Cyber Security: Network Threats
36 Questions
Questions and Answers

What is a sniffer?

An application or device designed to capture network traffic as it moves across the network.

Which protocols are vulnerable to sniffing attacks?

  • HTTP (correct)
  • SMTP (correct)
  • Telnet (correct)
  • FTP (correct)

Session hijacking relies on sniffing network traffic.

True

___ is the process of giving DNS servers false records to get them cached.

DNS cache poisoning

What is the main goal of a Man-in-the-Middle attack?

To intercept all communications between two hosts and modify them.

What type of attack is carried out when a large amount of traffic is directed to the broadcast address of a network instead of to a specific system?

Smurf attack

What does DDoS stand for?

Distributed Denial of Service

The __________ Layer is responsible for breaking data into packets and transmitting it over the network.

Transport

Encryption primarily takes place at the Session Layer.

False

What is port knocking?

Port knocking is the act of attempting to make connections to blocked ports in a certain order in an attempt to open a port.

Port knocking is susceptible to replay attacks.

True

What is one good way of protecting against replay attacks in port knocking?

Using a time-dependent knock sequence

What is IP Spoofing?

IP Spoofing is an attempt by an intruder to send packets from one IP address that appear to originate at another.

Which of the following is a form of IP Spoofing?

Blind Spoofing

MAC flooding aims to flood the switch with fake __________ addresses to all ports.

MAC

Match the following with their definitions:

  • MAC Filtering = Create 'block' or 'allow' lists of MAC addresses
  • ARP Spoofing = An attempt to send fake ARP messages
  • DDoS Attack = Amplifies a DoS attack by using multiple hosts
  • Ping of Death = Sending oversized packets to crash systems

What are some examples of what organizations are trying to protect in terms of cyber security? (Select all that apply)

Services availability and Productivity

The CIA Triad stands for Confidentiality, Integrity, and Accountability. Is this statement true or false?

False

Define Cyber Security based on the NIST Computer Security Handbook definition.

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

___ is the concept that verifies users are who they say they are and that each input arriving at the system came from a trusted source.

Authenticity

Match the following terms with their definitions:

  • Risk = Possibility of loss, injury, or other adverse or welcome circumstance
  • Threat = Vulnerabilities, events, or individuals that could cause harm if exploited
  • Breach = Result of exploited threats that violate security tenets
  • Countermeasure = Measures put in place to mitigate identified risks

What is the role of a protocol in computer communication?

Defines the rules for communication between computers

Which protocol sends data out as soon as there is enough data to be transmitted?

User Datagram Protocol (UDP)

DNS provides a distributed database over the internet that stores various resource records.

True

DHCP is used within a network to simplify the configuration of each user's ____________.

computer

Match the following TCP flags with their meanings:

  • SYN = Synchronise
  • ACK = Acknowledge
  • FIN = Finished
  • RST = Reset

Which of the following categories does human attack surface refer to?

Vulnerabilities created by personnel or outsiders

Economy of mechanism states that security design should be as complex and large as possible.

False

What principle dictates that every access must be checked against the access control mechanism?

Complete mediation

Ethical hackers require permission to engage in __________ testing.

penetration

Match the hacking methodology stage with its description:

  • Reconnaissance = Information gathering stage using passive attacks and Open Source Intelligence (OSINT)
  • Scanning and enumeration = Identifying network layouts, domains, servers, and infrastructure details
  • Gaining Access = Stage designed to gain access to the target system
  • Maintaining Access = Stage where access to the system is maintained
  • Covering Tracks = Stage where the attacker tries to cover their tracks

Why is the reconnaissance stage crucial in security testing?

To identify additional information that may have been overlooked

Enumeration is used to collect usernames, hostnames, IP addresses, passwords, configurations, etc.

True

Attackers break into the network, delivering targeted malware to vulnerable systems and people, often without the user being aware they are a target. They then map the organization's defenses from the inside and create a battle plan for the information they intend to target. This process is known as ________.

infiltration

What is the purpose of gaining elevated privileges in a cyber attack?

move freely within the environment

Match the following social engineering example with its description:

  • Elicitation = The subtle extraction of information during an apparently normal and innocent conversation
  • Pretexting = Creating a story or lie during a social engineering engagement

Study Notes

Network Threats

• Malicious activities on the rise: Examples of malicious attacks are everywhere, and data breaches occur in both public and private sectors.
• Top countries of origin for cyberattacks: In 2020, China was the top country of origin for cyberattacks (41%), followed by the United States (10%).

Sniffers

• Definition: A technology used to steal or observe information, allowing the viewing of email passwords, web passwords, FTP credentials, email contents, and transferred files.
• How it works: When a network adapter is in promiscuous mode, a sniffer can capture all traffic, regardless of the destination address.
• Threats to protocols: Sniffers can target Telnet, HTTP, SMTP, POP, and FTP protocols, which are sent in the clear without protection.

Application Layer Attacks

• HTTP Basic Authentication: Insecure, as full credentials pass over the wire and are sent in the clear.
• DNS Attacks: DNS poisoning occurs when an attacker attempts to change the IP associated with a server maliciously, and DNS cache poisoning occurs when false records are cached.
• Session Hijacking: Occurs when an attacker takes over a session that has authenticated access to a resource, and can be categorized into three types: man-in-the-middle, blind hijack, and session theft attacks.
• Identifying an Active Session: An attacker must locate and identify a suitable session for hijacking, and determine or guess the sequence numbers.

Network Layer Attacks

• IP Vulnerabilities: Unencrypted transmission, no source authentication, no integrity checking, and no bandwidth constraints make IP vulnerable to attacks.
• IP Spoofing Attacks: An attacker sends packets from one IP address that appear to originate from another, and can be categorized into two types: blind and non-blind spoofing.
• MAC Flooding: The goal is to flood the switch with fake MAC addresses to all ports, causing the switch to fail.
• MAC Filtering and Spoofing: MAC filtering is a security control, but it is easy to spoof the MAC address, making it ineffective.
• ARP Spoofing and Poisoning: A rogue machine can spoof other machines by updating the ARP table, and ARP poisoning is a method of bypassing a switch where sniffing is performed on an IPv4 network.

Denial of Service Attacks

• Definition: A type of attack that prevents legitimate users from accessing the system, intended to prevent services from being delivered.
• Goal: To consume resources, disrupt a service or server, or prevent services from being delivered.

Networking Fundamentals and Security

Physical Limitations of Computers

• Number of users
• Size of files
• Speed of transmission
• Amount of data stored

Denial of Service (DoS) Attacks

• Aims to prevent valid users from accessing network resources
• Types of DoS attacks:
  • Exploiting programming defects to cause a crash
  • Consuming resources (e.g. SYN flood, ICMP flood)

Distributed Denial of Service (DDoS) Attacks

• Uses multiple hosts to amplify the attack
• Difficult to detect and defend against
• Has primary and secondary victims
• Attack can be difficult or impossible to track back to the source

DoS/DDoS Attacks: Exploitation of Programming Defects

• Examples of attacks:
  • Ping of Death (PoD)
  • Teardrop Attack
  • Land DoS

DoS/DDoS Attacks: Consumption of Resources

• Examples of attacks:
  • SYN flood
  • ICMP flood
  • HTTP flood
  • Slowloris (a more potent variant of HTTP flood)

Botnets and the Internet of Things (IoT)

• Botnets consist of computers and devices (mainly IoT devices) infected with software for DDoS attacks
• Botnets can stretch across the globe
• Examples of botnet attacks:
  • DDoS attacks
  • Click fraud
  • Stealing information

Mapping the OSI Model to Cyber Threats

• The OSI model is used to understand and teach distributed communication
• Each layer interacts with the layer above and below it
• The OSI model is implemented in both hardware and software

OSI Layers

• Application Layer: interacts with end-user applications, formats data for transmission
• Presentation Layer: responsible for coding and decoding data, encryption takes place here
• Session Layer: maintains communication sessions between computers
• Transport Layer: breaks data into packets, ensures proper transmission and error checking
• Network Layer: responsible for logical implementation of the network, includes IP addresses
• Data Link Layer: prepares data for transmission over the Physical Layer, includes physical addressing
• Physical Layer: responsible for the physical operation of the network

TCP/IP Model

• Similar to the OSI model, but with fewer layers
• The four layers are:
  • Application Layer
  • Transport Layer
  • Internet Layer
  • Link Layer

Internet Packet Encapsulation

• The process of adding headers and footers to packets as they travel through the network
• Each layer adds its own header and footer

Protocols

• A set of rules and formats that govern communication between computers
• Examples of protocols:
  • TCP (Transmission Control Protocol)
  • UDP (User Datagram Protocol)
  • DNS (Domain Name System)
  • HTTP (Hypertext Transfer Protocol)

Domain Name System (DNS)

• An application-layer protocol for mapping domain names to IP addresses
• Provides a distributed database over the internet
• Resource records include:
  • Address (A) record
  • Mail exchange (MX) record
  • Name server (NS) record

DNS Caching

• DNS servers cache results for a specified amount of time
• Caching reduces network traffic and improves performance
• Associated privacy issues

Transport Layer: UDP (User Datagram Protocol)

• Lightweight and connectionless
• Small packet sizes
• No connection to create and maintain
• More control over when data is sent
• Does not compensate for loss of packets
• Does not guarantee that packets are delivered, or delivered in order

Transport Layer: TCP (Transmission Control Protocol)

• Reliable and connection-based
• Uses sequence numbers, timeouts, and retransmissions to protect against loss and reordering
• TCP packets have a header section with a flags field
• Four possible flags:
  • SYN (Synchronise)
  • ACK (Acknowledge)
  • FIN (Finished)
  • RST (Reset)

Networking Layering Models and Protocols

• IPv4 addresses:
  • Four-byte (32-bit) addresses that uniquely identify every device on the network
  • Still the most common
• IPv6 addresses:
  • 128 bits long
  • Provide more unique device addresses
  • More secure

IP Addressing

• IPv4 addressing:
  • 32-bit binary address
  • Divided into four parts, separated by dots, with each part consisting of 8 binary digits
  • Each group of 8 binary digits is converted to decimal, hence the name Dotted Decimal
  • Each IP address represents both the network address and the host address
• Example: 192.168.10.0 is the network address, 192.168.10.255 is the broadcast address, and hosts can have any IP between 192.168.10.1 and 192.168.10.254
• Class C IP address: the network part is the first three decimal numbers (octets), and the host part is only the last decimal number of the IP

IP Addressing - Dynamic

• Dynamic Host Configuration Protocol (DHCP):
  • Used within a network to simplify the configuration of each user's computer
  • To obtain, renew, or refresh a DHCP IP address dynamically, you can use:
    • In Windows: ipconfig /registerdns
    • In Linux: sudo dhclient

MAC Address

• Most network interfaces come with a pre-defined MAC address
• A MAC address is a 48-bit number usually represented in hex (e.g., 00-1A-92-D4-BF-86)
• On Windows, you can use getmac to obtain the MAC address of your machine, which is also listed when you type ipconfig
• On Linux, you can see your MAC address when you type ip addr, where it is labeled "link/ether"

Address Resolution Protocol (ARP)

• Connects the network layer to the data link layer by converting IP addresses to MAC addresses
• ARP works by broadcasting requests and caching responses for future use
• The protocol begins with a computer broadcasting a message of the form "who has tell "
• When the machine with the IP address receives this message, it broadcasts the response " belongs to "
• The Linux and Windows command arp -a displays the ARP table

Network Interface

• A network interface is a physical device that connects a computer to a network
• It determines which network interface card the system will use
• Network interfaces are considered both Physical layer and Data link layer interfaces
• A computer may have multiple network interfaces
• Packets are transmitted between network interfaces
• Most local area networks (including Ethernet and WiFi) broadcast frames
• Each network interface gets the frames intended for it

Description

This quiz covers various types of network threats and attacks, including sniffers, application layer attacks, network layer attacks, data link layer attacks, and denial of service attacks.