Cyber Security Flashcards

Access Control

Controlling access to resources on a computer or network system: deciding which subjects (users, processes) may read, write or execute which objects (files, services, devices).

MAC

In Mandatory Access Control (MAC) models the system enforces a policy defined by an administrator, typically through security labels (classification levels) attached to subjects and objects. Users and resource owners cannot modify the policy. Used where confidentiality matters most.

DAC

Discretionary Access Control (DAC): a subject has full control over the objects it owns and can grant access to other subjects at its own discretion. Programs executed by a user run with the same permissions as that user, so malware launched by a user can do anything the user can.

RBAC

In Role-Based Access Control (RBAC) models an administrator defines a set of roles and assigns them to subjects. Different roles can exist for system processes and for ordinary users. Objects are assigned a type, and subjects holding a given role are granted access to objects of that type. Permissions follow the role rather than the individual, which simplifies onboarding and offboarding.

RB-RBAC

Rule-Based Role-Based Access Control (RB-RBAC). Dynamically assigns roles to subjects based on their attributes and a set of rules defined by a security policy, instead of by explicit administrator assignment.

Identification

Telling the system who you are (e.g. supplying a username). Identification is only a claim; it is not proven until authentication.

Authentication

The process of proving to a system that you are who you claim to be. Factors:
- Something you know (e.g. a password or PIN)
- Something you have (e.g. a smart card or hardware token)
- Something you are (e.g. a fingerprint, handwriting, voice pattern)
Multi-factor authentication: two or more factors of different types used together. A password plus a second password is still a single factor.

Password guessing/Brute-force attacks

An attacker, or an automated password-cracking tool, tries candidate passwords until one is accepted. A dictionary attack tries likely words first; a brute-force attack tries every combination. Account lockout, rate limiting and long passwords are the defenses.

Password aging

A policy that forces passwords to expire after a set period. Rationale: the longer a password is in use, the greater the chance it has been disclosed (shoulder-surfed, sniffed, or cracked offline).

Cognitive passwords

Passwords built from personal facts or common words: your mother's maiden name, 'matrix', 'qwerty'. A person or cracking tool guessing a password will typically start with exactly these common words and personal details, so they are weak choices.

CHAP

The Challenge Handshake Authentication Protocol (CHAP) is an authentication protocol used primarily for remote access PPP connections. It replaced the Password Authentication Protocol (PAP), which sent the password in clear text. When a client wants to log on, the server sends a random challenge; the client replies with a response that is a one-way hash (MD5) over the identifier, the shared secret (the password) and the challenge. The password itself never crosses the wire, and because the challenge is fresh each time a captured response cannot be replayed. An eavesdropper who records a challenge/response pair can still mount an offline brute-force or dictionary attack against the password.
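Worked example (added here; not part of the original flashcards): the CHAP exchange of RFC 1994 in Python, with the server's fresh challenge, the client's MD5 response, the server's verification, a replay attempt that fails, and the offline dictionary attack the card warns about. The shared secret and the wordlist are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed values for the demonstration (not from the page):
# the PPP peer's shared secret and a small attacker wordlist.
SECRET = b"tr0ub4dor"
WORDLIST = [b"password", b"letmein", b"qwerty", b"matrix", b"tr0ub4dor"]


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def server_challenge() -> bytes:
    """Server side: a fresh random challenge for every attempt. This is what defeats replay."""
    return os.urandom(16)


def server_verify(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the expected response from its own copy of the secret and compares."""
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)


def offline_dictionary_attack(ident: int, challenge: bytes, response: bytes, wordlist):
    """An eavesdropper who captured (identifier, challenge, response) tests guesses offline,
    with no rate limit and no lockout, until one reproduces the captured response."""
    for guess in wordlist:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None


def run_exchange(ident: int = 1, secret: bytes = SECRET):
    """One CHAP logon plus the two attacks: a replay (fails) and a dictionary attack (succeeds)."""
    challenge = server_challenge()
    response = chap_response(ident, secret, challenge)            # client -> server
    accepted = server_verify(ident, secret, challenge, response)  # server decision

    # Replay: the same captured response against the server's next challenge.
    replayed = server_verify(ident, secret, server_challenge(), response)

    # Offline guessing against the captured pair: this is the weakness the card mentions.
    recovered = offline_dictionary_attack(ident, challenge, response, WORDLIST)
    return accepted, replayed, recovered


if __name__ == "__main__":
    print(run_exchange())
```

The server must store the secret in a form it can hash with, i.e. the clear-text password, which is a second reason CHAP is only as strong as the secrecy of the password database.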

Certificate

An electronic document that binds a public key to an identity (a user, organization or host) and is digitally signed by a Certification Authority. Certificate-based authentication proves possession of the corresponding private key and is far more resistant to brute-force or dictionary attacks and password guessing than username/password authentication.

Certification Authority (CA)

Issues certificates to entities such as users, organizations, web sites and other CAs. As long as the CA is trustworthy and its signing key is protected, the certificates it issues (and the key/entity binding in them) can be trusted as well.

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security)

A mutual, certificate-based authentication method: both the client and the server prove their identities to each other. During EAP-TLS authentication the remote access client presents its user (or machine) certificate and the remote access server presents its server certificate, and each side verifies the other's certificate chain.

Kerberos (Authentication)

A fairly secure, but also complex and comprehensive, authentication system. Kerberos version 5 is the default authentication protocol in Windows domains. There are three primary elements in a Kerberos system:
- Client: the Kerberos client application representing a principal (a user, computer or software service).
- Target server: provides the service the client wants to access.
- Key Distribution Center (KDC): holds every principal's long-term key and handles the distribution of session keys and tickets.

Kerberos Process

- Authentication Service (AS) Exchange: when the client logs on, the KDC verifies the client's pre-authentication data (a timestamp encrypted with the key derived from the user's password) and issues a logon session key and a Ticket-Granting Ticket (TGT). The TGT is encrypted with the KDC's own key, so the client can neither read nor alter it.
- Ticket-Granting Service (TGS) Exchange: the client presents the TGT plus an authenticator encrypted with the logon session key, and requests a new session key and a service ticket for the target server.
- Client-Server (CS) Exchange: the client sends the service ticket (which carries the new session key, encrypted with the target server's long-term key) to the target server, together with an authenticator, to authenticate itself and to deliver the session key. Optionally the target server uses the new session key to authenticate itself to the client (mutual authentication).
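Worked example (added here; not the flashcards' own material) modelling the three exchanges above in Python. The KDC, principal names, password and the seal()/unseal() cipher are all constructed for the demonstration: seal()/unseal() is a toy encrypt-then-MAC stand-in for Kerberos' real encryption types, not a cipher to reuse. What it shows is the structure the card describes: the client never sees the krbtgt or service keys, each ticket is opaque to whoever carries it, a wrong password fails at the AS exchange, and the service proves itself back to the client.

```python
import hashlib
import hmac
import json
import os
import time

# Toy stand-in for Kerberos' encryption types (AES, RC4): SHA-256 in counter mode as a
# keystream plus an HMAC-SHA-256 tag (encrypt-then-MAC). Illustrative only.

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> str:
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()

def unseal(key: bytes, blob_hex: str) -> dict:
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("decryption failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def password_key(password: str) -> bytes:
    """The client's long-term key is derived from its password (toy derivation, not Kerberos')."""
    return hashlib.sha256(b"krb5:" + password.encode()).digest()

MAX_SKEW = 300  # seconds; Kerberos rejects stale timestamps to limit replay

class KDC:
    """Holds every principal's long-term key. 'krbtgt' is the KDC's own ticket-granting key."""
    def __init__(self):
        self.keys = {"alice": password_key("correct horse"),
                     "krbtgt": os.urandom(32), "fileserver": os.urandom(32)}

    def as_exchange(self, client: str, preauth: str) -> str:
        """AS-REQ/AS-REP. Pre-authentication = timestamp sealed with the client's key; unseal()
        raises here if the password was wrong. Returns {logon_key, tgt} sealed for the client."""
        if abs(time.time() - unseal(self.keys[client], preauth)["ts"]) > MAX_SKEW:
            raise ValueError("clock skew too large")
        logon_key = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": logon_key})  # opaque to client
        return seal(self.keys[client], {"logon_key": logon_key, "tgt": tgt})

    def tgs_exchange(self, tgt: str, authenticator: str, service: str) -> str:
        """TGS-REQ/TGS-REP. The TGT proves the KDC issued the logon key; the authenticator
        (sealed with that key) proves the requester holds it. Issues a ticket for `service`."""
        t = unseal(self.keys["krbtgt"], tgt)
        if unseal(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        service_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": service_key})
        return seal(bytes.fromhex(t["key"]), {"service_key": service_key, "ticket": ticket})

def service_accept(service_long_term_key: bytes, ticket: str, authenticator: str) -> str:
    """AP-REQ/AP-REP at the target server. The ticket is opened with the server's own key,
    which the client never had; the authenticator proves the client holds the session key.
    The server returns the client's timestamp under the session key: mutual authentication."""
    t = unseal(service_long_term_key, ticket)
    session_key = bytes.fromhex(t["key"])
    auth = unseal(session_key, authenticator)
    if auth["client"] != t["client"]:
        raise ValueError("authenticator mismatch")
    return seal(session_key, {"ts": auth["ts"]})

def client_logon(kdc: KDC, user: str, password: str, service: str = "fileserver") -> bool:
    """Runs all three exchanges for `user`; True if the service also proved itself to the client."""
    k = password_key(password)
    as_rep = unseal(k, kdc.as_exchange(user, seal(k, {"ts": time.time()})))
    logon_key = bytes.fromhex(as_rep["logon_key"])
    tgs_rep = unseal(logon_key, kdc.tgs_exchange(
        as_rep["tgt"], seal(logon_key, {"client": user, "ts": time.time()}), service))
    session_key = bytes.fromhex(tgs_rep["service_key"])
    ts = time.time()
    # kdc.keys[service] stands in for the key the service keeps in its own keytab.
    ap_rep = service_accept(kdc.keys[service], tgs_rep["ticket"],
                            seal(session_key, {"client": user, "ts": ts}))
    return unseal(session_key, ap_rep)["ts"] == ts
```

Note the two copies of each session key: one sealed for the client, one inside the ticket sealed for the KDC (TGT) or the service. That is how the KDC distributes a key to two parties without either party's long-term key ever leaving its owner.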

Single Sign On (SSO)

Allows a user to log on only once and then access all the different resources in the network (e-mail, file servers, intranet, etc.) without re-entering credentials. Kerberos provides SSO: the TGT is used to obtain service tickets silently.

Mutual authentication

A client authenticates to a service, and the service authenticates to the client, before any application traffic is exchanged. Can be implemented with simple challenge/response protocols or more advanced solutions such as Kerberos. In SSL/TLS it requires client certificates; a typical HTTPS connection authenticates only the server.

Biometrics

A type of authentication that uses physiological characteristics (fingerprint, palm, retina, iris, face) or behavioral ones (voice, handwriting) to authenticate a user: "something you are". Very hard to share or guess, but it requires substantial storage and processing power and controlled enrolment conditions, and it always has an error rate (see False Accept Rate and False Reject Rate). Unlike a password, a compromised biometric cannot be changed.

False Accept Rate

Measures the likelihood that an impostor (a user claiming a false identity) is accepted by the system. This is the security-relevant error.

False Reject Rate

Measures the likelihood that the system incorrectly denies a legitimate user. This is the usability error. Raising the matching threshold lowers FAR but raises FRR; the threshold where the two are equal gives the Crossover Error Rate (CER), used to compare biometric systems.
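Worked example (added here; not from the flashcards) showing how FAR and FRR are computed from matcher scores and how they trade off against each other. The score lists are constructed, not measurements from any real biometric system; the decision rule "accept when score >= threshold" is an assumption of the example.

```python
# Constructed matcher scores in [0, 1] (higher = more similar to the enrolled template).
# Ten genuine attempts and ten impostor attempts; not measured data.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.90, 0.64, 0.87, 0.93, 0.79]
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.66, 0.30, 0.41, 0.58, 0.19, 0.27]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Decision rule: accept when score >= threshold.
    FAR = impostor attempts accepted / all impostor attempts.
    FRR = genuine attempts rejected / all genuine attempts."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every observed score as a threshold; return (threshold, FAR, FRR) where the two
    rates are closest. This is the Crossover (Equal) Error Rate used to compare systems."""
    best = None
    for t in sorted(set(genuine + impostor)):
        far, frr = rates(t, genuine, impostor)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def tradeoff_table(genuine=GENUINE, impostor=IMPOSTOR):
    """FAR/FRR at a few thresholds: tightening the threshold trades false accepts for false rejects."""
    return {t: rates(t, genuine, impostor) for t in (0.5, 0.66, 0.8, 0.9)}


if __name__ == "__main__":
    for t, (far, frr) in tradeoff_table().items():
        print(f"threshold {t:.2f}: FAR {far:.1f}  FRR {frr:.1f}")
    print("crossover:", crossover())
```

Which side of the crossover to operate on is a policy decision: a door into a data centre wants a low FAR and accepts more false rejects; a phone unlock wants a low FRR.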

Tokens

Software tokens are generated by the authenticating system when a user logs on successfully (e.g. an access token or session cookie) and are presented to gain access to resources. Hardware tokens (key fobs, smart cards, USB devices) contain a secret key used to compute a one-time value from a PIN, a counter or a time stamp; the server verifies the value with its own copy of the key.

Smart Cards

Contains information about who you are, typically a private key, but can also store public keys, account numbers, passwords and other sensitive information. Examples, from least to most capable: magnetic-stripe card, IC (integrated circuit) memory card, IC microprocessor card (a true smart card, which performs cryptographic operations on the card so the private key never leaves it).

Crackers

Someone with malicious intentions who gains unauthorized access to network resources or software.

Denial of Service (DoS)

Prevents legitimate users from using a service. An active attack: the attacker actively attempts to change something, namely the availability of a server or service.

TCP SYN flood attack

Exploits behavior inherent in the TCP three-way handshake. The attacker creates half-open TCP connections by sending initial SYN packets with forged source IP addresses and never completing the handshake: the host's SYN/ACK goes to the spoofed address and the final ACK never arrives. Each half-open connection occupies a slot in the listen backlog until it times out, so the host reaches its limit and stops accepting connections from legitimate users. SYN cookies and short backlog timeouts are the usual mitigations.
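Worked example (added here; not from the flashcards): a small state tracker that replays packet summaries through the three-way handshake and flags a server whose half-open connections reach the backlog size. The packet list, the addresses and the backlog of 20 are constructed for the demonstration; a real sensor would feed it flags parsed from a capture.

```python
from collections import defaultdict

# Constructed packet summaries (src, dst, TCP flags) as a sniffer would report them; not a capture.
# One legitimate client completes its handshake; forty spoofed sources never send the final ACK.
SERVER = "198.51.100.10"
PACKETS = [("203.0.113.5", SERVER, "S"), (SERVER, "203.0.113.5", "SA"), ("203.0.113.5", SERVER, "A")]
for i in range(1, 41):
    PACKETS.append((f"192.0.2.{i}", SERVER, "S"))   # forged source address
    PACKETS.append((SERVER, f"192.0.2.{i}", "SA"))  # SYN/ACK goes to the forged address; no reply


def connection_states(packets):
    """Replay the handshake per (client, server) pair: SYN -> 'syn', SYN/ACK -> 'half-open',
    final ACK -> 'established'. Returns the state table."""
    state = {}
    for src, dst, flags in packets:
        if flags == "S":
            state[(src, dst)] = "syn"
        elif flags == "SA" and state.get((dst, src)) == "syn":
            state[(dst, src)] = "half-open"
        elif flags == "A" and state.get((src, dst)) == "half-open":
            state[(src, dst)] = "established"
    return state


def half_open_per_server(packets):
    """Count half-open connections per server address."""
    counts = defaultdict(int)
    for (client, server), st in connection_states(packets).items():
        if st == "half-open":
            counts[server] += 1
    return dict(counts)


def syn_flood_targets(packets, backlog=20):
    """Servers whose half-open count has reached the backlog size: once the listen queue is
    full, new SYNs are dropped, which is the denial of service."""
    return {s: n for s, n in half_open_per_server(packets).items() if n >= backlog}


if __name__ == "__main__":
    print(half_open_per_server(PACKETS), syn_flood_targets(PACKETS))
```

The forged sources are the tell: they are spread across a block and none of them ever sends a third packet. A flood from one real source would instead show a single client with many half-open entries.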

UDP Flood Attacks

UDP is a connectionless protocol with no handshake, so it is easy to abuse for flood attacks. The "Pepsi attack" sends a large number of forged UDP packets to random diagnostic ports (echo, chargen) on a target host. Use a firewall to block unused UDP ports and disable unneeded diagnostic services.

Ping of Death Attacks

Targets hosts with a weak TCP/IP stack implementation. The attacker sends a fragmented ICMP Echo Request whose fragments reassemble to more than the maximum IP packet size of 65,535 bytes, overflowing the reassembly buffer at the receiver and crashing or rebooting the system. Modern stacks check the total length before reassembling.

Smurf Attacks

The attacker sends a large amount of ICMP (Internet Control Message Protocol) Echo Request traffic to a network's broadcast address with the victim's IP address forged as the source, so every device that answers the broadcast floods the victim with replies. An amplification attack: a low-bandwidth connection can overwhelm a high-bandwidth victim, using badly configured networks that forward directed broadcasts as the amplifier.

Distributed Denial of Service (DDoS) Attacks

An attack launched from many source systems at once. The attacker first compromises PCs with trojan horses or other malware, turning them into zombies (bots), and then uses them to launch the attack, which makes it far harder to filter by source.

Spoofing

Using a false source address in an attempt to hide the actual identity of the attacker and possibly blame the attack on the false source. Primarily associated with forging the source address in headers of IP packets.

Address Resolution Protocol (ARP)

A protocol from the TCP/IP suite used to discover the MAC (hardware) address that corresponds to an IP address on the local network segment.

ARP spoofing

Forging the MAC address in ARP messages. An attacker sends false ARP replies that map the attacker's MAC address to the IP address of a legitimate host (typically the default gateway or a server); clients update their ARP caches and send traffic meant for that host to the attacker's machine, enabling sniffing or man-in-the-middle. ARP has no authentication, so any host on the segment can do this.
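Worked example (added here; not from the flashcards): the detection logic an ARP watcher uses, run over a constructed sequence of ARP replies. Two signals are checked: an IP address whose MAC binding changes, and a single MAC answering for several IP addresses. The addresses and the attacker's MAC are invented for the demonstration.

```python
from collections import defaultdict

# Constructed sequence of ARP replies seen on one segment: (sender IP, sender MAC). Not a capture.
# The attacker (de:ad:be:ef:00:99) claims both the gateway's and a client's address,
# the classic position for a man-in-the-middle.
ARP_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),    # real gateway
    ("10.0.0.20", "00:11:22:33:44:20"),   # real client
    ("10.0.0.1", "00:11:22:33:44:01"),
    ("10.0.0.1", "de:ad:be:ef:00:99"),    # spoofed: gateway IP, attacker MAC
    ("10.0.0.20", "de:ad:be:ef:00:99"),   # spoofed: client IP, attacker MAC
    ("10.0.0.1", "de:ad:be:ef:00:99"),
]


def detect_binding_changes(replies):
    """Keep the first MAC seen for each IP (like a static ARP entry) and alert whenever a later
    reply claims the same IP with a different MAC. Returns (table, alerts)."""
    table, alerts = {}, []
    for ip, mac in replies:
        if ip in table and table[ip] != mac:
            alerts.append({"ip": ip, "expected": table[ip], "seen": mac})
        table.setdefault(ip, mac)
    return table, alerts


def macs_claiming_multiple_ips(replies):
    """Second signal: one hardware address answering for several IP addresses."""
    owners = defaultdict(set)
    for ip, mac in replies:
        owners[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


if __name__ == "__main__":
    table, alerts = detect_binding_changes(ARP_REPLIES)
    print(table, alerts, macs_claiming_multiple_ips(ARP_REPLIES), sep="\n")
```

Caveat: "first seen wins" is only as good as the first observation. If the watcher starts while an attack is already running it will baseline the attacker's MAC, which is why production tools take the expected bindings from a configured list or from DHCP leases rather than from the wire.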

Domain Name System (DNS) spoofing

The attacker causes a name to resolve to the wrong IP address, either by planting a false record in a resolver's cache (cache poisoning) or by forging DNS replies, so the user unknowingly connects to the attacker's system. The user thinks they are entering information at the real site, but is actually giving it to a spoofed copy of the website.

Defense against IP spoofing

Routers or other devices that can filter traffic by source and destination IP address, with proper ingress and egress filters, or authentication of traffic with IPsec, mitigate spoofing attacks.

Ingress filters

Applied to packets entering the network from outside: drops packets whose source address could not legitimately come from there, e.g. packets arriving from the Internet that claim an internal address, or that carry a private or otherwise reserved (bogon) source.

Egress filters

Applied to packets leaving the network: drops packets whose source address is not one of the network's own, so the network cannot be used to launch spoofed attacks. Together the two filters stop an outside attacker from using a legitimate internal address when spoofing packets into the local network, and stop inside hosts from spoofing outward.
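Worked example (added here; not from the flashcards) covering both the ingress and the egress card: a border filter decision function in Python, applied to a constructed traffic sample. The site's address block 198.51.100.0/24 and the bogon list are assumptions of the example; on a real router the same logic is written as access-list rules on the outside interface.

```python
import ipaddress

# Assumptions for the example: the site's own address block, as seen by its border router.
SITE = ipaddress.ip_network("198.51.100.0/24")
# Sources that must never appear on packets arriving from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def border_filter(direction: str, src: str) -> str:
    """direction 'in': packet arriving on the outside (Internet-facing) interface;
    direction 'out': packet leaving towards the Internet. Returns 'accept' or 'drop:<reason>'."""
    s = ipaddress.ip_address(src)
    if direction == "in":                      # ingress filter
        if s in SITE:
            return "drop:ingress-claims-our-own-address"
        if any(s in net for net in BOGONS):
            return "drop:ingress-bogon-source"
        return "accept"
    if direction == "out":                     # egress filter
        if s not in SITE:
            return "drop:egress-source-not-ours"
        return "accept"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed traffic sample: (direction, source IP); not a capture.
SAMPLE = [
    ("in", "203.0.113.9"),      # normal inbound
    ("in", "198.51.100.7"),     # outsider spoofing one of our hosts
    ("in", "10.1.2.3"),         # private source arriving from the Internet
    ("out", "198.51.100.7"),    # normal outbound
    ("out", "192.0.2.1"),       # inside host spoofing someone else (e.g. a Smurf or SYN flood source)
]


def summarize(sample=SAMPLE):
    """Apply the filter to every packet and tally the verdicts."""
    verdicts = {}
    for direction, src in sample:
        v = border_filter(direction, src)
        verdicts[v] = verdicts.get(v, 0) + 1
    return verdicts


if __name__ == "__main__":
    for direction, src in SAMPLE:
        print(direction, src, border_filter(direction, src))
```

The egress rule is the one most often missing: it protects other people's networks rather than your own, but it is what keeps your hosts from being usable as spoofed sources in Smurf and SYN flood attacks.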

Back Doors

Allows unauthorized access to a remote system through an entry point of which the user is typically not aware, installed by malware or left in place by a developer. Use anti-spyware and adware utilities and keep operating systems and applications up to date with patches and service packs to protect against back doors.

Man-in-the-Middle

The attacker places themselves between two communicating network devices in order to intercept and possibly alter network traffic. Implementing a Public Key Infrastructure (PKI) with digital signatures to authenticate both sides through a trusted central Certificate Authority (CA), and using a protocol such as SSL/TLS or IPsec to create an authenticated, encrypted tunnel, prevents these attacks, provided the endpoints actually verify each other's certificates.

TCP/IP Hijacking

Allows an attacker to take over an established session, typically between a client and a server. TCP uses sequence numbers to synchronize the session between two network nodes; the attacker must predict these sequence numbers and prevent the original client from sending packets that would advance them (for example by flooding it). The attacker can then disconnect the client's established, possibly already authenticated, session and take the client's place by spoofing the legitimate client's address. Telnet, FTP, DNS and other unencrypted protocols are susceptible. Encrypted, authenticated transports such as SSH, SSL/TLS and IPsec reduce the risk, since the attacker cannot produce valid traffic without the session keys.

Replay

An attacker captures data from the network with a sniffer and retransmits it later for malicious purposes, e.g. re-sending a captured authentication exchange. CHAP defeats this with a fresh random challenge for every logon, so an old response is worthless; IPsec uses per-packet sequence numbers and an anti-replay window.

Mathematical

Breaking the encryption by intercepting large quantities of encrypted information and using mathematical and statistical analysis to recover the key or to find a weakness in the algorithm. Includes exploiting weak keys and the birthday paradox.

Birthday

Exploits the birthday paradox: for a hash with an n-bit output, a collision (two different inputs with the same hash value) is expected after only about 2^(n/2) attempts, not 2^n. Applied to passwords: an attacker who captures hashed passwords from the network runs many candidate strings through the same hashing algorithm looking for a matching hash value.
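Worked example (added here; not from the flashcards) putting numbers on the birthday bound: the exact collision probability, the 50% point, and an actual collision search against SHA-256 truncated to 24 bits, which takes thousands of attempts rather than the 16 million a pre-image search of that space would need. Truncation to 24 bits is a choice made for the demonstration so that it runs in well under a second.

```python
import hashlib
import math
import os


def collision_probability(bits: int, n: int) -> float:
    """Exact probability that n uniformly random outputs of a `bits`-bit hash contain a collision."""
    space = 2 ** bits
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct


def attempts_for_even_odds(bits: int) -> float:
    """Attempts for a 50% chance of a collision: sqrt(2 ln 2) * 2^(bits/2), about 1.18 * 2^(bits/2).
    Against the 2^bits of a brute-force pre-image search this is the square root,
    which is the whole point of the attack."""
    return math.sqrt(2 * math.log(2)) * 2 ** (bits / 2)


def truncated_hash(msg: bytes, bits: int) -> bytes:
    """SHA-256 cut down to `bits` (a multiple of 8) to model a short hash."""
    return hashlib.sha256(msg).digest()[: bits // 8]


def find_collision(bits: int):
    """Hash random inputs until two different inputs share the same truncated output.
    Returns (input_a, input_b, attempts). Keep `bits` small (e.g. 24): memory grows with attempts."""
    seen = {}
    attempts = 0
    while True:
        msg = os.urandom(8)
        attempts += 1
        tag = truncated_hash(msg, bits)
        if tag in seen and seen[tag] != msg:
            return seen[tag], msg, attempts
        seen[tag] = msg


if __name__ == "__main__":
    print(f"P(collision | 24-bit hash, 4096 hashes) = {collision_probability(24, 4096):.3f}")
    print(f"50% point for 24 bits: {attempts_for_even_odds(24):.0f} attempts")
    print(f"50% point for 256 bits: {attempts_for_even_odds(256):.3g} attempts")
    a, b, n = find_collision(24)
    print(f"collision after {n} attempts: {a.hex()} and {b.hex()}")
```

This is why hash output lengths are chosen at twice the desired security level: a 128-bit hash offers only about 64 bits against collision search, which is within reach.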

Passwords

Use at least 8 characters (longer is better). Do not use dictionary words or other easily guessable strings. Limit login attempts (lockout or rate limiting).

Software Exploitation

Misuse of usually known bugs and holes in software. Reduce the risk by keeping software up to date (patches, updates, hotfixes, service packs) and by hardening. Intrusion Detection Systems (IDS) can detect, and intrusion prevention systems stop, an attack that uses a known software exploit.

Social Engineering

An attacker impersonates a seemingly harmless or authoritative person (help desk, vendor, executive) to deceive company personnel into revealing information or performing actions. Security policies must be implemented and enforced, and employees must be trained to recognize and respond to social engineering attempts.

Dumpster diving

Going through trash bins to search for papers with employee and department names, administrative codes, specifics about the company's network environment, and other useful information. Shredding is the defense.

Secure/Multipurpose Internet Mail Extensions (S/MIME)

Allows users to encrypt and digitally sign e-mail messages using X.509 certificates.

Message Encryption

A symmetric algorithm (DES, 3DES or, in older implementations, RC2; AES in current ones) is used to encrypt the message data. The recipient needs the same symmetric key to decrypt the data, so the key must be delivered securely. To accomplish that, an asymmetric algorithm (RSA, or Diffie-Hellman key agreement) is used to protect the symmetric key, using the recipient's public key. The recipient uses their private key to recover the symmetric key, which in turn decrypts the message data. Only the message body and attachments are encrypted; headers such as the subject line and the addresses remain in clear text.

Digital Signatures

S/MIME offers sender authenticity, non-repudiation, and message integrity by adding a digital signature to a message.
- Encrypting: the recipient's public key is used to encrypt (the symmetric key for) the message; the recipient's private key decrypts it.
- Signing: the sender's private key is used to sign the message digest; the recipient uses the sender's public key to verify the signature. Any change to the message changes the digest and invalidates the signature.

Clear signing

The digital signature is added to the message as a separate MIME part while the message itself remains in clear text, so older e-mail clients without S/MIME support can still read the message.

Opaque signing

The message and the digital signature are combined into a single binary (CMS/PKCS#7) object; a client without S/MIME support cannot display the message.

X.509 Certificates

S/MIME relies on an X.509 certificate Public Key Infrastructure (PKI) for private/public key management.

Pretty Good Privacy (PGP)

A widely available (originally freeware) message encryption system that lets users choose from several encryption algorithms. A hybrid encryption system: a symmetric key encrypts the data and asymmetric encryption protects the symmetric key. Unlike S/MIME it uses a web of trust between users rather than a CA hierarchy.

Remote Access Service (RAS)

Allows remote clients to dial in, connect and log on to the network.

War dialing

Dialing a list of numbers until a modem answers, then using brute-force or dictionary attacks to guess valid username and password credentials.

Point-to-point protocol (PPP)

The most widely used RAS protocol, supported by virtually every network system. PPP operates at the Data Link layer (Layer 2) of the OSI model and can carry IP and other network protocols. Also used for router-to-router connections in WANs. Supports several authentication protocols including MS-CHAP, EAP, CHAP and the older Password Authentication Protocol (PAP).

RADIUS (Remote Authentication Dial-In User Service)

Provides centralized authentication for clients that connect to a remote access server over a SLIP or PPP dial-up connection using an authentication protocol such as PAP, CHAP or EAP; the access server forwards the request to the RADIUS server over UDP (ports 1812/1813, formerly 1645/1646). RADIUS hides only the user's password (with MD5 and a shared secret) between the access server and the RADIUS server; other information, including the username and the authorization details in an Access-Accept packet, is transmitted in clear text. Protecting the path with L2TP and IPsec solves this.
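Worked example (added here; not from the flashcards): the User-Password hiding of RFC 2865 section 5.2 in Python, showing both what the access server sends and what the RADIUS server recovers, and why "only the password is hidden" matters. The shared secret, username and password are constructed values. The crack_shared_secret() function demonstrates a known weakness of this scheme: anyone who knows one password and captures its request can test shared-secret guesses offline.

```python
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(shared_secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2. The password is padded with NULs to a multiple of 16 octets and
    each 16-octet block is XORed with MD5(secret || previous ciphertext block), where the
    'previous block' for the first chunk is the 16-octet Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        c = _xor(padded[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        out += c
        prev = c
    return out


def reveal_password(shared_secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """What the RADIUS server does with the Access-Request it receives."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += _xor(c, hashlib.md5(shared_secret + prev).digest())
        prev = c
    return out.rstrip(b"\x00")   # assumes the real password has no trailing NUL bytes


def access_request(shared_secret: bytes, username: bytes, password: bytes) -> dict:
    """The attributes of an Access-Request as a sniffer sees them: only User-Password is hidden."""
    ra = os.urandom(16)
    return {"User-Name": username,
            "User-Password": hide_password(shared_secret, ra, password),
            "Request-Authenticator": ra}


def crack_shared_secret(request: dict, known_password: bytes, candidates):
    """Weakness: someone who knows one password (e.g. their own) and captured its Access-Request
    can test shared-secret guesses offline, because the first hidden block XOR the first
    password block equals MD5(secret || Request-Authenticator)."""
    first_block = request["User-Password"][:16]
    padded = (known_password + b"\x00" * 16)[:16]
    target = _xor(first_block, padded)
    for guess in candidates:
        if hashlib.md5(guess + request["Request-Authenticator"]).digest() == target:
            return guess
    return None


if __name__ == "__main__":
    req = access_request(b"s3cr3t-shared", b"alice", b"hunter2")
    print({k: (v.hex() if isinstance(v, bytes) else v) for k, v in req.items()})
```

The hiding is reversible by design (the server must recover the clear-text password to check it against PAP), which is also why a RADIUS server compromise exposes every password that passes through it.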

AAA

Authentication, Authorization, and Accounting

TACACS+ (Terminal Access Controller Access Control System+)

Cisco's enhanced version of TACACS/XTACACS, developed as a more secure alternative to RADIUS. Instead of hiding just the password as RADIUS does, TACACS+ encrypts the entire body of the packet, keeping it safe from sniffing. It separates the AAA services, allowing different protocols and technologies per service, and uses TCP (port 49) instead of UDP. Weaknesses: lack of integrity checking, vulnerability to replay attacks, and weak session keys for packet encryption.

VPN (Virtual Private Network)

A private connection over a public network such as the Internet. A virtual point-to-point connection, called a tunnel, is created over the Internet between two routers or firewalls (or between a client and a VPN gateway).

Site-to-site or LAN-to-LAN VPN

The first main type of VPN: a connection between two networks, used for connecting branch offices of a single organization or for creating an extranet with business partners.

Remote access VPN

The second main type: for remote and mobile users who need to access the corporate network. The client first connects to a local ISP and then establishes a tunnel to the corporate VPN gateway.

Tunneling

Encapsulating a packet inside another packet. Carrier protocol: IP on the public Internet. Tunneling protocol: PPTP, L2TP or IPsec. Encapsulated (passenger) protocol: IP, IPX, NetBEUI or AppleTalk.

PPTP (Point to Point Tunneling Protocol)

A tunneling protocol created by Microsoft. It is an extension of PPP and encapsulates PPP frames to carry them through a tunnel over a public IP network. PPTP itself does not provide any real security; it does not encrypt the encapsulated packets, it merely tunnels (encapsulates) them. PPTP operates at the Data Link layer of the OSI model; it uses TCP port 1723 for the control channel and GRE (IP protocol 47) for the tunneled data. It relies on the authentication protocols in PPP, such as MS-CHAP, and on Microsoft Point-to-Point Encryption (MPPE) for actual data encryption using a 40-bit or 128-bit RC4 cipher. Both MS-CHAP and MPPE have known weaknesses, so PPTP is no longer considered secure.

L2TP (Layer Two Tunneling Protocol)

An IETF standard (RFC 2661) developed to replace PPTP, combining the technology of Microsoft's PPTP with Cisco's Layer 2 Forwarding (L2F) tunneling protocol. In addition to IP networks, L2TP supports tunneling over various other types of point-to-point networks including Frame Relay, X.25 and ATM. L2TP operates at the Data Link layer of the OSI model and uses UDP port 1701. L2TP does not itself encrypt data or authenticate individual messages; it relies on IPsec for that, so an L2TP/IPsec tunnel is authenticated and encrypted at the Network layer.

IPSec (Internet Protocol Security)

A popular and complete security framework for IP networks that provides end-to-end security at the Network layer: data confidentiality, data integrity, and authentication of data origin. Used in conjunction with tunneling protocols to offer a higher level of security in VPNs. Transparent to applications and users, and easy to deploy because most modern operating systems and network devices support it natively.

Authentication Header (AH)

Provides integrity and data-origin authentication of IP packets by computing a keyed hash (HMAC-MD5 or HMAC-SHA-1) with a shared secret (symmetric key) over the packet; the result is the message digest, also known as the integrity check value (ICV). Provides authentication and integrity but not confidentiality. Because AH also covers the IP header, it does not work through NAT. AH uses IP protocol number 51.

Encapsulating Security Payload (ESP)

Provides confidentiality by encrypting the payload with the symmetric key exchanged earlier, using DES or 3DES in the original specification (AES today). ESP can also provide integrity and authentication of the encrypted payload. ESP uses IP protocol number 50.

Transport Mode (IPSec)

Only the payload of an IP packet is protected; the original IP header is kept and used for routing. Used for host-to-host protection.

Tunnel Mode (IPSec)

The entire original IP packet (payload and header) is protected and wrapped in a new IP header addressed to the tunnel endpoints. Used for gateway-to-gateway VPNs.
- AH in Transport Mode: integrity and data origin authentication for the payload of an IP packet (plus the immutable fields of its header).
- AH in Tunnel Mode: integrity and data origin authentication for the entire original IP packet including its header.
- ESP in Transport Mode: conf\u200bidentiality for only the payload of an IP packet.
- ESP in Tunnel Mode: confidentiality for the entire original IP packet including its header.

Internet Key Exchange (IKE) protocol

The standard key exchange protocol for IPsec, which negotiates Security Associations (SAs) and session keys. Consists of the Internet Security Association and Key Management Protocol (ISAKMP) and the OAKLEY protocol. IKE uses UDP port 500 (and UDP port 4500 for NAT traversal).

Internet Security Association and Key Management Protocol (ISAKMP)

ISAKMP defines the procedures for peer authentication, the SA handshake process, and algorithms and key sizes.

OAKLEY protocol

The OAKLEY protocol performs the actual key negotiation using the Diffie-Hellman key agreement protocol, so both peers derive a shared secret without ever transmitting it.

SSH (Secure Shell)

A more secure alternative to remote connectivity protocols such as Telnet, rlogin, rsh and FTP. An encrypted channel is established between a client and a server, through which all traffic, including authentication information, is transmitted in encrypted form. The server is authenticated by its host key and the client by password or public key. Uses TCP port 22.

802.1x

The IEEE 802.1X standard provides authenticated access to wired Ethernet networks and wireless 802.11 networks. It allows port-based access control at the Data Link layer (Layer 2) for clients connected to switches and wireless access points: the port passes only authentication traffic until the client (supplicant) has authenticated through the switch or access point (authenticator) to an authentication server, typically RADIUS. 802.1X carries the Extensible Authentication Protocol (EAP) over LANs, known as EAPOL, and is useful for providing dynamic key management for WEP (and later WPA) keys.

Intranet

A small private piece of 'Internet' that is accessible only to users within the organization. Typically a web server running a website or web application, accessible only to users with a web browser on the company's LAN or WAN, possibly with separate back-end servers such as database servers.

Extranet

Similar to an intranet, but accessible to two or more parties. When two companies or partners need to communicate and collaborate closely, they connect their networks together. Firewalls at the entry points make the extranet a buffer between the two companies, preventing direct access between their internal networks while allowing them to collaborate and share information securely.

Secure Sockets Layer (SSL)

A protocol developed by Netscape to allow secure HTTP communication. It uses symmetric encryption to secure a session between a client and a server, and asymmetric encryption to authenticate the server to the client (and optionally the client to the server). SSL employs three types of algorithms: asymmetric encryption (e.g. RSA) for authentication and key exchange, symmetric encryption (e.g. RC2, RC4, DES, 3DES) for confidentiality, and hashing (e.g. MD5, SHA) for integrity. IPsec protects any IP connection, whereas SSL can only be used if the application supports it, such as a web browser and web server.

SSL handshake protocol

The authentication and key exchange process that precedes encrypted data transfer. SSL operates between the Application and Transport layers of the OSI model; HTTPS uses TCP port 443.

Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

HTTP carried over an SSL/TLS connection: the server is authenticated by its certificate, and the data transmitted over the connection is encrypted and confidential. Uses TCP port 443.

Secure Hypertext Transfer Protocol (S-HTTP)

An extension to HTTP designed by EIT (Enterprise Integration Technologies) to secure HTTP connections. Messages are formatted like normal HTTP messages, and S-HTTP can use different algorithms and key infrastructures, such as Kerberos and RSA PKI, to provide confidentiality, mutual authentication and integrity. Not widely used; superseded by HTTPS.

Transport Layer Security (TLS)

Standardized by the IETF to replace SSL. Based on SSL 3.0 and provides very similar services for standard Internet protocols such as HTTP, LDAP and SMTP. Employs symmetric encryption for confidentiality, hash algorithms (HMAC) for data integrity, and asymmetric encryption for authentication. TLS is more flexible than SSL in that it supports additional cryptosystems and other key exchange methods in addition to the handshake process. SSL 2.0 and 3.0 are now deprecated.

FTP (File Transfer Protocol)

One of the most popular protocols from the TCP/IP suite. Allows files to be transferred between different platforms, but in a very insecure manner: it transmits authentication information (username and password) and the file data in clear text over the network. Uses TCP port 21 for control and port 20 for data (in active mode).

Blind FTP

Allows a user to download files only if they know the exact path and file name; the user cannot browse the directory structure or list directory contents.

Anonymous access

Users can log in (as 'anonymous') without providing a password, or by giving any e-mail address as the password. No real username or password is transmitted that could cause damage if it fell into the wrong hands.

S/FTP (Secure File Transfer Protocol)

Provides the same functionality as regular FTP but much more securely. Despite the name, SFTP is not FTP tunneled through SSH: it is the SSH File Transfer Protocol, a separate file-transfer protocol that runs inside an SSH session and therefore provides the same level of security as SSH. The server is authenticated by its host key and the client by password or public key, and all data is transmitted in encrypted form. Uses the same port as SSH (TCP 22).

Secure Copy Protocol (SCP)

SCP is the secure counterpart of the Remote Copy Protocol (RCP) and provides secure file transfer over SSH.

Instant Messaging

Real-time correspondence between two or more online users. IM clients open listening ports on the computer and accept file transfers, which makes them a target for network attacks and software exploits.

Cookies

A small text record that a website stores on the local computer to maintain information about a visitor's session. First-party cookies come from the same domain as the website being viewed; third-party cookies originate from another domain and are used to provide third-party content (and to track users across sites).

Java Script

A scripting language developed by Netscape. It allows code to be embedded in HTML pages to add functionality to websites. JavaScript is a client-side scripting language: the code is interpreted and executed in the user's browser. This makes it a vehicle for running malicious code in the victim's browser context, where it can read browser data such as cookies and session information.

Java

An object-oriented programming language developed by Sun Microsystems. It is platform-independent, which makes it suitable for writing Internet applications. These Java Internet applications are called applets and run on every system that has a Java Virtual Machine installed.

Sandbox

Java provides security for running applets by executing them in a sandbox: a restricted virtual area that defines the boundaries for third-party code, such as Java applets, and restricts its access to system resources and data.

ActiveX

A Microsoft technology that allows reusable software components to interact with each other, including over networks. Popular with viruses, Trojan horses, spyware and other malicious code because ActiveX controls run with the full privileges of the user rather than in a sandbox.

ActiveX controls

Used to add Windows functionality and interactivity to web pages. ActiveX controls can be written and interoperate with several different programming languages. They are executed on the client as regular Windows software, and unlike Java applets, ActiveX components do not run in a restricted sandbox. Should always be digitally signed to allow users to verify where the control came from and that it has not been tampered with since it was signed.

Authenticode

Microsoft standard for signing files and applications including ActiveX controls and works with X.509 certificates and digital signatures.

CGI (Common Gateway Interface)

An interface that allows a web server to pass requests to external programs such as Perl scripts and C applications. The program requires execute permission on the web server. Vulnerable to malformed input if the program does not validate it: results include unauthorized access to non-public areas of the web server's file system (e.g. path traversal with '..' sequences), damage to data, buffer overflows, and leakage of sensitive information.
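Worked example (added here; not from the flashcards) of the malformed-input problem the card describes, for the file-system case: a naive CGI-style path builder beside a hardened one, run over constructed request parameters. The document root /var/www/cgi-data and the requests are assumptions of the example; both functions only compute the path that would be opened and never touch the file system, so the block runs anywhere.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/cgi-data"   # assumption: the only directory the script may serve from


def naive_path(requested: str, docroot: str = DOCROOT) -> str:
    """The vulnerable version: trust the parameter and glue it onto the document root.
    A '..' sequence walks out of docroot. (Returns the path it would open; opens nothing.)"""
    return posixpath.normpath(docroot + "/" + unquote(requested))


def safe_path(requested: str, docroot: str = DOCROOT):
    """Hardened version: decode (twice, to catch double encoding such as %252e%252e), reject NUL
    bytes, normalise, then check the result is still inside docroot. Returns None to deny."""
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    if candidate != docroot and not candidate.startswith(docroot + "/"):
        return None
    return candidate


# Constructed request parameters as they would arrive in a query string; not from a real log.
REQUESTS = ["reports/q1.txt", "../../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
            "%252e%252e/%252e%252e/%252e%252e/etc/passwd", "reports/../reports/q2.txt",
            "ok.txt%00.jpg"]


def compare(requests=REQUESTS):
    """Side by side: what the naive code would open versus what the check allows."""
    return {r: (naive_path(r), safe_path(r)) for r in requests}


if __name__ == "__main__":
    for r, (naive, safe) in compare().items():
        print(f"{r!r:45} naive={naive!r:45} safe={safe!r}")
```

The check is done on the normalised absolute path rather than by scanning the input for "..", because encoded, doubled or mixed separators all collapse to the same thing after normalisation and the string check catches them uniformly.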

Buffer Overflows

When a process writes more data into a buffer than was allocated for it, the excess spills over into adjacent memory. At minimum this crashes the program, creating a denial of service; if the attacker controls the overflowing data it can redirect execution and run attacker-supplied code. Careless programming (unchecked input lengths) is the cause of most buffer overflows.

Malicious Code

Malware: software that can damage or alter data and programs on a system without the user's permission or knowledge.

Viruses

Infects systems by attaching itself to files and programs. A virus needs to be executed by a user before it can do any damage. Use anti-virus software for protection.

Worms

A worm does not need to attach itself to a file or program to reproduce and execute, as a virus does. A worm is self-contained: it replicates itself over the network and can infect entire networks without any user action. Use anti-virus software and prompt patching for protection.

Logic Bombs

A piece of malicious code that lies dormant and executes only when certain conditions are met (a date, a counter, a particular event).

Simple Network Management Protocol (SNMP)

An Application layer protocol used to monitor, and gather information about, network systems and devices. SNMP uses UDP port 161 (queries) and 162 (traps). The information SNMP provides is valuable to an attacker, and SNMPv1/v2c authenticate only with community strings sent in clear text, so SNMP traffic should be blocked at border routers or firewalls and SNMPv3 (which adds authentication and encryption) used internally. Besides passive monitoring, SNMP can also configure network devices through SNMP write (set) commands, so the write community string needs the most protection.

Firewalls

A hardware device or software application on a computer that protects private networks from unauthorized external access. A firewall filters both inbound and outbound traffic by checking whether it meets certain criteria. The most common firewall operates at the Network layer and is known as a packet filter. Packet-filtering firewalls inspect only the header of each packet (addresses, ports, protocol) and judge each packet on its own.

Application layer firewalls

Inspects traffic all the way up to Layer 7 of the OSI model. This means it inspects not only the packet header but also the data payload, allowing criteria to be set for the application protocol itself (for example allowing HTTP but blocking specific requests) without allowing or denying the application entirely.

Circuit-level firewall

Operates at the Transport layer of the OSI model. It checks whether the TCP and UDP messages used to establish a connection meet certain criteria. Once a connection is established (i.e. the TCP handshake has completed successfully), traffic on that connection passes the firewall without further inspection.

Stateful firewalls

A stateful firewall keeps a table of active connections and knows when each started and ended, so it can allow return traffic only for connections initiated from the trusted side and reject packets that belong to no known connection. Generally the most secure, and historically the most expensive, type of firewall.

Demilitarized zone (DMZ)

A network segment placed between the internal network and the Internet. The hosts in the DMZ are typically web servers, e-mail servers and the like, and are accessible to both internal and external users. This allows users on the Internet to reach these servers without reaching the organization's internal network.

Screened firewall

Involves two firewalls: the screening host is often a simple packet filter and the screened host a more advanced firewall. The packet filter blocks the majority of invalid traffic and provides access to the servers in the DMZ, reducing the workload of the screened firewall.

Routers

Used to interconnect multiple (sub)networks and route information between them by choosing an optimal path (route) to the destination. They operate at the Network layer (Layer 3) of the OSI model and, unlike hubs, bridges and switches, are protocol-aware. Common uses are connecting two different types of networks (for example Ethernet and Frame Relay) or interconnecting LANs into a WAN. Routers make forwarding decisions based on a table of network addresses and their corresponding interfaces, known as the routing table. Routers offer a built-in packet filter (access control lists) that can allow and deny addresses, address ranges and ports.

Routing protocols

RIP, OSPF and BGP: used by routers to exchange routing table information with other routers in the internetwork. Unauthenticated routing updates can be spoofed to redirect traffic, so the protocols' authentication options should be enabled.

NAT (Network Address Translation)

Translates private IP addresses to public ones and vice versa; configured on the access routers and firewalls that connect home and office networks to the Internet. These networks use IP addresses from the private (RFC 1918) ranges, which cannot be routed on the Internet. NAT operates at the Network layer (Layer 3) of the OSI model and, as a side effect, hides the internal addressing scheme from the outside.

Dynamic NAT

The router maintains a list of internal addresses and a list of external addresses that are dynamically mapped to each other.

Static NAT

Contains fixed entries that map public addresses to internal addresses. Static NAT entries are typically used when a web or mail server resides on the internal LAN and must be reachable from outside. A NAT router is typically also a DHCP server and DNS proxy for its internal clients.

Port Address Translation (PAT)

Many internal hosts share a single external address: the router rewrites the source port of outgoing packets and keeps a table that maps each translated port back to the internal socket (the combination of an IP address and a port number). Also called NAT overload or masquerading.
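Worked example (added here; not from the flashcards): a PAT translation table in Python, showing two internal hosts that happen to use the same source port reaching the same web server, the replies being demultiplexed by the translated port alone, and an unsolicited inbound packet that matches no entry and is dropped. The addresses and the starting port 40000 are assumptions of the example.

```python
import itertools


class PAT:
    """Port Address Translation: every internal socket (ip, port) talking to a remote socket gets
    its own source port on the single public address; the reverse table routes replies back."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self._out = {}   # (int_ip, int_port, dst_ip, dst_port) -> translated public port
        self._in = {}    # (public port, remote_ip, remote_port) -> (int_ip, int_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an internal packet's source to (public_ip, translated port)."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self._out:
            p = next(self._ports)
            self._out[key] = p
            self._in[(p, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self._out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Rewrite a packet arriving at (public_ip, dst_port). Returns None when no internal host
        started the conversation: unsolicited inbound traffic has nowhere to go and is dropped."""
        entry = self._in.get((dst_port, src_ip, src_port))
        if entry is None:
            return None
        int_ip, int_port = entry
        return (src_ip, src_port, int_ip, int_port)


def demo():
    """Two internal hosts using the same source port reach the same web server; replies are
    demultiplexed by the translated port alone. Returns the translated tuples and verdicts."""
    nat = PAT("203.0.113.1")          # assumption: the router's public address
    a = nat.outbound("192.168.1.10", 1234, "198.51.100.80", 80)
    b = nat.outbound("192.168.1.11", 1234, "198.51.100.80", 80)
    reply_a = nat.inbound("198.51.100.80", 80, a[1])
    reply_b = nat.inbound("198.51.100.80", 80, b[1])
    probe = nat.inbound("198.51.100.99", 31337, 22)   # unsolicited: nothing mapped to port 22
    return a, b, reply_a, reply_b, probe


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The dropped probe is the "free firewall" effect people attribute to NAT: it is a side effect of the table, not a security policy, and a static entry (as for an internal web server) reopens exactly that path.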

Switches

Breaks up networks into smaller collision domains to improve network performance. A switch is essentially a multiport bridge. It maintains a table of MAC addresses per port to make forwarding decisions, operates at the Data Link layer (Layer 2) of the OSI model, and is protocol-transparent. Unused ports should be disabled in the device configuration, and enabled ports should use 802.1X port-based authentication.

VLANs (Virtual Local Area Network)

Logical groups of network devices whose members can be located in different physical segments. A VLAN can be based on port IDs, MAC addresses, protocols, or even applications. The primary advantages of VLANs are scalability, because members of a VLAN can be miles apart and still act as a single physical LAN, and manageability, because members can be relocated easily to a different VLAN without having to change the physical connection. A third benefit of VLANs is security, because each VLAN acts as a separate LAN and uses a different IP (sub)network. This means that members of one VLAN cannot communicate with members of another VLAN unless a router is used to route traffic between the VLANs.

Telecom / PBX (Private Branch Exchange)

A PBX is a switch that allows companies to interconnect different telephone devices and services such as voice, pagers, SMS, voicemail, and data. Vulnerable to eavesdropping, voicemail listening, tampering with SMS messaging, unauthorized remote administrative access.

Network Cabling

Physical damage - Damage can be caused by accident or on purpose.
Tapping - Physically tapping a device into a network would allow an attacker to perform all sorts of network attacks, including sniffing.
Electromagnetic interference (EMI) - Electrical equipment and cabling near the cable can produce an electromagnetic field that interferes with the signal on copper wires.
Crosstalk - Electrical signals leaking through the cable shielding or enclosure can interfere with other nearby cables and vice versa.

Coaxial

Used primarily in the older 10Base2 and 10Base5 Ethernet networks. Physically strong and rigid and provides relatively good shielding against EMI and crosstalk. Fairly easy to tap in a rogue network device by piercing the cable with a vampire tap or cutting the cable and inserting a T-connector.

Unshielded Twisted Pair (UTP)

Cheap and flexible. Provides very little protection against physical damage and EMI because it does not have proper shielding. It is also fairly easy to tap into an existing connection by splitting the cable wires.

Shielded Twisted Pair (STP)

Has an additional layer of metal shielding enclosing the inner wires. This provides better protection against EMI and makes it physically stronger, while remaining flexible. Tapping into an STP connection is just as easy as with UTP.

Fiber Optics

Allows for the longest distances and highest transmission speeds, and is the most secure type of network cabling. Not susceptible to EMI and crosstalk, and it is difficult to physically tap into a connection, but it is physically weak.

Diskettes/Floppy Disks

Highly vulnerable to damage by magnetic fields and the environment. Unsuitable for storing and archiving data compared to today's alternative removable media. The best defense against such malicious activity is to ban floppy disk drives from client systems entirely.

Tapes

Fast and can hold the combined data of many systems in a network. Servers are equipped with tape devices. Tapes are susceptible to environmental and magnetic damage. Backup tapes store all of the essential data that is required to continue operations in case of a disaster.

802.11

IEEE 802.11 standard defines the MAC and Physical layer specifications for Wireless LANs. The Physical layer specifications in 802.11 define standards for three different radio technologies: DSSS, FHSS, and IR (InfraRed). The data rates supported by the 802.11 standard are 1 and 2 Mbps. 802.11 uses the 2.4 GHz frequency band.

802.11b

802.11b provides data rates of 5.5 and 11 Mbps, is backwards compatible with the 1 and 2 Mbps data rates of 802.11, and uses the 2.4 GHz frequency band.

802.11a

The 802.11a standard increases the maximum data throughput to 54 Mbps. However, 802.11a is not compatible with 802.11, 802.11b, or 802.11g because it uses the 5 GHz frequency band. 802.11a also uses a different modulation scheme (OFDM) than 802.11 and 802.11b.

802.11g

The 802.11g standard also allows data transfer rates up to 54 Mbps, but is backward-compatible with both 802.11 and 802.11b, supporting both their data rates (1, 2, 5.5, and 11 Mbps) and modulation scheme (QPSK). 802.11g also supports the modulation scheme used by 802.11a (OFDM), but is not compatible with 802.11a because 802.11g uses the 2.4 GHz frequency band.

802.11x

Used to refer to the entire group of 802.11 WLAN standards.

WEP (Wired Equivalent Privacy)

Developed to increase wireless LAN security. WEP is an effort to provide privacy in wireless networks similar to privacy in wired networks. When WEP data encryption is enabled, secret shared encryption keys are generated. WEP uses the RC4 cipher and a 64- or 128-bit WEP key to encrypt the data payload of frames. This WEP key is a combination of a 24-bit initialization vector (IV) and a 40- or 104-bit secret key.

Open System Authentication

The client broadcasts its MAC address to identify itself, and the AP replies with an authentication verification frame. Although its name implies otherwise, no actual authentication occurs when Open System Authentication is used.

Shared Key Authentication

The client will be authenticated only if it is configured with a preshared key. This means that the same key must be configured on both the client station and the AP. The AP sends a challenge text to the client requesting authentication; the client encrypts it using WEP and the shared key and sends it back to the AP, where it is decrypted again to see if it matches the original challenge.

WEP disadvantages

One reason WEP offers rather weak protection is that the IV is exchanged in clear text. The 802.11 standard also does not provide dynamic key management and key renewal.

WEP2

Supports the use of 802.1X authentication protocol, an improved key distribution system and stronger encryption by using AES (Advanced Encryption Standard) instead of RC4.

WAP (Wireless Application Protocol)

A protocol developed for use with wireless devices such as mobile phones and PDAs. These devices have a so-called microbrowser allowing them to display WML (Wireless Markup Language) pages, which are more limited than HTML. The client connects to a WAP gateway that is responsible for encoding and decoding requests from the client and responses from the server.

WTLS (Wireless Transport Layer Security)

Provides privacy, data integrity and authentication security services between a mobile device and a WAP gateway. It is used for establishing an encrypted connection preventing data from being tampered with or forged without the two parties becoming aware of it. It is also used for providing authentication services by using digital certificates. WTLS is based upon the Transport Layer Security (TLS) protocol, which is in turn derived from the Secure Sockets Layer (SSL) protocol. WTLS is optimized for use with narrow-band low speed connections and low memory devices. It also supports dynamic key refreshing ensuring the session key used to encrypt the data is updated frequently.

Site Surveys

A site survey is an analysis of the network and its environment. It will usually be conducted by the people responsible for designing or maintaining the network, but the term also describes an attack where an attacker gathers information about your wireless network.

Wireless Networks Vulnerabilities

Wireless networks are particularly vulnerable to man-in-the-middle attacks for the same reasons that make eavesdropping so easy. War driving refers to driving around with a powerful antenna on the car, connected to a notebook, using a wireless sniffer such as NetStumbler to listen for wireless network traffic. Jamming is a type of DoS attack whereby the attacker uses an RF signal generator to cause an unusually high noise level, effectively disabling the use of an access point. Bluetooth devices by their nature can effectively jam 802.11 networks.

Intrusion Detection System (IDS)

Monitors and analyzes traffic on a network or activity on a system in an attempt to detect malicious activity. Logs the event, stores relevant data/traffic, notifies an administrator, and in some cases it will try to intervene.

Passive Response IDS

Merely logging the intrusion and notifying someone, by email or pager.

Active Response IDS

Automatically taking action in response to a detected intrusion.

Host-based IDS

A software application installed on a system that monitors activity only on that local system. It communicates directly with the operating system and has no knowledge of low-level network traffic. Most host-based IDSs rely on information from audit and system log files to detect intrusions.

Network-based IDS

A dedicated hardware appliance, or an application running on a computer, attached to the network. It monitors all traffic in a network or coming through an entry point such as an Internet connection. Runs in promiscuous mode, picking up all traffic from the media even if the destination address is not the IDS.

Signature-based IDS

Also called a rule-based, knowledge-based, or misuse-detection IDS. It employs a database of signatures describing known attack patterns to identify possible attacks and malicious activity.

Behavior-based intrusion detection

Also called anomaly-based or statistical-based intrusion detection. As these names imply, a behavior-based IDS monitors traffic and system activity for unusual behavior - anomalies based on statistics. It dynamically adapts to new vulnerabilities, but usually produces a high number of false alarms.

Limitations and drawbacks of IDSystems

When an IDS incorrectly identifies an activity as a possible intrusion, the result is a false alarm, a false positive. A network-based IDS may not always be able to pick up and process all data in busy networks. Another challenge for a network-based IDS is encrypted data; most are able to inspect compressed data, but encrypted data remains an obstacle simply because the IDS does not have access to the keys of every device in the network. An IDS should be used to complement a firewall, not replace it. IDSs also have bugs and exploits of their own.

Honey Pots

A decoy that lures attackers away from production systems. It's usually a computer attached to the network that runs special software to emulate services, applications, protocols.

Piggybacking

Pretending to be accompanying another person or group entering the building.

Asset identification

The first step towards a secure organization. Assets include the building and everything in and around it; anything that is part of the organization. This includes information systems and data, but also paper archives and human beings. What you need to protect.

Vulnerability assessment

A vulnerability assessment should be performed to identify the vulnerabilities of the assets.

Threat identification

Anything that can tamper with the confidentiality, integrity, and availability of information systems is considered a threat. Confidentiality is all about keeping information secret and available only to authorized individuals. Integrity concerns the trustworthiness of information by ensuring information is not tampered with by unauthorized individuals. Availability - keeping systems, services, and data available to legitimate users.

Risk identification

The most difficult part of this entire process is risk identification. A risk is the likelihood of a threat actually leading to an incident.
Single Loss Expectancy (SLE) = asset value x Exposure Factor (EF)
Annualized Loss Expectancy (ALE) = SLE x Annualized Rate of Occurrence (ARO)

Directory Harvest Attack

A technique used by spammers in an attempt to find valid/existent e-mail addresses at a domain by using brute force.

CRAM-MD5

A challenge-response authentication mechanism (CRAM) based on the HMAC-MD5 algorithm. As one of the mechanisms supported by the Simple Authentication and Security Layer (SASL), it is often used in email software as part of SMTP Authentication and for the authentication of POP and IMAP users, as well as in applications implementing LDAP, XMPP, BEEP, and other protocols.