Networking Essentials Lesson 19: Applying Network Hardening Techniques

Applying Network Hardening Techniques Objectives: - Compare and contrast types of attacks - Apply network hardening techniques


39 Terms

1

General Attack Types

  • Understanding attacker types and their motivations

  • Footprinting and fingerprinting

    • Discover how the network and its security systems are configured

    • Enumeration: Attack that aims to list resources on the network, host, or system as a whole to identify potential targets for further attack.

    • Information gathering attacks

  • Spoofing

    • Any type of attack where the attacker disguises his or her identity

    • Things like phishing and pharming

  • Denial of Service Attacks (DoS)

    • Any attack that causes a service to become unavailable to users

    • May be purely destructive or may allow attacker to spoof the legitimate service

2

On-path Attacks

  • Threat actor intercepts communication path

    • “Man-in-the-Middle (MitM)”

    • Where a threat actor compromises the connections between two hosts and transparently intercepts and relays all communications between them.

  • MAC spoofing and IP spoofing

    • Arbitrarily change address value in packet

    • Try to circumvent an ACL (access control list) or impersonate a legitimate server

  • ARP spoofing

    • Broadcast unsolicited/gratuitous ARP replies

    • Because ARP has no security, all devices in the same broadcast domain as the rogue host trust this communication and update their MAC:IP address cache table with the spoofed address.

    • Masquerade as MAC address of default gateway

      • If the attack is successful, all traffic destined for remote networks will be sent to the attacker

    • Because the threat actor broadcasts endless ARP replies, it overwhelms the legitimate interface.

  • Rogue DHCP

    • Configure clients with malicious default gateway/DNS server IP

    • DHCP communications cannot be authenticated, so a host will generally trust the first offer packet that it receives.

    • Threat actor can take advantage of this to set their machine as the subnet’s default gateway or DNS resolver.

3

DNS Poisoning Attacks

  • DNS poisoning: Attack where a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker's choosing.

  • Spoofing trusted hosts/sites (pharming)

    • The attacker can then intercept all the packets directed to mybank.example and bounce them to the real site, leaving the victim unaware of what is happening (referred to as pharming).

  • Denial of Service (DoS)

    • Directing all traffic for a particular FQDN to an invalid IP address (a black hole)

  • Client-side attacks (corrupting the client’s name resolution process)

    • Change/intercept resolver traffic

    • Modify HOSTS

  • Server-side attacks

    • Hack server and change name records

    • Pollute server cache

4

VLAN Hopping Attacks

  • Send traffic to VLAN that would not normally be accessible

  • Double tag exploit against weakly configured native VLANs

  • Masquerade as trunk

5

Wireless Network Attacks

  • Rogue access points

    • Definition: Wireless access point that has been enabled on the network without authorization.

    • Unauthorized AP creates a potential backdoor to attack the network

    • Risks from shadow IT

  • Evil twins

    • Definition: Wireless access point that deceives users into believing that it is a legitimate network access point.

    • Spoofs SSID and BSSID (MAC) of legitimate AP

      • “compeny” vs “company”

    • When a user connects to an evil twin, it might be able to harvest authentication information and, if it is able to provide wider network or Internet access, execute an on-path attack to snoop on connections established with servers or websites.

  • Deauthentication attacks

    • Definition: Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack.

    • Cause client(s) to disconnect from AP

    • This might allow the attacker to interpose the evil twin, sniff information about the authentication process, or perform a denial of service (DoS) attack against the wireless infrastructure.

6

Distributed DoS Attacks and Botnets

  • DDoS definition: Attack that involves the use of infected Internet-connected computers and devices to disrupt the normal flow of traffic of a server or service by overwhelming the target with traffic.

  • Co-ordinated attacks launched by multiple hosts simultaneously

    • Overwhelm bandwidth

    • Overwhelm processing resource (flood state table)

    • Or potentially crash the host system completely

  • Distributed reflection DoS

    • Amplification attack

    • Spoof victim IP to overwhelm it with responses (trying to open connections with multiple servers)

    • The SYN/ACK responses go to the victim server, rapidly consuming the victim’s available bandwidth

  • Botnets

    • Group of compromised hosts used to perpetrate DDoS/DRDoS

    • Handler/herders versus bots

    • Command and control (C&C/C2) network

7

Malware and Ransomware Attacks

  • Malware classification by vector

    • Viruses and worms

      • These represent some of the first types of malware and spread without any authorization from the user by being concealed within the executable code of another process.

    • Trojan

      • Malware concealed within an installer package for software that appears to be legitimate. This type of malware does not seek any type of consent for installation and is actively designed to operate secretly.

    • Potentially unwanted programs (PUPs)/Potentially unwanted applications (PUAs)

      • Software installed alongside a package selected by the user or perhaps bundled with a new computer system.

  • Malware classification by payload

    • Spyware, rootkit, remote access Trojan (RAT), ransomware, ...

  • Ransomware

    • Spoof shell/dialogs/notifications

    • Crypto-malware

8

Password Attacks

  • Passwords or password hashes can be captured by obtaining a password file or by sniffing the network. If the protocol uses cleartext credentials, then the threat actor can simply read the cleartext password from the captured frames.

  • Password capture

    • Plaintext storage and transmission

    • Password hashes

  • Password hash cracking

    • Dictionary

    • Brute force

      • The software tries to match the hash against one of every possible combination it could be. If the password is short (under eight characters) and non-complex (using only letters, for instance), a password might be cracked in minutes. Longer and more complex passwords increase the amount of time the attack takes to run.

  • Protecting password hashes

    • A threat actor might obtain password hashes from a protocol such as SMB with no encryption configured.

    • The risks posed by cracking software mean that it is more secure to use end-to-end encryption, such as IPSec or Transport Layer Security (TLS).

    • This means that all payload data is encrypted, and a network sniffer cannot even recover the password hashes.

9

Human and Environmental Attacks

  • Social engineering or hacking the human

    • Reasons for effectiveness

  • Phishing

    • Social engineering over email

    • Also uses spoofed resource (website)

  • Shoulder surfing

    • Observing password/PIN entry. Like. With your Eyes.

  • Tailgating and piggybacking

    • Gaining unauthorized entry to premises

    • Following closely behind whoever opened the door

10

Response time on the website that hosts the online version of your product catalog is getting slower and slower. Customers are complaining that they cannot browse the catalog items or search for products. What type of attack do you suspect?

This is some type of Denial of Service (DoS) attack. Specifically, you might suspect a distributed DoS (DDoS) or distributed reflection DoS (DRDoS).

11

The network administrator at your organization analyzes a network trace capture file and discovers that packets have been intercepted and retransmitted to both a sender and a receiver during an active session. What class of attack has been detected?

On-path attack. Note that this was previously referred to as a man-in-the-middle (MitM) attack.

12

True or false? To perpetrate an ARP spoofing attack, the threat actor spoofs the IP address of a legitimate host, typically the subnet’s default gateway.

True. The threat actor sends gratuitous ARP replies claiming to own the IP address of the target.

13

A threat actor forces clients to disconnect from a legitimate access point to try to force them to reconnect to an access point controlled by the attacker using the same network name. What two attack types are being used?

Disconnections are performed using a deauthentication attack, while using a rogue access point to masquerade as a legitimate one is referred to as an evil twin attack.

14

Analysis of outgoing traffic shows connections by IP cameras to unidentifiable domain names. What type of traffic has been detected?

This is command and control (C-and-C or C2) traffic between a handler and botnet of compromised IP camera devices, often called an Internet of Things (IoT) botnet.

15

Employees have received emails prompting them to register for a new benefit package. The link in the mail resolves to a malicious IP address. What type of attack is being performed?

This is a phishing attack that combines social engineering (techniques that convince users that a message is genuine) with a spoofed resource.

16

Device and Service Hardening

  • Hardening means applying a secure configuration to each network host or appliance

    • Change default passwords

    • Enforce password complexity/length requirements

    • Configure role-based access

    • Disable unneeded network services

    • Disable unsecure protocols

17

Endpoint Security and Switchport Protection

  • What is endpoint security? Endpoint security is a set of security procedures and technologies designed to restrict network access at a device level.

    • Endpoint security contrasts with the focus on perimeter security established by topologies such as screened subnets and technologies such as firewalls.

    • Endpoint security is designed not to replace perimeter security but to supplement it, creating defense in depth.

  • Disable unneeded switchports

    • Restrict physical access/unplug patch cord

    • Administratively disable port

    • Assign to black hole VLAN

  • Configure protection mechanisms

    • MAC Filtering and Dynamic ARP Inspection

      • Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.

      • Dynamic ARP inspection (DAI): a switch port security feature that prevents a host attached to an untrusted port from flooding the segment with large numbers of ARP replies

    • DHCP Snooping

      • Configuring DHCP snooping causes the switch to inspect DHCP traffic arriving on access ports to ensure that a host is not trying to spoof its MAC address.

      • It can also be used to prevent rogue DHCP servers from operating on the network.

      • With DHCP snooping, only DHCP offers from ports configured as trusted are allowed.

    • Neighbor Discovery (ND) Inspection and Router Advertisement (RA) Guard

      • Perform similar functions to DAI and DHCP snooping for IPv6 networks

    • Port Security (IEEE 802.1X Port-Based Network Access Control)

      • Preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.

18

VLAN and PVLAN Best Practices

  • Private VLAN (PVLAN)

    • What is it? Method of isolating hosts to prevent hosts within the same VLAN from communicating directly.

    • Further segment traffic within host/primary VLAN

    • Promiscuous, isolated, and community ports

      • Promiscuous - can communicate with all ports in all domains within the PVLAN. Usually the port to which routed or DHCP traffic is sent

      • Isolated - can communicate with the promiscuous port only.

      • Community - can communicate with the promiscuous port and with other ports in the same community.

  • Default VLAN and native VLAN

    • VLAN ID 1 is default VLAN

      • Default VLAN ID (1) for all unconfigured switch ports.

    • Native VLAN contains untagged traffic on trunks

      • VLAN ID used for any untagged frames received on a trunk port.

      • The same ID should be used on both ends of the trunk and the ID should not be left as the default VLAN ID (1).

    • Native VLAN is also VLAN 1 by default

    • Change to unique value on both ends of trunk

19

Firewall Rules and ACL Configuration

  • Implicit deny: Firewall ACL rule configured by default to block any traffic not matched by previous rules.

  • Explicit deny: Firewall ACL rule configured manually to block any traffic not matched by previous rules.

  • Network access control list (ACL)

    • Top-to-bottom

    • Default block (implicit deny)

    • Explicit deny

    • Tuples

  • iptables

    • Chains (INPUT, OUTPUT, and FORWARD)

      • INPUT: affecting incoming connections. For example, if a user attempts to SSH into the Linux server, iptables will attempt to match the source IP address and destination port to a rule in the input chain.

      • OUTPUT: For outgoing connections. For example, if you try to ping an FQDN such as comptia.org, iptables will check its output chain to see what the rules are regarding ping and comptia.org (or the IP address that comptia.org resolves to) before deciding to allow or deny the connection attempt.

      • FORWARD: Used for connections that are passing through the host, rather than being delivered locally. Used when configuring the host as a network firewall.

    • Stateful rules

      • Rules can be assigned to these chains, or new chains can be created and then linked to the standard system chains to affect traffic flow. To view the current status of the iptables and the volume of traffic using the chains, use the command:

        iptables -L -v

20

Control Plane Policing

  • Control, data, and management planes

  • Control and management require CPU resource

  • Control and management must always be kept “open”

    • Sufficient bandwidth

    • Sufficient processing resource

  • Control plane policing policy

    • Designed to mitigate route processor vulnerabilities

    • ACL-based filters

    • Rate-limiting

21

Wireless Security

  • Preshared keys (PSKs)

    • Group authentication allows stations to connect to the network using a shared passphrase

  • Extensible Authentication Protocol

    • Allows an AP to implement a port security mechanism similar to that of switches

  • Captive portal

    • Redirecting stations to a secure web page

  • MAC filtering

    • Accept or deny list of known MAC addresses

  • Geofencing

    • Used to ensure that the station is within a valid geographic area to access the network

  • Antenna placement and power levels

    • The presence of an unusually strong transmitter may mean an evil twin rogue access point

  • Wireless client isolation

    • The access point can be configured so that stations can only communicate via the gateway rather than client to client. Peer-to-peer traffic is dropped by the AP.

    • You can do this through a VLAN

  • Guest network isolation

22

IoT Access Considerations

  • Audits to prevent use of shadow IT

  • Secure administration interfaces

  • Include IoT in patch and vulnerability management

  • Isolate management and monitoring traffic for embedded systems

  • Audit supplier security policies and procedures regularly

23

Patch and Firmware Management

  • Monitor security and patch advisories

  • Appliance firmware updates versus OS patches

  • Firmware upgrade procedure

  • Downgrading/rollback firmware

    • Configuration backup

24

The network administrator configures a switch with custom privilege levels and assigns commands to each. What type of best practice network hardening will this configuration support?

Role-based access, where different administrator and operator groups are assigned least privilege permissions.

25

A technician configures a switch with an IP address and shared secret of a network authentication server. What type of best practice network hardening is being performed?

Port security or IEEE 802.1X Port-Based Network Access Control.

26

What switch configuration feature could you use to prevent web servers in the same subnet from communicating with one another?

This can be configured using a private VLAN. The servers are all placed in the same host VLAN and communicate out of the VLAN/subnet via the promiscuous port. Each server port is configured as an isolated port. The isolated ports are not able to communicate directly.

27

What is the default rule on a firewall?

A system-defined rule that denies anything not permitted by the preceding rules. This is also referred to as an implicit deny rule. An explicit deny is one configured manually by the administrator.

28

Network hosts are flooding a switch’s SSH port with malicious traffic. The switch applies a rate-limiting mechanism to drop the traffic. What best practice network hardening control is being used?

Control plane policing. The SSH port carries management traffic. Malicious management or control traffic can be used to perform a denial of service (DoS) attack against a network appliance by overloading its general purpose CPU. A control plane policing policy protects both control and management channels against this type of attack.

29

How would a router appliance be patched to protect against a specific vulnerability described in a security advisory?

This type of OS does not support patching of individual files, so the whole OS has to be replaced with a new version. Vendors keep track of which version first addresses a specific security advisory.

30

A cyber security technician is requested to investigate a matter in which several customers have lodged complaints about computer issues after visiting the company site. Upon closer observation, the technician discovers that an unknown IP address replaced the valid IP address. What type of attack occurred in this incident?

  1. On-path attack

  2. DNS Poisoning

  3. Malware

  4. Distributed DoS (DDoS)

Answer: 2 (DNS Poisoning)

  • DNS poisoning is an attack that compromises the name resolution process.

  • An on-path attack is a specific spoofing attack where a threat actor compromises the connection between two hosts and transparently intercepts and relays all communications between them.

  • Many of the intrusion attempts perpetrated against computer networks depend on the use of malicious software or malware. Malware can be defined simply as software that does something bad from the perspective of the system owner.

  • A distributed DoS (DDoS) attack is launched simultaneously by multiple hosts. Some types of DDoS attacks aim to consume network bandwidth, denying it to legitimate hosts. Others cause resource exhaustion on the hosts processing requests, consuming CPU cycles and memory.

31

A cyber consultant is brought into a department to create security procedures and technologies designed to restrict network access at an end user device level. What is the consultant focusing on?

  1. Firewall access control lists (ACLs)

  2. Control plane policing

  3. Endpoint security

  4. Hardening

Answer: 3 (Endpoint security)

  • Endpoint security is a set of security procedures and technologies designed to restrict network access at a device level.

  • A network technician configures firewall access control lists (ACLs) based on the principle of least access. This is the same as the principle of least privilege; only allow the minimum amount of traffic required to operate valid network services and no more.

  • A control plane policing policy mitigates the risk from route processor vulnerabilities. Such a policy can use ACLs to allow or deny control traffic from certain sources and apply rate-limiting if a source threatens to overwhelm the route processor.

  • Deploying systems in a secure configuration is known as device hardening.

32

A network technician needs to strengthen the security of the company network by minimizing the amount of traffic required for the operation of the valid network services, and no additional access to be permitted. What is the technician placing into the network?

  1. Firewall access control lists (ACLs)

  2. Control plane policing

  3. Endpoint security

  4. Hardening

Answer: 1 (Firewall access control lists (ACLs))

  • A network technician configures firewall access control lists (ACLs) based on the principle of least access. This is the same as the principle of least privilege; only allow the minimum amount of traffic required to operate valid network services and no more.

  • A control plane policing policy mitigates the risk from route processor vulnerabilities. Such a policy can use ACLs to allow or deny control traffic from certain sources and apply rate-limiting if a source threatens to overwhelm the route processor.

  • Endpoint security is a set of security procedures and technologies designed to restrict network access at a device level.

  • Deploying systems in a secure configuration is known as device hardening.

33

A department head contacts a cyber consultant declaring that the team is locked out and cannot conduct any activity. While working on the system, the consultant notices a demand for money, or the department will never get their data back. What is this type of attack called?

  1. DRDoS

  2. DDoS

  3. Trojan

  4. Ransomware

Answer: 4 (Ransomware)

  • Ransomware is malware that extorts money from victims. One class displays threatening messages, requiring that Windows be reactivated or suggesting that police have locked the computer for illegal activity.

  • A more powerful TCP SYN flood attack is distributed reflection DoS (DRDoS) or amplification attack. The adversary spoofs an IP address and opens connections with multiple servers directing their SYN/ACK responses to the victim server.

  • A distributed denial of service (DDoS) attack is launched simultaneously by multiple hosts. Some attacks aim to consume network bandwidth. Others cause resource exhaustion on the hosts processing requests.

  • A trojan is a malware concealed within an installer package for software that appears to be legitimate. A trojan does not seek consent for installation and operates secretly.

34

A cyber security technician speaks with a department that has voiced concern regarding tech issues. The technician discovered that the employee had received an email containing an attachment from an outside party. Curious about what the document contained, the employee clicked on the link. The next day, the employee noticed that some of the software was not working correctly, and some important documents were no longer accessible. What was likely the cause of this issue?

  1. On-path attack

  2. DNS Poisoning

  3. Malware

  4. DDoS

Answer: 3 (Malware)

  • Many of the intrusion attempts perpetrated against computer networks depend on malicious software or malware. Malware can be defined simply as software that does something bad from the perspective of the system owner.

  • An on-path attack is a specific spoofing attack where a threat actor compromises the connection between two hosts and transparently intercepts and relays all communications between them.

  • DNS poisoning is an attack that compromises the name resolution process.

  • A distributed DoS (DDoS) attack is launched simultaneously by multiple hosts. Some types of DDoS attacks aim to consume network bandwidth, denying it to legitimate hosts.

35

A cyber security technician responds to a department experiencing degraded network bandwidth, and customers call the department saying they cannot visit the company website. What is likely causing the issue?

  1. On-path attack

  2. DNS Poisoning

  3. Malware

  4. Distributed DoS (DDoS)

Answer: 4 (Distributed DoS (DDoS))

  • A distributed DoS (DDoS) attack is launched simultaneously by multiple hosts. Some types of DDoS attacks aim to consume network bandwidth, denying it to legitimate hosts.

  • An on-path attack is a specific spoofing attack where a threat actor compromises the connection between two hosts and transparently intercepts and relays all communications between them.

  • DNS poisoning is an attack that compromises the name resolution process.

  • Many of the intrusion attempts perpetrated against computer networks depend on malicious software or malware. Malware can be defined simply as software that does something bad from the perspective of the system owner.

36

During a routine investigation of the network, the cyber specialist identifies that an on-path attack has compromised the network. What is another name for this type of attack?

  1. MitM

  2. DDoS

  3. VLAN Hopping

  4. DNS Poisoning

Answer: 1 (MitM)

  • On-path attacks are also called "Man-in-the-Middle (MitM)" attacks.

  • A distributed denial of service (DDoS) attack is launched simultaneously by multiple hosts. Some types of DDoS attacks aim to consume network bandwidth, denying it to legitimate hosts. Others cause resource exhaustion on the hosts processing requests, consuming CPU cycles and memory.

  • VLAN hopping is an attack designed to send traffic to a VLAN other than the one the host system is in.

  • DNS poisoning is an attack that compromises the name resolution process. The attacker replaces a valid IP address for a trusted website, such as mybank.example, with the attacker's IP address. The attacker then intercepts the packets directed to mybank.example, and bounces them to the real site, leaving the victim unaware.

37

A cyber consultant needs to modify the company's access control lists to minimize network traffic. During configuration, the consultant can use a command-line utility provided by many Linux distributions that allows administrators to edit the rules enforced by the Linux kernel firewall. What is the command-line utility used?

  1. iptables

  2. ipconfig

  3. nmap

  4. tcpdump

Answer: 1 (iptables)

  • iptables is a command-line utility provided by many Linux distributions that allows administrators to edit the rules enforced by the Linux kernel firewall. iptables works with firewall chains, which apply to the different types of traffic passing through the system.

  • ipconfig is a tool used to gather information about the IP configuration of a Windows host.

  • Nmap is an ideal tool for scanning remote hosts to discover which ports they have open and the applications or services running on them. It does not capture data packets.

  • The tcpdump command-line utility is a common packet analyzer used to display the contents of a .pcap file.

38

An organization contacts the cyber security team and requests a feature to provide secure wireless network access. Select the appropriate answers that support this request. (Select all that apply.)

  1. Preshared keys (PSKs)

  2. Captive Portal

  3. Geofencing

  4. VLAN

Answer: 1, 2, 3 (Preshared keys (PSKs), Captive Portal, Geofencing, VLAN)

  • Group authentication allows stations to connect to the network using a shared passphrase, which generates a preshared key (PSK).

  • A guest network might redirect stations to a secure web page to perform authentication. The user must authenticate to the page and meet other administrator-set requirements, such as accepting a use policy, before the station can use the network.

  • Geofencing can be used to ensure that the station is within a valid geographic area to access the network, such as ensuring the device is within a building rather than trying to access the WLAN from a car park or other external location.

  • The virtual LAN (VLAN) feature of managed Ethernet switches is typically deployed to enforce segmentation policies.

39

A cyber technician needs to draft a policy for the organization to mitigate the risk from route processor vulnerabilities. What is the name of this type of policy?

  1. Firewall access control lists (ACLs)

  2. Control plane policing

  3. Endpoint security

  4. Hardening

Answer: 2 (Control plane policing)

  • A control plane policing policy mitigates the risk from route processor vulnerabilities. Such a policy can use ACLs to allow or deny control traffic from certain sources and apply rate-limiting if a source threatens to overwhelm the route processor.

  • A network technician configures firewall access control lists (ACLs) based on the principle of least access. This is the same as the principle of least privilege; only allow the minimum amount of traffic required to operate valid network services and no more.

  • Endpoint security is a set of security procedures and technologies designed to restrict network access at a device level.

  • Deploying systems in a secure configuration is known as device hardening.