Explaining Network security concepts Flashcards

(53 cards)

1
Q

What is the CIA triad?

A

Confidentiality: Means that information is disclosed only to the people, processes and systems authorized to see it.

Integrity: Means that the data is stored and transferred as intended, that any modification is authorized, and that unauthorized modification can be detected.

Availability: Means that information and the systems that hold it are accessible to those authorized to view or modify it, when they need them.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is a Vulnerability?

A

A weakness that could be accidentally triggered or intentionally exploited to cause a security breach.

3
Q

What is a Threat?

A

The potential for someone or something to exploit a vulnerability and breach security.
Can be intentional or unintentional.
The person or thing that poses the threat is called a threat actor or threat agent.
The path or tool used by a malicious threat actor can be referred to as the attack vector.

4
Q

What is Risk?

A

The likelihood and impact (or consequence) of a threat actor exercising a vulnerability.

Risk is a product, not a sum: Risk = Threat × Vulnerability (with Impact as the third factor). If there is no threat actor able to reach the system, or no vulnerability for one to exercise, there is no risk.

5
Q

What is it called when you make a system more secure?

A

hardening.

6
Q

What is Risk Management?

A

A process for identifying, assessing and mitigating vulnerabilities and threats to the essential functions that a business must perform to serve its customers.

Most companies will institute enterprise risk management (ERM) policies and procedures, based on published frameworks.

7
Q

What is Risk Assessment?

A

A subset of risk management where the company’s systems and procedures are audited for risk factors.

Separate assessments can be devised to perform an initial evaluation and ongoing monitoring of threats, vulnerabilities, and security posture.

8
Q

What is Posture assessment?

A

An audit process and tools for verifying compliance with a compliance framework or configuration baseline.
Can be used to assess the organization’s maturity level in its use of security policies and controls.

9
Q

What is an IT service framework?

A

A framework to provide best practice guides to implementing IT and cybersecurity.
These frameworks can shape company policies and provide checklists of procedures, activities, and technologies that should ideally be in place.

10
Q

What is the purpose of a security control?

A

Designed to give a system or data asset the properties of confidentiality, integrity, availability, and non-repudiation.

NOTE: Can be expensive.

11
Q

What is a MEF?

A

Mission Essential Function.
Business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all.
If there is a service disruption this must be restored first.

12
Q

What is a BIA?

A

Business Impact Analysis.
A systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations.

13
Q

What does regulatory compliance do?

A

Imposes externally determined requirements on companies in certain industries or when processing certain types of data.
These regulations might dictate the type of controls that must be deployed, and the type and frequency of audits.

14
Q

What is PII?

A

Personally Identifiable Information.
Data that can be used to identify, contact, locate, or describe an individual.
ex. SSN, name, DOB, biometric data etc.

International, national, and state legislation can impose regulations on the collection and processing of personal data.

15
Q

What is GDPR?

A

General Data Protection Regulation.
EU privacy legislation that governs the collection and processing of personal data (PII).
Under GDPR, personal data cannot be collected, processed, or retained without a lawful basis, most commonly the individual's informed consent, unless there are other overriding considerations such as a legal obligation or the public interest.
Protects the personal data of data subjects in the EU (residents, not only citizens) and applies to any organization that processes that data, wherever the organization is located.
Gives data subjects the right to withdraw consent, and rights of access, correction and erasure.
Transfers of personal data outside the EU Single Market are restricted unless an adequate level of protection is guaranteed. The US Privacy Shield arrangement served that purpose until the Court of Justice of the EU invalidated it in July 2020 (the Schrems II ruling); its successor is the EU-US Data Privacy Framework adopted in 2023.

16
Q

What is data Sovereignty?

A

The principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction.

17
Q

What is data locality?

A

It establishes storage and processing boundaries based on national or state borders.
Most cloud storage and processing solutions offer data locality tools.

ex. if a healthcare database is hosted in the cloud, data locality could be configured to prevent an administrator from replicating it to any datacenter outside the United States.

18
Q

What is PCI DSS?

A

Payment Card Industry Data Security Standard.
This is the information security standard for organizations that process credit or bank card payments.
Organizations that directly process credit card transactions, and the service providers that handle cardholder data on their behalf, must comply with PCI DSS to safeguard the cardholder data environment (CDE): the people, processes and systems that store, process or transmit cardholder data.

19
Q

What does access control govern?

A

How subjects interact with objects.
Subjects= people, devices, software processes, or any other system that can request and be granted access to a resource.
Objects= the resources. Can be a network, server, database, app, or file.
Subjects are assigned rights or permissions on resources.

20
Q

What are the 2 main types of cryptographic cipher or algorithm?

A

Encryption Algorithm: Converts plaintext to ciphertext under a key. The ciphertext can only be read after decryption with the key linked to the encryption: the same secret key for a symmetric cipher, or the paired private key for an asymmetric (public key) cipher.

Cryptographic Hash Algorithm: Converts a variable-length input into a fixed-length hash (digest). The function is one-way, so the input cannot be recovered from the hash, and collision resistant, so it is infeasible to find two inputs with the same hash. Comparing a freshly computed hash with a trusted reference value proves the data hasn't been modified. NOTE: a hash alone does not prove who produced the data; an attacker who can alter the data can recompute the hash, so authenticity needs a keyed construction (an HMAC or a digital signature).

21
Q

What is an exploit?

A

Code or a technique that takes advantage of a specific vulnerability to make a target behave in a way its designers did not intend; for example, the method by which malware code infects a target host via a flaw in a software process. Also called an exploit technique.

22
Q

What is a Vulnerability Assessment?

A

An evaluation of a system's security posture and its ability to meet compliance requirements, based on the configuration state of the system (installed software and versions, missing patches, insecure settings).
Also called vulnerability testing.

23
Q

What are deception and disruption technologies?

A

Cybersecurity resilience tools (decoy hosts, services, files and credentials) that raise the attacker's cost and cognitive load: the attacker wastes time on targets of no value, must constantly adapt tactics, techniques, and procedures (TTPs), and reveals those TTPs to the defender in the process.

24
Q

What is a honeypot?

A

A decoy computer system designed to attract attackers.
By analyzing the attack strategies and tools used against it, defenders get early warning of attack attempts and valuable insight into attacker behavior.
The decoy can be a host (honeypot), a network (honeynet), a file (honeyfile), or a credential/token (honeytoken), set up to lure attackers away from assets of actual value and/or to discover attack strategies and weaknesses in the security configuration. Because no legitimate user has a reason to touch a decoy, any interaction with it is a high-confidence indicator.

A honeypot or honeynet is more likely to be located in a protected but untrusted area between the Internet and the private network (a screened subnet, commonly called a DMZ) or on a closely monitored and filtered segment within the private network itself.

25
Q

What is threat research?

A

A counterintelligence gathering effort in which security companies and researchers attempt to discover the tactics, techniques, and procedures (TTPs) of threat actors.
26
Q

What are the 3 forms information from threat research can take?

A

Behavioral threat research: Narrative commentary describing examples of attacks and TTPs gathered through primary research sources.

Reputational threat intelligence: Lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware.

Threat data: Computer data that can correlate events observed on a customer's own networks and logs with known TTP and threat actor indicators.
27
Q

What is TTP?

A

Tactics, Techniques, and Procedures.
28
Q

What are footprinting and fingerprinting attacks?

A

Footprinting: Allows a threat actor to discover the topology and general configuration of the network and security systems.

Fingerprinting: Allows a threat actor to identify device and OS types and versions, for example from banner text, TCP/IP stack quirks, or the set of open ports.

Both are enumeration or information gathering attacks.
29
Q

What are spoofing attacks?

A

Covers a wide range of attacks, but generally it is an attack technique where the threat actor disguises his or her identity or impersonates another user or resource. ex. phishing (impersonating a trusted sender) and pharming (impersonating a legitimate website); at lower layers, IP, MAC and ARP spoofing.
30
Q

What is pharming?

A

An attack that secretly redirects users from legitimate websites to fake, attacker-controlled websites. Unlike phishing, it does not rely on tricking the user into clicking a link; the name resolution itself is corrupted (a poisoned DNS cache or a modified HOSTS file), so the user types the correct address and still lands on the attacker's site.
31
Q

What is a DRDoS/amplification attack?

A

Distributed reflection DoS.
The adversary sends requests whose source IP address is spoofed to the victim's address to many third-party servers (the reflectors). The reflectors send their responses to the victim, which rapidly consumes the victim's available bandwidth. The classic example is spoofed SYNs answered with SYN/ACKs. A reflection attack becomes an amplification attack when the reflector's response is much larger than the request, as with open DNS resolvers, NTP and memcached, so a small amount of attacker bandwidth becomes a large flood at the victim. Because the reflectors are legitimate servers, the victim sees traffic from many real addresses rather than from the attacker.
32
Q

What are botnets?

A

A group of hosts or devices that have been infected by a control program called a bot, which enables attackers to exploit the hosts to mount attacks. Each infected host is also referred to as a zombie. A threat actor will first compromise one or two machines to use as handlers or herders. The handlers are used to compromise hundreds, thousands, or even millions of zombie hosts and install DDoS tools on them.
33
Q

What is the network established between the handlers and bots called in a botnet?

A

Command and control (C2 or C&C) network.
34
Q

What are PUPs and PUAs?

A

Potentially Unwanted Programs and Potentially Unwanted Applications.
Software installed alongside a package selected by the user, or bundled with a new computer system. It is not automatically regarded as malicious: it may have been installed without active consent, or with consent obtained through a purposefully confusing license agreement. Sometimes described as grayware.
35
Q

What is a payload?

A

An action performed by the malware other than simply replicating or persisting on a host. ex. Spyware, rootkit, remote access Trojan (RAT) or backdoor, and ransomware.
36
Q

What is "Fileless" malware, what does it do?

A

Fileless is not a definitive classification, but it describes a collection of common behaviors and techniques:

- It does not write its code to disk. The malware uses memory-resident techniques to run in its own process, within a host process or dynamic link library (DLL), or within a scripting host.
- It uses lightweight shellcode to achieve a backdoor mechanism on the host. The shellcode is easy to recompile in an obfuscated form to evade detection by scanners.
- It may use "living off the land" techniques rather than compiled executables to evade detection, meaning the malware uses legitimate system scripting tools, notably PowerShell and Windows Management Instrumentation (WMI), to execute payload actions.

Can be classified as an APT, an AVT, or a low-observable characteristics (LOC) attack.
37
Q

What is APT and AVT?

A

Advanced persistent threat and advanced volatile threat.
An APT describes an attacker's ability to obtain, maintain, and diversify access to network systems using exploits and malware, typically over a long period. An AVT is the same capability applied through memory-resident (volatile) techniques that leave little or nothing on disk. Both terms are used to describe the general class of modern fileless / living-off-the-land malware.
38
Q

What is an on-path attack?

A

A specific type of spoofing attack (formerly called a man-in-the-middle attack) where a threat actor compromises the connection between two hosts and transparently intercepts and relays all communications between them. The threat actor might also have the opportunity to modify the traffic before relaying it.
39
Q

What is ARP spoofing and ARP poisoning?

A

ARP spoofing: The act of sending false ARP messages (typically unsolicited or gratuitous ARP replies) onto a local network. These messages associate the attacker's MAC address with the IP address of another host, such as the default gateway. ARP has no authentication, so hosts update their cache with whatever they receive.

ARP poisoning: The result of ARP spoofing. It describes the corrupted state of the ARP cache, where devices on the network have been tricked into sending frames for that IP address to the attacker's MAC address. Poisoning both the victim and the gateway puts the attacker on-path in both directions.

These attacks are directed at hosts, and only work within a single broadcast domain (ARP does not cross routers). Mitigations: dynamic ARP inspection on switches, static ARP entries for critical hosts, and monitoring for IP-to-MAC binding changes.
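An added example (not part of the original flashcards) showing both halves of the card above: building the unsolicited ARP reply a spoofing tool sends, and a passive detector that records each IP-to-MAC binding announced in ARP replies and alerts when a binding changes. The frames and addresses are constructed for the example; nothing is put on the wire.

```python
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying an ARP reply (RFC 826 layout).
    A spoofing tool sends this unsolicited: sender_ip is the gateway's
    address but sender_mac is the attacker's own NIC."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    arp = frame[14:]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": mac_str(arp[8:14]), "sender_ip": ip_str(arp[14:18]),
            "target_mac": mac_str(arp[18:24]), "target_ip": ip_str(arp[24:28])}


class ArpWatch:
    """Passive detector: remembers the MAC each IP claimed in ARP replies and
    reports when an IP suddenly claims a different MAC (the poisoned state)."""

    def __init__(self):
        self.table = {}     # ip -> mac
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.table.get(ip)
        if known is not None and known != mac:
            self.alerts.append(f"{ip} changed from {known} to {mac}")
        self.table[ip] = mac


def demo():
    """Constructed traffic: the real gateway answers first, then an attacker
    claims the gateway's IP with its own MAC."""
    gateway_mac, victim_mac = "00:11:22:33:44:01", "00:11:22:33:44:50"
    attacker_mac = "00:de:ad:be:ef:00"
    watch = ArpWatch()
    watch.observe(build_arp_reply(gateway_mac, "192.168.1.1", victim_mac, "192.168.1.50"))
    watch.observe(build_arp_reply(attacker_mac, "192.168.1.1", victim_mac, "192.168.1.50"))
    return watch.alerts


if __name__ == "__main__":
    print(demo())
```

The detector is the same logic tools such as arpwatch use; in production it would read frames from a capture interface and seed its table from a trusted baseline (the gateway's real MAC) so that the attacker cannot win simply by replying first.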
40
Q

What is MAC flooding?

A

An attack often grouped with ARP poisoning, but one that targets the switch rather than the hosts: the attacker inundates the switch with frames from random source MAC addresses. The intention is to exhaust the memory used to store the switch's MAC address table (the CAM table). Once the table is full the switch cannot learn new addresses; as existing entries age out it no longer knows where legitimate hosts are, so it floods unicast traffic for them out of all ports (fail-open mode, like a hub), making sniffing network traffic easier for the threat actor. Mitigation: port security, which limits the number of MAC addresses a port may learn.
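An added example (not from the original flashcards) that models the behaviour described above: a toy learning switch with a small CAM table and an aging timer, an attacker burst of random source MACs, and the simple detector a monitoring system would run (too many distinct source MACs on one port in a short window). The capacity of 8 entries and all addresses are constructed for the demonstration.

```python
import random
from collections import defaultdict, deque


class LearningSwitch:
    """Toy model of a switch: learns source MACs into a fixed-size CAM table,
    ages entries out, and floods frames whose destination it does not know."""

    def __init__(self, ports, cam_capacity, aging_secs=300):
        self.ports = set(ports)
        self.cam_capacity = cam_capacity
        self.aging_secs = aging_secs
        self.cam = {}               # mac -> (port, last_seen)

    def _age_out(self, now):
        stale = [m for m, (_, seen) in self.cam.items() if now - seen > self.aging_secs]
        for m in stale:
            del self.cam[m]

    def forward(self, now, ingress, src, dst):
        """Return the set of egress ports for a frame."""
        self._age_out(now)
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = (ingress, now)      # a full table silently drops new learns
        entry = self.cam.get(dst)
        if entry is None:
            return self.ports - {ingress}       # unknown unicast is flooded like a hub
        return {entry[0]}


def flood_detector(frames, window_secs=10, threshold=50):
    """frames: iterable of (time, ingress_port, src_mac).
    Flags ports that show more than `threshold` distinct source MACs within `window_secs`."""
    recent = defaultdict(deque)
    flagged = set()
    for t, port, src in frames:
        q = recent[port]
        q.append((t, src))
        while q and t - q[0][0] > window_secs:
            q.popleft()
        if len({s for _, s in q}) > threshold:
            flagged.add(port)
    return flagged


def demo():
    """Constructed scenario: legitimate hosts on ports 1 and 2, an attacker on
    port 3. Returns (egress ports before the attack, egress ports after it, flagged ports)."""
    sw = LearningSwitch(ports=[1, 2, 3], cam_capacity=8)   # tiny capacity to keep the demo short
    log = []

    def send(t, port, src, dst):
        log.append((t, port, src))
        return sw.forward(t, port, src, dst)

    host_a, host_b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    send(0, 1, host_a, host_b)
    before = send(1, 2, host_b, host_a)          # B -> A is switched to port 1 only

    rnd = random.Random(7)

    def burst(start):
        for i in range(100):
            fake = "02:" + ":".join(f"{rnd.randrange(256):02x}" for _ in range(5))
            send(start + i * 0.01, 3, fake, "ff:ff:ff:ff:ff:ff")

    burst(1)        # fills the CAM table while the legitimate entries are still present
    burst(302)      # after aging, the table refills with attacker MACs only
    after = send(303, 1, host_a, host_b)         # B is now unknown: frame floods to ports 2 and 3
    return before, after, flood_detector(log)
```

The second burst is the important one: the attack does not need to evict existing entries, it only needs to keep the table full until they age out, after which the legitimate hosts can never be relearned and every frame to them reaches the attacker's port.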
41
Q

What is VLAN hopping?

A

An attack designed to send traffic to a VLAN other than the one the attacking host is in. Two techniques:

Double tagging: The attacker's frame carries two 802.1Q tags. The outer tag matches the native (untagged) VLAN of the trunk, so the first switch strips it and forwards the frame over the trunk; the next switch reads the inner tag and delivers the frame into the target VLAN. Such an attack can only send frames one way (replies cannot come back the same route) but could be used to perform a DoS attack against a host on a different VLAN. It is defeated by setting the native VLAN to an unused VLAN ID and not assigning any access port to it.

Switch spoofing: The attacker attaches a device that imitates a switch and negotiates the creation of a trunk port (via Dynamic Trunking Protocol, DTP, on switches that leave it enabled). As a trunk port, the attacker's device will receive all inter-VLAN traffic. It is defeated by disabling DTP and configuring access ports explicitly.
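An added example (not from the original flashcards) that builds the double-tagged frame and models what each switch does with it, so the one-way nature of the attack and the native-VLAN mitigation are both visible. Assumptions, as in the textbook description of the attack: the attacker sits in the trunk's native VLAN, the first switch strips exactly one tag when sending a native-VLAN frame down the trunk, and the second switch classifies a trunk frame by the first tag it sees. MAC addresses and VLAN IDs are constructed.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def vlan_tag(vid: int, pcp: int = 0) -> bytes:
    """One 802.1Q tag: TPID 0x8100 followed by PCP/DEI/VID."""
    return struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | (vid & 0x0FFF))


def build_double_tagged(dst: bytes, src: bytes, outer_vid: int, inner_vid: int, payload: bytes) -> bytes:
    """The attacker's frame: outer tag = the trunk's native VLAN, inner tag = the victim's VLAN."""
    return dst + src + vlan_tag(outer_vid) + vlan_tag(inner_vid) + struct.pack("!H", ETHERTYPE_IPV4) + payload


def pop_tag(frame: bytes):
    """Return (vid, frame with that tag removed), or (None, frame) if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def trunk_egress(frame: bytes, native_vid: int) -> bytes:
    """Switch 1 sending the frame down the trunk: frames in the native VLAN go
    out untagged, so a tag equal to the native VLAN is stripped. Only one tag
    is examined, which is what the attack relies on."""
    vid, rest = pop_tag(frame)
    if vid is not None and vid == native_vid:
        return rest
    return frame


def trunk_ingress(frame: bytes, native_vid: int):
    """Switch 2 receiving from the trunk: a tagged frame belongs to the tagged
    VLAN, an untagged frame to the native VLAN. Returns (vlan, frame)."""
    vid, rest = pop_tag(frame)
    return (native_vid if vid is None else vid), rest


def hop(native_vid: int, attacker_vid: int = 1, victim_vid: int = 20) -> int:
    """VLAN in which switch 2 delivers the attacker's double-tagged frame."""
    attacker_mac = bytes.fromhex("0200000000aa")   # constructed addresses
    victim_mac = bytes.fromhex("0200000000bb")
    frame = build_double_tagged(victim_mac, attacker_mac, attacker_vid, victim_vid, b"payload")
    on_trunk = trunk_egress(frame, native_vid)
    vlan, _ = trunk_ingress(on_trunk, native_vid)
    return vlan


if __name__ == "__main__":
    print("native VLAN 1:  delivered into VLAN", hop(native_vid=1))     # 20: attack succeeds
    print("native VLAN 999: delivered into VLAN", hop(native_vid=999)) # 1: frame stays in attacker's VLAN
```

With the native VLAN set to an unused ID (999), the outer tag no longer matches it, nothing is stripped, and the second switch classifies the frame into VLAN 1 where the attacker already is. The victim's reply is a normal single-tagged VLAN 20 frame and is never delivered into VLAN 1, which is why the attack is one-way.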
42
Q

What is a STP manipulation attack?

A

The attacker connects a device that participates in Spanning Tree Protocol and sends bridge protocol data units (BPDUs) advertising a superior (lower) bridge priority, so the network elects the attacker's device as the root bridge. Traffic between segments is then switched through the attacker, who can use a sniffer to collect data traversing the network. Mitigation: BPDU Guard and Root Guard on ports that should never see another switch.
43
Q

What does MAC spoofing do?

A

Changes the Media Access Control (MAC) address presented by a device's network interface to a different value. This can be done for various reasons, including impersonating another device on the network, for example to defeat MAC-based access control lists or to take over the identity of a trusted device on a port protected by port security.
44
Q

What are rogue devices and services?

A

A device or service on your network that isn't under the administrative control of the network staff is called rogue. Rogue devices and services are not always malicious (see shadow IT and accidental rogue DHCP servers), but they are unmanaged and unmonitored, and a malicious one can subvert most network hardware and services. Rogue devices and services could include wireless access points, DHCP servers, DNS servers, etc. Malicious rogues exist to intercept or steal sensitive information such as credit card numbers and passwords, or to give the attacker a foothold inside the network.
45
Q

What is Shadow IT?

A

Where users purchase or introduce computer hardware or software to the workplace without the sanction of the IT department and without going through a procurement and security analysis process.
46
Q

What is zeroconf?

A

Zero Configuration Networking. A standards-based approach to technologies that allow hosts to obtain a usable network configuration and discover services automatically, without DHCP or DNS server infrastructure: link-local addressing (APIPA, 169.254.0.0/16, and IPv6 fe80::/10), multicast DNS (mDNS) for name resolution, and DNS service discovery (DNS-SD). Because any host on the segment can answer these multicast queries, zeroconf name resolution is also an avenue for spoofing (LLMNR/mDNS poisoning) and is usually restricted on enterprise networks.
47
Q

What is a rogue DHCP server?

A

A DHCP server not authorized by the network staff. It can be deployed accidentally (forgetting to disable the DHCP server in an access point or router, for instance) or on purpose by a malicious threat actor to subvert the network. Clients that obtain a lease from the rogue server end up with an attacker-chosen IP configuration, in particular a default gateway and DNS server addresses that point at the attacker, so off-subnet traffic and name lookups pass through hosts the attacker controls. This is a means of using DHCP to facilitate an on-path attack. Because a client accepts the first OFFER it receives, a rogue server that answers faster than the legitimate one can win even without DHCP starvation. Mitigation: DHCP snooping on switches, which drops DHCP server messages arriving on untrusted ports.
48
Q

What is a DHCP starvation attack?

A

An attack that floods a legitimate DHCP server with DHCPDISCOVER requests, each carrying a different (spoofed) client hardware address, to use up every lease in the server's address pool (scope). An exhausted DHCP scope means legitimate hosts cannot obtain a lease, so they are forced to take one from a rogue DHCP server that the attacker runs alongside the attack. NOTE: on its own, a DHCP starvation attack is a denial of service (DoS) mechanism.
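An added example (not from the original flashcards) covering the two DHCP cards above: a minimal DHCP message builder and option parser in the RFC 2131 layout, and a monitor that raises one alert for a starvation burst (many distinct client MACs in a short window) and one for an OFFER whose server identifier (option 54) is not on the allowlist. The server addresses, thresholds and traffic are constructed for the example; on a real network the monitor would be fed from a capture of UDP port 67/68.

```python
import random
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255


def ip4(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", server_id=None) -> bytes:
    """Minimal DHCP message: RFC 2131 fixed fields, magic cookie, a few options."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)  # htype Ethernet, hlen 6, broadcast flag
    hdr += bytes(4) + ip4(yiaddr) + bytes(8)                     # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr + bytes(10) + bytes(64) + bytes(128)           # chaddr (16 bytes), sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + ip4(server_id)
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_dhcp(msg: bytes) -> dict:
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", msg[:12])
    if msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:       # TLV options until END
        if msg[i] == OPT_PAD:
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid,
            "chaddr": msg[28:28 + hlen].hex(":"),
            "yiaddr": ".".join(str(b) for b in msg[16:20]),
            "options": opts}


class DhcpMonitor:
    """Flags OFFERs from servers not on the allowlist (rogue DHCP) and bursts of
    DISCOVERs from many distinct client MACs (starvation)."""

    def __init__(self, authorized_servers, window_secs=60, discover_threshold=20):
        self.authorized = set(authorized_servers)
        self.window = window_secs
        self.threshold = discover_threshold
        self.discovers = []          # (time, chaddr) inside the window
        self.starvation_reported = False
        self.alerts = []

    def observe(self, now: float, msg: bytes) -> None:
        pkt = parse_dhcp(msg)
        mtype = pkt["options"].get(OPT_MSG_TYPE, b"\x00")[0]
        if mtype == DHCPOFFER:
            sid = ".".join(str(b) for b in pkt["options"].get(OPT_SERVER_ID, b""))
            if sid not in self.authorized:
                self.alerts.append(f"rogue DHCP offer of {pkt['yiaddr']} from server {sid}")
        elif mtype == DHCPDISCOVER:
            self.discovers = [(t, c) for t, c in self.discovers if now - t <= self.window]
            self.discovers.append((now, pkt["chaddr"]))
            distinct = {c for _, c in self.discovers}
            if len(distinct) > self.threshold and not self.starvation_reported:
                self.starvation_reported = True
                self.alerts.append(f"possible DHCP starvation: {len(distinct)} client MACs in {self.window}s")


def demo():
    """Constructed traffic: 30 DISCOVERs with spoofed MACs in 3 seconds, then a
    legitimate OFFER from 10.0.0.1 and a rogue OFFER from 10.0.0.254."""
    mon = DhcpMonitor(authorized_servers={"10.0.0.1"}, discover_threshold=20)
    rnd = random.Random(1)
    for i in range(30):
        spoofed = bytes([0x02]) + bytes(rnd.randrange(256) for _ in range(5))
        mon.observe(i * 0.1, build_dhcp(BOOTREQUEST, 0x1000 + i, spoofed, DHCPDISCOVER))
    client = bytes.fromhex("001122334455")
    mon.observe(5.0, build_dhcp(BOOTREPLY, 0x2000, client, DHCPOFFER, "10.0.0.50", "10.0.0.1"))
    mon.observe(6.0, build_dhcp(BOOTREPLY, 0x2000, client, DHCPOFFER, "10.0.0.51", "10.0.0.254"))
    return mon.alerts
```

The allowlist check is what DHCP snooping does in hardware (server messages are only accepted on trusted ports); the DISCOVER counter is the equivalent of its per-port rate limit. Both checks key on the chaddr field and option 54, which is why a real monitor must parse options rather than trust the fixed header alone.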
49
Q

What is DNS Client Cache Poisoning?

A

If an attacker is able to place a false name:IP address mapping in the HOSTS file, the client uses it in place of a DNS lookup, effectively poisoning the client's resolver cache, and every connection to that name is redirected to the attacker's address. Because most systems consult the HOSTS file before DNS, this works even when the DNS infrastructure itself is untouched.
50
Q

What are HOSTS files?

A

Name resolution using a text file named HOSTS was used before DNS was developed. Even though most name resolution now goes through DNS, the HOSTS file is still present and most operating systems check the HOSTS file before using DNS, so an entry in it overrides the DNS answer.
Modifying the file requires administrator (root) access.
On UNIX and Linux systems it is stored as /etc/hosts.
On Windows it is placed in %SystemRoot%\System32\Drivers\etc\hosts.
51
Q

What is DNS Server Cache Poisoning?

A

Aims to corrupt the records held by the DNS server (resolver) itself, so that every client using that server is misdirected.
One method is getting the victim name server to perform a recursive query on the attacker's behalf. A recursive query compels the DNS server to query the authoritative server for the answer on behalf of the client. The attacker's DNS server, which is genuinely authoritative for the attacker's own domain, responds with the answer to the query but also includes false domain:IP mappings for other domains; a resolver that accepts those as genuine caches them and serves them to every client.
Modern resolvers defend against this with bailiwick checks (records for names outside the zone being queried are discarded rather than cached), source port and transaction ID randomization, and DNSSEC validation.
Use the nslookup or dig tool to query the name records and cached records held by a server to discover whether any false records have been inserted (dig +norecurse returns only what the resolver already holds in its cache).
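An added example (not from the original flashcards) of the bailiwick rule that stops the poisoning described above. The reply is a constructed set of decoded resource records, not wire-format DNS: the attacker's server is authoritative for attacker.example and pads its answer with records for examplebank.com. A naive resolver caches everything; a checked resolver keeps only records under the zone it asked.

```python
def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or a name below it (label-wise, not a substring match)."""
    owner, zone = owner.rstrip(".").lower(), zone.rstrip(".").lower()
    return owner == zone or owner.endswith("." + zone)


def naive_cache(records):
    """What a resolver without bailiwick checking caches: every record in the reply."""
    return {(rr["name"], rr["type"]): rr["data"] for rr in records}


def checked_cache(zone: str, records):
    """Cache only records the responding server is entitled to speak for.
    Returns (cached, rejected)."""
    cached, rejected = {}, []
    for rr in records:
        if in_bailiwick(rr["name"], zone):
            cached[(rr["name"], rr["type"])] = rr["data"]
        else:
            rejected.append(rr)
    return cached, rejected


# Constructed reply from an attacker-run server that is genuinely authoritative
# for attacker.example but pads the additional section with records for another domain.
POISONED_REPLY = [
    {"section": "answer",     "name": "www.attacker.example.", "type": "A",  "data": "198.51.100.10"},
    {"section": "authority",  "name": "attacker.example.",     "type": "NS", "data": "ns1.attacker.example."},
    {"section": "additional", "name": "ns1.attacker.example.", "type": "A",  "data": "198.51.100.53"},
    {"section": "additional", "name": "www.examplebank.com.",  "type": "A",  "data": "198.51.100.66"},
    {"section": "additional", "name": "examplebank.com.",      "type": "NS", "data": "ns1.attacker.example."},
]


def demo():
    naive = naive_cache(POISONED_REPLY)
    safe, rejected = checked_cache("attacker.example", POISONED_REPLY)
    return naive, safe, rejected


if __name__ == "__main__":
    naive, safe, rejected = demo()
    print("naive cache holds bank record:", ("www.examplebank.com.", "A") in naive)
    print("checked cache holds bank record:", ("www.examplebank.com.", "A") in safe)
    print("rejected:", [(rr["name"], rr["type"]) for rr in rejected])
```

The endswith check on "." + zone matters: a plain substring test would accept notattacker.example as being inside attacker.example. The same rule is why the examplebank.com NS record is dropped too; if it were cached, the attacker's server would become the resolver's idea of the bank's name server, which is worse than one poisoned A record.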
52
Q

What is a common indicator of a compromised machine in the context of DNS attacks?

A

The presence of unexpected or malicious entries in the HOSTS file. Because the HOSTS file is consulted before DNS, such entries redirect traffic for a name to an attacker's address, or block resolution entirely (mapping a name to 0.0.0.0 or 127.0.0.1 to stop security updates), without any change to the DNS infrastructure. Compare the file against a known-good baseline during incident triage.
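An added example (not from the original flashcards) for the HOSTS file cards above: a small checker that parses HOSTS file content and reports mappings that a baseline does not explain, treating names on a watch list (banks, vendor update hosts, security tools) as redirected or sinkholed. The sample file, the watch list and the baseline are constructed; on a real host you would read /etc/hosts or %SystemRoot%\System32\Drivers\etc\hosts.

```python
import ipaddress

# Constructed sample of a tampered HOSTS file; not taken from a real machine.
SAMPLE_HOSTS = """\
# localhost entries are normal
127.0.0.1       localhost
::1             localhost ip6-localhost
10.0.0.5        build-server.corp.example   # legitimate internal override
# lines below were added by an attacker
203.0.113.7     www.examplebank.com
0.0.0.0         update.microsoft.com
"""

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback", "broadcasthost"}


def parse_hosts(text: str):
    """Return (line_number, ip_address, hostname) for every mapping in HOSTS file text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, not a mapping
        for name in fields[1:]:                   # one address may carry several names
            entries.append((lineno, addr, name.lower()))
    return entries


def suspicious_entries(text: str, watch_domains, baseline):
    """Return (line, name, reason) for mappings the baseline does not explain.
    Names under watch_domains are reported whatever address they map to."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if addr.is_loopback and name in LOOPBACK_NAMES:
            continue                                      # stock entries
        if name in baseline and ipaddress.ip_address(baseline[name]) == addr:
            continue                                      # known, expected override
        watched = any(name == d or name.endswith("." + d) for d in watch_domains)
        if watched and (addr.is_unspecified or addr.is_loopback):
            findings.append((lineno, name, "sinkholed: resolution blocked"))
        elif watched:
            findings.append((lineno, name, f"redirected to {addr}"))
        else:
            findings.append((lineno, name, f"not in baseline, maps to {addr}"))
    return findings


def demo():
    return suspicious_entries(
        SAMPLE_HOSTS,
        watch_domains={"examplebank.com", "microsoft.com", "windowsupdate.com"},
        baseline={"build-server.corp.example": "10.0.0.5"},
    )


if __name__ == "__main__":
    for line, name, reason in demo():
        print(f"line {line}: {name}: {reason}")
```

The sinkhole case is worth keeping separate from the redirect case: malware that maps vendor update and antivirus hosts to 0.0.0.0 is not stealing traffic, it is stopping the machine from ever being cleaned, and a checker that only looks for unexpected public addresses would miss it.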
53
Q

What does Nmap use to determine whether a host is present when used without switches?

A

Without switches (for example nmap 192.168.1.0/24), Nmap performs host discovery first and then scans the 1,000 most common TCP ports on each host that responded.
As a privileged user (root or Administrator), the default host discovery sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request; on a directly attached Ethernet segment it uses ARP requests instead, which cannot be filtered by a host firewall.
As an unprivileged user, which cannot send raw packets, it attempts a TCP connect() to ports 80 and 443 instead.
Any reply, including a TCP RST, marks the host as up. Hosts that filter all of these probes are missed, so add targeted probes (-PS with a port list, -PU) or use -Pn to skip discovery and scan every address.