Cybersecurity Threats and Protections Quiz

Questions and Answers

What type of network infrastructure is primarily used to monitor internal servers and database resources?

  • NIDS (correct)
  • LAN switch
  • Workstation
  • Router

Which of the following is NOT a common type of malware?

  • Rootkit
  • Trojan Horse
  • Firewall (correct)
  • Botnet

According to NIST SP 800-83, what is the primary purpose of malware?

  • To enhance system performance
  • To compromise the confidentiality, integrity, or availability of data (correct)
  • To improve user experience
  • To provide a secure communication channel

Which type of malware is designed to replicate itself and spread to other systems?

Answer: Worm (A)

Which of the following is NOT a common method of malware distribution?

Answer: Security updates (C)

What type of network infrastructure is commonly used to support user workstations within a single department?

Answer: LAN (A)

Which of the following is a type of malware that can be used to control a compromised system remotely?

Answer: Bot (A)

What is the primary difference between a virus and a worm?

Answer: A virus requires user interaction to spread, while a worm can spread independently. (A)

What is the primary purpose of a Host-Based IDS?

Answer: To detect intrusions and log suspicious events (A)

Which of the following methods can a Host-Based IDS use for detection?

Answer: Anomaly detection strategies (A)

How does a Network IDS capture network traffic?

Answer: By placing network interface cards in promiscuous mode (B)

What type of signatures might a Network IDS use to detect attacks?

Answer: String signatures (C)

Which type of intrusions can a Host-Based IDS detect?

Answer: Both external and internal intrusions (D)

Which ports are frequently attacked according to the provided information?

Answer: Port 21 (D)

What is a characteristic of packets considered to be of interest?

Answer: They match a specific signature (D)

Where is a Network Intrusion Detection System (NIDS) typically placed to monitor for penetration attempts?

Answer: Outside the enterprise firewall (C)

What combination of packet conditions is an example of a condition that should be monitored?

Answer: TCP segment with SYN and FIN bits set (B)

What is a key purpose of placing a NIDS in the DMZ of a network?

Answer: To monitor for penetration attempts targeting exposed services (D)

Which of the following is NOT true about dangerous packet combinations?

Answer: They only occur during network maintenance (B)

What role does an internal firewall play in network security?

Answer: To filter traffic between the LAN and outgoing connections (B)

Which of these ports is NOT listed as frequently attacked?

Answer: Port 25 (B)

What is the main assumption of Zero Trust regarding trust levels for users and assets?

Answer: Implicit trust is not granted based solely on location or ownership. (C)

What does Zero Trust Architecture (ZTA) aim to protect?

Answer: Resources like services and workflows. (A)

Which components are included in Zero Trust Access (ZTA)?

Answer: Policy Decision Point and Policy Enforcement Point. (D)

What must the system validate before granting access to an enterprise resource?

Answer: The authenticity of the subject and validity of the request. (C)

Which deployment model is NOT mentioned in the ZTA deployment types?

Answer: Network Segment Model. (B)

What is the focus of attack prevention mechanisms in DDoS countermeasures?

Answer: Modifying systems and protocols to reduce DDoS risks (B)

What is a potential threat to Zero Trust Architecture?

Answer: Use of Non-person Entities in ZTA Administration. (C)

What primarily occurs during a direct DDoS attack?

Answer: A victim's resources are overwhelmed directly by incoming traffic (C)

What is the role of the Policy Enforcement Point (PEP)?

Answer: To pass judgment on access requests. (B)

What is the primary goal of a Denial-of-Service (DoS) attack?

Answer: To make services unavailable to legitimate users (A)

What is a characteristic of reflector DDoS attacks?

Answer: They utilize other systems to amplify the attack (A)

What is one common misconception about Zero Trust concerning user accounts?

Answer: User accounts need no validation for access. (A)

How does a typical Distributed Denial-of-Service (DDoS) attack operate?

Answer: Via numerous compromised hosts sending useless packets (C)

Which of the following is a method of attack detection during a DDoS attack?

Answer: Looking for suspicious patterns of behavior (A)

What was the main purpose of the first release of Onion Routing in 2002?

Answer: To provide anonymity for users and servers (C)

What characterizes a Distributed SYN Flood attack?

Answer: It involves multiple slave servers sending SYN packets. (A)

How does TLS tunneling enhance Onion Routing's effectiveness?

Answer: By providing encryption for data in transit (B)

What happens when a server experiences a DoS attack?

Answer: Server resources become flooded with useless traffic. (A)

Which of the following best describes the impact of a DoS attack on users?

Answer: Users are completely blocked from accessing the service. (B)

What is a limitation of attack source traceback in DDoS countermeasures?

Answer: It often yields results too slowly to mitigate ongoing attacks (C)

Which aspect of the Onion Routing framework helps mitigate against side channel attacks?

Answer: Use of a customized browser (C)

What distinguishes a DDoS attack from a standard DoS attack?

Answer: DDoS attacks involve multiple sources of attack traffic. (B)

In the context of network security, what primarily makes an attack 'distributed'?

Answer: The attack originates from multiple locations or devices. (B)

When a DDoS attack is successful, what is an immediate effect on the targeted web server?

Answer: The server may become inaccessible to users due to overload. (C)

Flashcards

Host-Based IDS

Systems that monitor and protect individual hosts from intrusions.

Intrusion Detection System (IDS)

An IDS monitors network or system activities for malicious actions or policy violations.

Network IDS

A system that monitors network traffic to detect intrusion attempts and anomalies.

Threshold Detection

An anomaly detection strategy that triggers alerts when traffic exceeds predetermined levels.

String Signatures

Patterns in packet data used to identify potential attacks within network IDS.

Zero Trust

A cybersecurity model that denies implicit trust to assets or user accounts without verification.

Zero Trust Architecture (ZTA)

An enterprise cybersecurity plan that requires verification for all users accessing resources, especially for remote users.

Policy Decision Point (PDP)

The component that makes access control decisions in Zero Trust systems.

Policy Enforcement Point (PEP)

The component that enforces decisions made by the PDP regarding resource access.

Authentication

The process of verifying the identity of a user or device requesting access to resources.

Authorization

The process of granting or denying access to resources after authentication has confirmed identity.

ZTA Threats

Potential risks to Zero Trust Architecture including insider threats and denial of service attacks.

Enclave Gateway Model

A deployment strategy in Zero Trust where multiple resources are accessed through a secure gateway.

Port Signatures

Specific values or patterns associated with known protocols on certain ports, indicating activity of interest.

Attacked Ports

Commonly targeted ports in network attacks, such as 20, 21, and 23.

Packet Signatures

Characteristics or patterns in network packets that signify a threat or unusual activity.

Header Conditions

Specific conditions in packet headers that may indicate suspicious traffic, such as combinations of flags set.

WinNuke Attack

A header-condition example: packets carrying an urgent pointer (URG flag) aimed at NetBIOS ports are flagged as problematic.

Network IDS Locations

Strategic points in a network where Intrusion Detection Systems are deployed, such as outside firewalls or in DMZs.

Internal Server Security

Measures to protect data resources and servers within an internal network from unauthorized access or attacks.

DMZ in Networking

A 'demilitarized zone' in a network, used to isolate public-facing services from the internal network for security.

NIDS

Network Intrusion Detection System that monitors network traffic for suspicious activity.

Malicious Software

Software designed to harm or exploit any programmable device or network.

Types of Malware

Various classifications of malware include viruses, worms, and Trojan horses.

Virus

A type of malware that attaches itself to clean files and spreads throughout a computer system.

Worm

A standalone malware that replicates itself to spread to other computers.

Trojan Horse

Malware disguised as legitimate software that tricks users into installing it.

Spyware

Malware that secretly monitors and collects user information without consent.

Denial-of-Service Attack

An attack that aims to make a machine or network resource unavailable to its intended users.

DoS Attack

A Denial-of-Service attack that makes services inaccessible to legitimate users.

DDoS Attack

Distributed Denial-of-Service attack, where multiple compromised hosts send useless traffic.

Flooding

The action of overwhelming a network or server with excessive useless traffic.

Compromised Hosts

Devices that have been hacked and are used in a DDoS attack.

SYN Flood Attack

A specific type of DDoS attack that exploits the TCP handshake process using SYN packets.

Useless Packets

Data packets sent during an attack that serve no legitimate purpose.

Target Web Server

The server that is the intended victim of the DoS or DDoS attack.

Legitimate Users

Individuals or systems that properly use a service but are blocked during an attack.

Direct DDoS Attack

An attack where the attacker directly sends a large volume of packets to the victim.

Reflector DDoS Attack

An attack that sends requests to other servers that then flood the victim.

Attack Prevention

Methods to prevent DDoS attacks before they occur by securing resources.

Attack Detection

Mechanisms that identify suspicious patterns during a DDoS attack.

Packet Filtering

The process of blocking unwanted packets that are likely part of an attack.

Onion Routing

A method for anonymizing internet traffic, using layers of encryption.

TLS Tunneling

A method of securely transmitting data over the internet using Transport Layer Security.

Study Notes

Network Security

  • XII: Network Endpoint Security
  • Presented by Prof. Dr. Torsten Braun, Institute for Informatics
  • Dates: December 2nd, 2024 - December 9th, 2024
  • Location: Bern

Table of Contents

  • Firewalls
  • Intrusion Detection Systems
  • Malicious Software
  • Denial of Service Attacks
  • The Onion Routing
  • Securing BGP Inter-Domain Routing
  • Scalability, Control, and Isolation on Next-Generation Networks
  • NIST Zero-Trust Architecture

Firewalls

  • Introduction
    • Important complement to host-based security services (like intrusion detection systems).
    • Typically placed between the internal network and the internet, creating a controlled link and an outer security wall.
    • Provides an additional layer of defense and isolates internal systems from external networks.
  • Design Goals
    • All traffic in both directions must pass through the firewall. This is achieved by blocking all access to the local network except via the firewall.
    • The firewall itself must be invulnerable to penetration, which requires a hardened system with a secured operating system.
  • Techniques
    • Service control: Determines inbound and outbound internet services accessible. Firewalls may filter traffic by IP address, protocol, or port number.
    • Direction control: Determines the direction of service requests flowing through the firewall.
    • User control: Controls access to a service based on the user attempting to access it (typically applied to local users).
  • Capabilities
    • Defines a single choke point to prevent unauthorized users from entering/leaving the network.
    • Prohibits potentially vulnerable services.
    • Provides protection against various IP spoofing and routing attacks.
    • Consolidates security capabilities on a single system.
  • Limitations
    • Cannot protect against attacks that bypass the firewall.
    • May not fully protect against internal threats (e.g., misbehaving employees).
    • An improperly secured wireless LAN can be accessed from outside the organization.
    • Mobile devices can be used to infect the internal network.
  • General Model
    • Diagram showing internal (protected network) and external (untrusted network) with a firewall between them.
    • Types of firewalls discussed: Packet Filtering, Stateful Inspection, Application Proxy, and Circuit-level Proxy Firewalls.
  • Packet Filtering Firewall
    • Filtering rules match on fields in the IP or TCP header (e.g., source/destination IP address, port number). Default policy: discard any packet that matches no rule.

Firewalls (Cont.)

  • Examples (Packet Filtering Example)
    • Rule sets for controlling inbound and outbound traffic (e.g., allowing or blocking traffic to/from a certain port number).
  • Weaknesses
    • Does not examine upper-layer data, so it cannot block attacks on application-specific vulnerabilities.
    • Limited logging functionality with restricted log information.
  • Attacks and Countermeasures
    • IP address spoofing: Discard packets with inside source addresses arriving on external interfaces.
    • Source routing attacks: Discard packets using this option.
    • Tiny fragment attacks: Enforce a rule that the first packet fragment contains a predefined minimum amount of transport header data. Discard all subsequent fragments if the first is rejected.

Intrusion Detection Systems

  • Terms
    • Intrusion: Violations of security policy, including attempts to affect confidentiality, integrity, or availability.
    • Intrusion Detection: Process of collecting information about events in a computer system or network, analyzing them for intrusion signs.
    • Intrusion Detection System (IDS): Hardware or software that gathers/analyzes information to find and warn about unauthorized access attempts.
  • Classification
    • Host-based IDS: Monitors a single host for suspicious activity and events.
    • Network-based IDS: Monitors network traffic for suspicious activity on particular network segments or devices.
  • Components
    • Sensors: Collect data from the system (e.g., network packets, logs).
    • Analyzers: Process sensor data to determine whether an intrusion has occurred and indicate what action to take.
    • User interface: Allows users to view alerts and system behavior.

Intrusion Detection Systems (Cont.)

  • Misuse and Anomaly Detection
    • Misuse detection: Based on known attack patterns or signatures.
    • Anomaly detection: Looks for deviations from normal behavior.
  • Behavior of Intruders and Authorized Users
    • Diagram showing probability density functions of normal-user and intruder behavior profiles.
  • Host-Based IDS
    • Adds a specialized security layer for vulnerable systems (like database servers).
    • Monitors system activity for suspicious behavior.
    • Can halt attacks before damage is done.
    • Logs suspicious events and sends alerts.
  • Network IDS
    • Monitors network traffic within particular segments.
  • Network IDS Location
    • Outside main enterprise firewalls.
    • In the network DMZ (Demilitarized Zone).
    • Behind internal firewalls to monitor internal/external traffic.
  • Network IDS Function
    • String signatures: Identify attack strings/text.
    • Port signatures: Watch for connection attempts to commonly attacked ports.
    • Header condition signatures: Analyze headers for unusual, suspicious patterns.
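An added example (my code, not from Prof. Braun's notes or the quiz) that puts the three packet-filter countermeasures listed under Firewalls (Cont.) (spoofed inside source address, source routing option, tiny first fragment) and the three Network IDS signature types above (string, port, header condition) into working code over constructed IPv4/TCP datagrams. The internal range 10.0.0.0/8, NetBIOS session port 139 as the WinNuke target, the attack string, and the `build` helper are my assumptions, not values from the notes:

```python
import struct
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")   # assumed internal range; the notes do not name one
ATTACKED_PORTS = {20, 21, 23}       # ports the notes list as frequently attacked
NETBIOS_SESSION_PORT = 139          # assumed WinNuke target; the notes only say "NetBIOS ports"
SOURCE_ROUTE_OPTS = {0x83, 0x89}    # IPv4 loose / strict source route option types
TCP_FIN, TCP_SYN, TCP_ACK, TCP_URG = 0x01, 0x02, 0x10, 0x20
STRING_SIGNATURES = [b"cat /etc/passwd"]   # constructed illustrative attack string

def option_types(opts: bytes) -> set:
    """Walk the IPv4 options field and return the option type codes it carries."""
    types, i = set(), 0
    while i < len(opts):
        kind = opts[i]
        types.add(kind)               # EOL (0) and NOP (1) are one byte; others carry a length
        i += 1 if kind in (0, 1) else max(opts[i + 1], 2) if i + 1 < len(opts) else 1
    return types

def parse(pkt: bytes) -> dict:
    """Decode the IPv4 header and, for an unfragmented or first-fragment TCP segment, the TCP header."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, frag = struct.unpack("!HH", pkt[4:8])
    p = {"src": ip_address(pkt[12:16]), "dst": ip_address(pkt[16:20]), "id": ident,
         "mf": bool(frag & 0x2000), "offset": (frag & 0x1FFF) * 8, "proto": pkt[9],
         "ip_opts": pkt[20:ihl], "transport": pkt[ihl:]}
    t = p["transport"]
    if p["proto"] == 6 and p["offset"] == 0 and len(t) >= 20:
        _, dport, _, _, off_flags, _, _, urg = struct.unpack("!HHIIHHHH", t[:20])
        p.update(dport=dport, flags=off_flags & 0x1FF, urg=urg, payload=t[(off_flags >> 12) * 4:])
    return p

class PacketFilter:
    """The three countermeasures from the notes; only the tiny-fragment rule needs state."""
    def __init__(self):
        self.rejected = set()         # (src, dst, id) of datagrams whose first fragment was dropped

    def verdict(self, pkt: bytes, iface: str) -> str:
        p = parse(pkt)
        key = (p["src"], p["dst"], p["id"])
        if iface == "external" and p["src"] in INSIDE:
            return "discard: spoofed inside source address"
        if option_types(p["ip_opts"]) & SOURCE_ROUTE_OPTS:
            return "discard: source routing option"
        if p["offset"] == 0 and p["mf"] and len(p["transport"]) < 20:
            self.rejected.add(key)    # first fragment lacks a full transport header
            return "discard: tiny first fragment"
        if p["offset"] > 0 and key in self.rejected:
            return "discard: later fragment of a rejected datagram"
        return "accept"

def nids_alerts(pkt: bytes) -> list:
    """Apply the string, port and header-condition signatures to one packet."""
    p, alerts = parse(pkt), []
    if "flags" not in p:              # not a parseable first-fragment TCP segment
        return alerts
    if p["flags"] & TCP_SYN and p["flags"] & TCP_FIN:
        alerts.append("header: SYN and FIN both set")
    if p["flags"] & TCP_URG and p["dport"] == NETBIOS_SESSION_PORT:
        alerts.append("header: urgent data to NetBIOS port (WinNuke pattern)")
    if p["dport"] in ATTACKED_PORTS:
        alerts.append(f"port: connection attempt to frequently attacked port {p['dport']}")
    alerts += [f"string: {s!r}" for s in STRING_SIGNATURES if s in p["payload"]]
    return alerts

def build(src, dst, dport, flags=TCP_SYN, urg=0, mf=False, offset=0, opts=b"", ident=1, payload=b"", cut=None):
    """Construct a sample IPv4/TCP datagram for testing (constructed input, not captured traffic)."""
    tcp = (struct.pack("!HHIIHHHH", 40000, dport, 1, 0, (5 << 12) | flags, 8192, 0, urg) + payload)[:cut]
    opts += b"\x00" * (-len(opts) % 4)
    ihl = 5 + len(opts) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(tcp), ident, (0x2000 if mf else 0) | offset // 8,
                     64, 6, 0, ip_address(src).packed, ip_address(dst).packed)
    return ip + opts + tcp
```

Checksums are left at zero because nothing here verifies them; a real filter or sensor would sit behind a stack that already validated them.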

Malicious Software

  • Definition: Program covertly inserted into another program to destroy data, run harmful programs, or compromise confidentiality, integrity, or the availability of the data, applications, or operating system.
  • Malware Types:
    • Virus
    • Worm
    • Trojan Horse
    • Spyware
    • Rootkit
    • Backdoor
    • Mobile code
    • Bot
  • Malware Defense
    • Real-time/Near Real-time.
    • Network Traffic Analysis.
    • Payload Analysis.
    • Endpoint Behavior Analysis.
    • Incident Management and Forensics.

Denial-of-Service Attacks

  • Overview: Attacks that make computer systems/networks inaccessible by flooding them with useless traffic.
  • Direct DDoS Attack:
    • Attacker implants malicious software (zombie) on many sites across the internet to create master and slave networks for coordinated attacks against the target machine.
  • Reflector DDoS Attack:
    • Slave zombies send packets to uninfected machines, known as reflectors. These machines respond with packets targeted back at the target machine.

BGP (Border Gateway Protocol)

  • Overview: Used to exchange routing information between autonomous systems (ASs) on the internet.
  • Messages: Has defined messages (OPEN, UPDATE, NOTIFICATION, KEEPALIVE, ROUTE-REFRESH) used in inter-system communication.
  • Security: BGP is vulnerable to TCP threats (e.g., eavesdropping, spurious session resets, session capture, message alteration) and to other threats (e.g., session hijacking, replay attacks, withholding traffic, and saturation attacks).
  • BGP Issues: Verification of BGP identities, BGP information, and forwarding paths is crucial, but these are often insufficiently validated.
  • BGP security requirements: BGP messages should contain cryptographic signatures; the order of the announced prefix in the advertisements must be correct.
  • BGP Weaknesses: No mechanism for protecting the integrity/authenticity of BGP update messages.
  • BGP Session Protection: Uses IPsec or TCP-based approaches for better security.
  • Secure BGP: Implements digital signatures on the address and AS Path information contained in routing advertisements.

Scalability, Control, and Isolation on Next-Generation Networks

  • Motivation: Aims to increase Internet availability by addressing outages and hijacking.
  • Reasons for outages:
    • Protocols (e.g., BGP protocol).
    • Route changes and delays.
    • Misconfigurations.
    • Attacks (e.g., hijacking).
  • SCION Network Availability:
    • Availability is the main issue in securing network communications and preventing disruption.
    • Attack objectives can include disrupting routing systems, DDoS attacks, or address hijacking.
  • SCION Limitations:
    • Frequent changes.
    • Slow convergence.
    • Vulnerability to attacks and misconfigurations.
    • Poor path predictability/reliability.

The Onion Routing

  • Overview: Widely used anonymity network based on Onion Routing ideas. First released in 2002.
  • Tunneling: Diagram illustrates the relay system used for secure communication in Onion Routing.
  • TLS Tunneling: Shows step-by-step illustration of secure communication.

Zero Trust Architecture

  • Motivation: An enterprise's cybersecurity plan. Response to trends such as remote users, Bring Your Own Device (BYOD), and cloud-based assets.
  • Zero Trust Access: Subjects gaining access to enterprise resources must be authenticated, and requests validated by PDP/PEP.
  • Logical Components: Diagram illustrates the control plane (Policy Engine, Policy Administrator, Policy Decision Point) and the data plane (System, Gateway, and Enterprise Resource).
  • Deployment: Different models for ZTA, including device agent/gateway, enclave gateway, and resource portal, each illustrated by a diagram.
  • Threats:
    • ZTA decision process issues.
    • Denial of service, disruption.
    • Theft of credentials and insider threats.
    • Network visibility.

SCION Overview

  • Control Plane: Responsible for finding and disseminating paths. Includes path exploration and registration functions.
  • Data Plane: Responsible for how packets are sent. This includes path lookups and combination of segments.

SCION Problems and Issues

  • Weakest-link security issues
  • Revocation problem
  • Various schemes and trust issues
  • Transparency problem
  • Imbalance
  • Misconfigurations
  • Lack of Scalability

SCION Use Cases

  • SCION's use in the ETH domain, the secure Swiss financial network, and SWITCHlan SCION Access.

SCION Deployment

  • Core routers are set up at the borders of ISPs to collect customer access.
  • No changes to the network infrastructure needed.
  • SCION IP gateway facilitates integration with existing networks.
  • No end host or application upgrades are needed when implementing SCION.
