Cybersecurity Fundamentals Part 3

Questions and Answers

Which activity is primarily focused on understanding vulnerabilities and their potential impacts in network security?

  • Risk Assessment [ID.RA] (correct)
  • Access Control [PR.AC]
  • Asset Management [ID.AM]
  • Network Security Governance [ID.GV]

What is the main purpose of implementing encryption in a network?

  • To enable end-to-end communication between devices
  • To analyze network traffic patterns for anomalies
  • To restrict unauthorized access to network resources
  • To protect data both in transit and at rest (correct)

Which function involves creating actions to follow during a network security event?

  • Log and Event Monitoring [DE.CM]
  • Business Continuity Planning [RC.RP]
  • Risk Assessment [ID.RA]
  • Network Incident Response Plan [RS.RP] (correct)

In the NIST framework, which activity is tasked with training users to recognize security threats?

  • Security Training [RP.AT] (C, correct)

Which core function of the NIST framework evaluates the effectiveness of incident responses after an event?

  • Lessons Learned [RC.IM] (A, correct)

What is the main role of Log and Event Monitoring within the Detect function?

  • To continuously monitor for anomalies and incidents (D, correct)

Which of the following is NOT a component of the Protect function in the NIST framework?

  • Forensics [RS.AN-3] (B, correct)

At which layer of the TCP/IP model does point-to-point communication between devices mainly occur?

  • Network Layer (A, correct)

What is the primary goal of access control in network security?

  • To restrict unauthorized access to network resources (D, correct)

Which of the following is NOT listed as a key responsibility of network security?

  • Remote user training on device usage (D, correct)

What role do intrusion detection systems (IDS) play in network security?

  • They continuously monitor network traffic for security incidents (D, correct)

Which of the following best describes perimeter defense in network security?

  • Filtering incoming and outgoing network traffic (D, correct)

What is the purpose of network vulnerability management?

  • To identify and fix weaknesses in network configurations (C, correct)

Which secure protocol is specifically mentioned for protecting data in transit?

  • IPSec (C, correct)

What type of system would be utilized to prevent security incidents effectively?

  • Intrusion Prevention Systems (IPS) (A, correct)

Which option is least likely to be a focus of network security training?

  • Enhancing personal productivity tools (A, correct)

What is the primary goal of a Man-in-the-Middle (MitM) attack?

  • To intercept and manipulate communication. (D, correct)

Which technique is NOT associated with Denial of Service (DoS) attacks?

  • Session hijacking. (C, correct)

What countermeasure helps mitigate the risk of flooding attacks in Denial of Service (DoS)?

  • Rate limiting. (A, correct)

What is one common method to detect unauthorized port scanning activities?

  • Host-based IDS/IPS. (B, correct)

Which of the following best describes the term 'Brute Force Attack'?

  • Trying multiple username and password combinations to gain access. (B, correct)

Which practice is a key component in mitigating the effects of brute force attacks?

  • Strong password policies. (A, correct)

What is the purpose of SSL stripping in a Man-in-the-Middle attack?

  • To intercept and downgrade secure HTTPS connections to HTTP. (D, correct)

Which of the following techniques relies on overwhelming a service with excessive requests?

  • SYN flood attacks. (C, correct)

What is the primary function of a firewall in network security?

  • To act as a barrier between trusted and untrusted networks (C, correct)

Which type of firewall inspects packets on a per-packet basis without maintaining any state information?

  • Packet Filtering Firewalls (B, correct)

What security measure is implemented when a firewall blocks all traffic that does not match its defined rules?

  • Deny by default (D, correct)

Which of the following is NOT a countermeasure against external threat actors?

  • Regular employee training sessions (D, correct)

In firewall operations, what does 'filtering' primarily refer to?

  • Controlling incoming and outgoing network traffic (D, correct)

What is the importance of having a reliable operating system for a firewall?

  • To ensure firewall immunity to intrusions (C, correct)

What is the role of predefined security policies in firewall functionality?

  • To establish access rules for incoming and outgoing traffic (A, correct)

Which of the following features is a characteristic of Stateful Inspection Firewalls?

  • They maintain a record of active connections. (A, correct)

What is the primary function of an Intrusion Detection System (IDS)?

  • To alert on suspicious activity without taking direct action (B, correct)

Which VPN type allows remote users to connect to the internal network?

  • Remote access VPN (B, correct)

What is a significant drawback of signature-based detection methods used by IDS/IPS?

  • They exhibit poor performance with new or previously unseen threats. (A, correct)

Which of the following is not an example of an application layer VPN?

  • PPTP (D, correct)

What critical flaw in ARP contributes to the possibility of a Man in the Middle (MitM) attack?

  • ARP lacks authentication for ARP-Reply messages (C, correct)

Which of the following describes a characteristic of the Intrusion Prevention System (IPS)?

  • It can take proactive measures to block or prevent threats. (C, correct)

Which component of IPsec is responsible for providing encryption using symmetric algorithms?

  • Encapsulating Security Payload (ESP) (D, correct)

What form of VPN encapsulates IP packets into a secure tunnel?

  • IPsec Tunnels (C, correct)

What is the primary purpose of the Handshake Protocol in TLS?

  • To authenticate endpoints and establish a secure connection (A, correct)

Which type of detection method establishes a baseline of normal behavior for alerts on deviations?

  • Anomaly-based detection (D, correct)

Which of the following protocols specifically addresses the security of DNS queries and responses?

  • DNSSEC (D, correct)

Which statement accurately describes Host-Based IDS (HIDS)?

  • It monitors system-level activities and logs on individual devices. (C, correct)

What is the primary function of SSH in secure networking?

  • To enable secure remote access via encrypted interactive sessions (A, correct)

Which IDS/IPS detection method uses predefined patterns to identify attacks?

  • Signature-based detection (B, correct)

What type of communication does IPSec primarily secure?

  • IP communications at the network layer (C, correct)

What type of VPN is designed to offer transport layer encryption?

  • Wireguard (A, correct)

Which aspect of data does TLS ensure through its Record Protocol?

  • Encryption and authentication of transferred data (B, correct)

What is a primary use case for SSH?

  • Secure remote management of servers (D, correct)

Why is ARP spoofing considered a form of local ARP cache poisoning?

  • It impersonates devices to redirect traffic without detection. (A, correct)

What is a key characteristic of 'secure protocols'?

  • They enhance standard protocols through cryptographic techniques. (A, correct)

Flashcards

Network Security

A set of measures and strategies implemented to secure a network's infrastructure.

TCP/IP Network Model

A layered model that describes how interconnected devices communicate over a network.

TCP/IP Vulnerabilities

Weaknesses in network protocols or devices that can be exploited by attackers.

Access Control

Strategies designed to protect network resources from unauthorized access.

Firewall

A specialized hardware or software device that filters network traffic based on defined rules.

Virtual Private Network (VPN)

A secure connection over a public network, creating a private tunnel for data transmission.

Intrusion Detection System (IDS)

A dedicated system that monitors network traffic for suspicious activity and alerts administrators of potential threats.

Network Vulnerability Management

The process of identifying and addressing vulnerabilities to strengthen network security.

NIST Cybersecurity Framework

A comprehensive framework outlining key functions for securing computer networks. It emphasizes five core functions: Identify, Protect, Detect, Respond, and Recover.

Asset Management (ID.AM)

The process of creating an inventory of all network resources that need protection, including hardware, software, and data.

Risk Assessment (ID.RA)

Evaluating potential risks to a network, including vulnerabilities, threats, and potential impacts.

Network Security Governance (ID.GV)

Policies and procedures that govern how network security is managed.

Access Control (PR.AC)

Restricting access to network resources based on authorization.

Network Segmentation (PR.AC-5)

Dividing a network into smaller, isolated zones to limit the spread of attacks.

Encryption (PR.DS-2)

Using encryption to protect data while it's being transmitted and while it's stored.

Endpoint Protection (PR.PT)

Security measures implemented on individual network devices to prevent intrusions and malware infections.

Man-in-the-Middle (MitM) Attack

An attacker intercepts and potentially alters communication between two parties without their knowledge. The attacker can eavesdrop, manipulate information, or impersonate one of the parties.

Denial of Service (DoS) Attack

A type of attack that overwhelms a network with excessive traffic or requests, making it unavailable to legitimate users.

Hostile Network Activity

A malicious action aimed at compromising network security, gaining unauthorized access, or disrupting network operations.

Port Scanning

A process of systematically probing a network or system to find open ports and services.

Brute Force Attack

Trying combinations of usernames and passwords to guess valid credentials and gain unauthorized access to a system.

Distributed Denial of Service (DDoS) Attack

A type of attack that uses multiple computers to launch a DoS attack simultaneously, making the attack more powerful and difficult to defend against.

Intrusion Prevention System (IPS)

A security tool that monitors network traffic and actively blocks malicious activity.

ARP (Address Resolution Protocol)

A protocol that helps network devices discover each other's physical addresses (MAC addresses) by mapping IP addresses to MAC addresses.

ARP Spoofing

A type of attack where a malicious actor sends spoofed ARP messages to trick devices into communicating with them instead of the intended recipient.

Secure Protocol

A protocol that provides confidentiality, integrity, and authentication for both messages and endpoints.

IPsec (Internet Protocol Security)

A suite of protocols that secure IP communications at the network layer, providing authentication and optional encryption.

TLS (Transport Layer Security)

A secure protocol that creates a secure communication channel between a client and server at the transport layer, providing data integrity, confidentiality, and authentication.

SSH (Secure Shell)

A protocol that provides secure end-to-end encryption for interactive sessions, similar to TLS but with additional user authentication methods.

Perimeter Protection

A set of measures and strategies implemented to protect an organization's network from external threats by securing the perimeter of the network.

OpenVPN

A type of VPN that uses TLS/SSL for encryption, providing a secure connection for data transmission over public networks.

DNSSEC (Domain Name System Security Extensions)

A security extension for DNS that adds cryptographic security to DNS queries and responses, protecting against DNS spoofing.

FTPS (File Transfer Protocol Secure)

An extension of FTP that adds TLS/SSL encryption to secure file transfers.

Security Information and Event Management (SIEM)

A system that monitors network activity, collects data, and analyzes it for security breaches, providing real-time insights and alerts.

Packet Filtering Firewalls

Types of firewalls that examine the contents of network packets to determine whether they match predefined rules, operating at the network or transport layers.

Web Application Firewall (WAF)

A type of firewall designed specifically to protect web applications, filtering and blocking malicious traffic aimed at web servers.

Network Segmentation

Dividing a network into smaller isolated segments, limiting the impact of attacks and preventing their spread across the entire network.

Network Access Control

A network security strategy that employs a set of rules to define and control access to network resources based on user identity and permissions.

VPN (Virtual Private Network)

Secure connection between two entities over a public network, forming a private tunnel for secure data transmission. Often used to connect remote users to a private network or different parts of an organization.

IPsec Tunnels

A network-level VPN that encapsulates entire IP packets within an IPsec protocol before transmission. It's a strong security measure that provides data confidentiality and integrity.

PPTP (Point-to-Point Tunneling Protocol)

A layer 2 protocol used for communication over a VPN. It encapsulates PPP frames within UDP/IP packets, ensuring secure transmission.

Network-Based IDS/IPS (NIDS)

IDS/IPS deployed at specific network locations, such as firewalls or DMZs, to monitor traffic flowing into or out of the network segment.

Host-Based IDS/IPS (HIDS)

IDS/IPS agents installed on individual devices (hosts, servers) to monitor events occurring on the specific device, like system logs or file modifications.

Signature-Based Detection

Method of detection that relies on predefined patterns or signatures to identify known attacks. It's efficient but struggles with new or unknown attacks.

Anomaly-Based Detection

Method of detection that looks for patterns or behaviors significantly different from the established baseline of normal network activity. It can detect new threats but may generate false alarms.

Behavioral Analysis (in IDS/IPS)

Generalized approach to anomaly detection where the IDS/IPS looks for abnormal behavior that may not match specific signatures or known anomalies. It's effective in detecting new or unknown threats.

Study Notes

Cybersecurity Fundamentals (Part 3)

  • Network Security: A set of measures and strategies to secure network infrastructure, protecting wired/wireless networks, routers, switches, firewalls, servers, and endpoints. Key responsibilities include access control, data protection, network monitoring, and intrusion detection.

Key Responsibilities/Tasks

  • Access Control: Only authorized users and devices can access network resources.
  • Data Protection: Encrypts data in transit and at rest using protocols like IPSec, SSL/TLS to secure sensitive information.
  • Network Monitoring and Logging: Continuous monitoring of network traffic, detecting security incidents, monitoring network activity, analyzing logs to find anomalies, and using IDS/IPS systems to block or alert on suspicious activity and threats.

Network Security (II)

  • Perimeter Defense: Security controls at the network perimeter to filter incoming/outgoing traffic (firewalls and DMZs), monitor/detect intrusion using IDS/IPS, and secure remote access with VPNs.
  • Network Vulnerability Management: Regularly assessing the network for vulnerabilities and taking action to mitigate them, such as ensuring network devices are configured securely (patches/updates), and conducting security assessments (penetration testing).

Network Security (III)

  • Network Security Activities (NIST Framework Core Functions):
    • Identify: Asset Management (ID.AM), Risk Assessment (ID.RA), Network Security Governance (ID.GV).
    • Protect: Access Control (PR.AC), Network Segmentation (PR.AC-5), Encryption (PR.DS-2), Endpoint Protection (PR.PT), Security Training (RP.AT)
    • Detect: Network Traffic Analysis (DE.AE), Log and Event Monitoring (DE.CM), Intrusion Detection (DE.DP)

Network Security (IV)

  • Respond: Network Incident Response Plan (RS.RP), Security Incident Investigation (RS.AN), Mitigation and Containment (RS.MI), Communication and Reporting (RS.CO), Forensics (RS.AN-3)
  • Recover: Business Continuity (BC) Planning (RC.RP), System Restoration (RC.RP), Lessons Learned (RC.IM), Post-Incident Review (RC.IM)

TCP/IP Network Model

  • Key Points: Stacked protocol layers and data encapsulation. The TCP/IP layers map onto the OSI model, which illustrates how protocols and services relate to each layer.

TCP/IP Vulnerabilities, Threats and Attacks

  • Main Weakness: Lack of built-in security, and lack of native methods for encryption, integrity, and authentication.
  • Generic Threats/Attacks:
    • Sniffing: Unauthorized interception/monitoring of network traffic (exploits lack of encryption).
    • Spoofing: Masquerading as something or someone else in a network communication (lack of authentication).
    • Hijacking: Attacker takes control of an established network session/connection between two parties (lack of authentication/integrity and weaknesses in session management).
    • Man-in-the-Middle (MitM) Attacks: Attacker intercepts (and potentially alters) communication between sender and receiver without their knowledge (MitM exploits issues in the network layers).
    • Denial of Service (DoS): Make network resources, services, or applications unavailable to legitimate users by overwhelming them with excessive traffic/requests.
    • Hostile network activity: Actions taken by attackers or malicious actors to compromise network security, gain unauthorized access, or disrupt network operations. This includes actions like port scanning, brute-force attacks.

Secure Protocols

  • Secure protocols: Address security concerns (confidentiality, integrity, authenticity) in data and communications, improving upon the classic TCP/IP functionality. Protocols can be implemented at various layers of the stack, applying cryptographic techniques.

IPsec (Internet Protocol Security)

  • Network Layer (Layer 3): A suite of protocols used to secure IP communications at the network layer. Provides IP packet authentication and (optionally) encryption using HMAC and ESP. IKE provides secure key exchanges, using asymmetric encryption, Diffie-Hellman, and digital certificates.

TLS (Transport Layer Security)

  • Transport Layer (Layer 4): Secure communication channel between a client and server at the transport layer. Provides data integrity, confidentiality, and authentication at the packet level. Uses Handshake Protocol and Record Protocol.

SSH (Secure Shell)

  • Application Layer (Layer 7): Provides end-to-end encryption for interactive sessions, adds user authentication methods such as password and public keys.

Perimeter Protection

  • Objective: Securing an organization's network by protecting the outer boundary (perimeter) from external threats/attacks.
  • Countermeasures:
    • Firewalls and network segmentation
    • Virtual Private Networks (VPNs)
    • Intrusion Detection and Prevention Systems (IDS/IPS)
    • Security Information and Event Management (SIEM) Systems
    • Web Application Firewalls (WAFs), Content Filtering

Firewalls

  • Network Access Control Devices: Barrier between the organization's internal network and the untrusted external network. Filters and controls incoming/outgoing network traffic based on predefined security rules. All traffic passes through the firewall, which permits authorized traffic and denies the rest.

Virtual Private Networks (VPNs)

  • Extension of a private local network over an uncontrolled public network infrastructure.
  • Typical Function: Establishing secure connections to maintain the confidentiality of traffic. Relies on tunneling, which creates a logical connection between endpoints by encapsulating one protocol within another. Common use cases include secure interconnection across parts of an organization, and remote access for users to connect to the internal network.
    • Tunneling can be implemented in different ways (see the VPN types in the flashcards above).

Intrusion Detection/Prevention Systems (IDS/IPS)

  • IDS: Monitors network/system activity for signs of unauthorized access, attacks, or abnormal behavior. Passive and alerts on potential threats.
  • IPS: Same detection methods as IDS, takes automated actions to prevent or mitigate detected threats. Proactive, blocking traffic to/from specific IP addresses, dropping malicious packets, and resetting connections.
  • Deployment Types: Network-based (NIDS) sensors monitor traffic, and host-based (HIDS) agents monitor individual device activities, such as file changes, logs, and system calls.
  • Detection Methods: Signature-based and Anomaly-based.
