Security+ 6 Flashcards
The null session attack is a type of exploit that makes unauthenticated NetBIOS connections to a target computer. The attack uses ports 139 and 445, which are the NetBIOS session port and the Server Message Block (SMB) port, respectively. If successful, an attacker could find user IDs, share names, and various settings and could possibly gain access to files, folders, and other resources. To protect against this attack, computers should be updated as soon as possible. However, the best way to defend against this attack is to filter out traffic on ports 139 and 445 with a firewall or a host-based intrusion prevention system. When a firewall is enabled, ports 139 and 445 will not appear to exist.
Null Session Attack …
DNS Poisoning Mitigation : This attack can be countered by using Transport Layer Security (TLS) and digital signatures or by using Secure DNS (DNSSEC), which uses encrypted electronic signatures when passing DNS information, and finally, by patching the DNS server. You might use a Transaction Signature (TSIG) to provide authentication for DNS database updates. This protocol uses shared secret keys and one-way hashing to provide security.
info …
domain name kiting (or simply domain kiting) is the process of deleting a domain name during the five-day grace period (known as the add grace period, or AGP) and immediately reregistering it for another five-day period. This process is repeated any number of times with the end result of having the domain registered without ever actually paying for it.
domain name kiting …
ARP poisoning is an attack that exploits Ethernet networks, and it may enable an attacker to sniff frames of information, modify that information, or stop it from getting to its intended destination. The spoofed frames of data contain a false source MAC address, which deceives other devices on the network. The idea behind this is to associate the attacker’s MAC address with an IP address of another device, such as a default gateway or router, so that any traffic that would normally go to the gateway would end up at the attacker’s computer. The attacker could then perpetuate a man-in-the-middle attack, or a denial-of-service attack, in addition to MAC flooding. Some of the defenses for ARP poisoning include VLAN segregation/VLAN separation (creating multiple virtual LANs in an effort to thwart the attack), DHCP snooping, and an open source program called ArpON.
ARP poisoning …
Altered Hosts File : when attacker attempts to hijack hosts file and have client bypass DNS server or access incorrect websites; solve by change permission on hosts file to read only.
Unauthorized Zone Transfers : unauthorized transfer of DNS info from DNS server; solve by : Log the DNS server, restrict and audit DNS server.
Most often, a proxy server is implemented as a forward proxy. This means that clients looking for websites, or files via an FTP connection, pass their requests through to the proxy. However, there is also a reverse proxy, where multiple HTTP or FTP servers use a proxy server and send out content to one or more clients.
info …
Web security gateways (such as Forcepoint, previously known as Websense) act as go-between devices that scan for viruses, filter content, and act as data loss prevention (DLP) devices. This type of content inspection/content filtering is accomplished by actively monitoring the users’ data streams in search of malicious code, bad behavior, or confidential data that should not be leaked outside the network.
In network-based DLP, systems deal with data in motion and are usually located on the perimeter of the network. If data is classified in an organization’s policy as confidential and not to be read by outsiders, the DLP system detects it and prevents it from leaving the network.
info …
NIDS installed should have a network adapter configured to work in promiscuous mode. This passes all traffic to the CPU, not just the frames addressed to it. A couple of disadvantages of a NIDS, aside from possible network performance issues, are that it might not be able to read encrypted packets of information and will not detect problems that occur on an individual computer. So have combo of HIDS and NIDS and NIPS.
info …
Vertical privilege escalation: When a lower privileged user accesses functions reserved for higher privileged users; for example, if a standard user can access functions of an administrator. This is also known as privilege elevation and is the most common description. To protect against this, update the network device firmware. In the case of an operating system, it should again be updated, and usage of some type of access control system is also advisable; for example, User Account Control (UAC).
Horizontal privilege escalation: When a normal user accesses functions or content reserved for other normal users; for example, if one user reads another’s e-mail. This can be done through hacking or by a person walking over to other people’s computers and simply reading their e-mail. Always lock PC when away from it.
privilege escalation …
Crosstalk is when a signal transmitted on one copper wire creates an undesired effect on another wire; the signal “bleeds” over, so to speak. This first occurred when telephone lines were placed in close proximity to each other. Because the phone lines were so close, the signal could jump from one line to the next intermittently. If you have ever heard another conversation while talking on your home phone (not cell phones mind you) you have been the victim of crosstalk. Use twisted-pair cable to combat this, but NEXT is when measured interference occurs between two pairs in a single cable, measured on the cable end nearest the transmitter. FEXT is when like interference occurs but is measured at the cable end farthest from the transmitter. If still a problem use STP.
Crosstalk …
Data emanation (or signal emanation) is the electromagnetic (EM) field generated by a network cable or network device, which can be manipulated to eavesdrop on conversations or to steal data.
TEMPEST refers to the investigations of conducted emissions from electrical and mechanical devices, which could be compromising to an organization.
info …
