoning: The attacker corrupts the DNS server or local DNS cache, so when you try to visit a real website, you are silently redirected to a malicious clone.
- Hosts file modification: The attacker changes your computer’s configuration to redirect traffic.

20
Q

Denial of Service (DoS) Attack

A

Attack causes a service at a given host to fail or to become unavailable to legitimate users.

21
Q

Distributed Denial of Service

A

An attack launched by multiple systems simultaneously to flood a target network or system.

22
Q

Distributed Reflection DoS

A

An enhanced DDoS attack that uses third-party servers to reflect and amplify traffic back to the victim.
- Attacker spoofs the victim’s IP address in requests to legitimate servers.
- Those servers respond to the victim, thinking the requests are real.
- The response is often much larger than the original request (amplification).

23
Q

Fileless Malware

A

Uses lightweight shellcode that resides in memory. Often initiated via scripts, malicious attachments, or Trojans.

24
Q

Common behaviors and techniques of Fileless Malware

A
  1. Does not write its code to disk. The malware uses memory-resident techniques to run its own process.
  2. It uses lightweight shellcode to achieve a backdoor mechanism on the host.
  3. Fileless malware may use “living off the land” techniques rather than compiled code, which means the malware uses legitimate system scripting tools such as PowerShell and Windows Management Instrumentation (WMI).
25
Q

Advanced Persistent Threat (APT)

A

A long-term, stealthy cyberattack in which attackers infiltrate a network and remain undetected for months or years; often state sponsored.

26
Q

Advanced Volatile Threat (AVT)

A

Similar to an APT, but focuses on volatile (in-memory) attack methods that leave little to no trace on disk.

27
Q

Low Observable Characteristics (LOC)

A

LOC attacks focus on being invisible or very hard to detect by mimicking normal system behavior.

28
Q

On-Path Attack

A

The attacker sits between two hosts and intercepts or alters traffic without either host knowing.

29
Q

MAC and IP Spoofing

A

A host can arbitrarily select any MAC and/or IP address and attempt to use it on the network. While each network interface has a burned-in MAC address, this can be changed to any arbitrary value using packet crafting software. A threat actor might exploit this to spoof the value of a valid MAC or IP address to try to circumvent an access control list or impersonate a legitimate server. For this type of attack to succeed, the threat actor must normally disable the legitimate host; otherwise there will be duplicate addresses on the network, which will have unpredictable results.

30
Q

ARP Spoofing/Poisoning

A

- ARP (Address Resolution Protocol) is insecure and trust-based.
- Attackers send fake ARP replies (gratuitous ARP) with spoofed MAC/IP addresses.
- Victim devices update their ARP caches, trusting the spoofed information.
- Often targets the default gateway, so traffic is misrouted through the attacker.

31
Q

Nmap

A

Nmap (short for Network Mapper) is a free, open-source tool used for network discovery, security auditing, and troubleshooting. It is one of the most widely used tools by system administrators, penetration testers, and cybersecurity professionals.
32
Q

MAC Flooding

A

An attack in which the switch is bombarded with fake MAC addresses.

33
Q

MAC Spoofing

A

The attacker tries to change the original MAC address of a network interface.

34
Q

VLAN Hopping Attack

A

Exploiting a misconfiguration to direct traffic to a different VLAN without authorization.

35
Q

Double-Tagging Attack

A

- The attacker puts two VLAN tags on the data packet.
- The first switch removes the outer tag (thinking it is on the correct VLAN).
- The inner tag is then read by the next switch, which sends the packet into a different VLAN.

36
Q

Switch Spoofing

A

- The attacker makes their computer pretend to be a switch.
- They use trunking protocols (like DTP or 802.1Q) to make the real switch think it is connecting to another switch.
- Once this happens, the attacker receives traffic from all VLANs that the switch sends over the trunk link.

37
Q

STP Manipulation

A

- STP prevents network loops by choosing a “root bridge” switch to control traffic paths.
- An attacker can plug in a fake switch and trick the network into thinking their device is the root bridge.
- Once they become the root, network traffic flows through their device.
- This lets them intercept and capture a lot of sensitive data using a packet sniffer.

38
Q

Rogue Device/Service

A

A rogue device or service is any device or application that connects to a network without the knowledge or approval of IT staff.

39
Q

Shadow IT

A

Computer hardware, software, or services used on a private network without authorization from the system owner.

40
Q

Rogue DHCP Server

A

A rogue DHCP server is an unauthorized device providing IP leases.
- Can be created accidentally (e.g., leaving DHCP enabled on a router or access point).
- Can be used maliciously to:
  - Assign fake default gateways or DNS servers
  - Intercept or redirect traffic through the attacker’s machine (on-path attack)
  - Cause clients to lose connectivity or access the wrong network resources
41
Q

DHCP Starvation Attack

A

A DHCP starvation attack floods the legitimate DHCP server with fake requests, quickly exhausting its IP address pool.

42
Q

Typosquatting

A

Malicious sites mimicking real ones using common typos like "gogle.com".

43
Q

DNS Hijacking/Poisoning

A

An attack in which a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker's choosing.

44
Q

DNS-Based On-Path Attacks

A

The attacker must be on the same LAN as the victim. The attacker can use ARP poisoning to respond to DNS queries from the victim with spoofed replies. A rogue DHCP server could be used to configure clients with the address of a DNS resolver controlled by the threat actor.

45
Q

DNS Client Cache Poisoning

A

DNS client cache poisoning is a type of DNS poisoning attack that specifically targets the DNS cache on a user's local machine (the client) instead of a DNS server. The goal is the same: redirect the user to a malicious site by corrupting the domain name resolution process. The local hosts file is at `%SystemRoot%\System32\Drivers\etc\hosts` on Windows and `/etc/hosts` on Linux/Unix.

46
Q

DNS Server Cache Poisoning

A

DNS server cache poisoning (also called DNS spoofing) is when an attacker injects false DNS records into a DNS server’s cache. This causes many users who rely on that DNS server to be redirected to malicious websites, even if they type in the correct domain.