Cybersecurity Threats and Protections Quiz
45 Questions
Questions and Answers

What type of network infrastructure is primarily used to monitor internal servers and database resources?

  • NIDS (correct)
  • LAN switch
  • Workstation
  • Router

Which of the following is NOT a common type of malware?

  • Rootkit
  • Trojan Horse
  • Firewall (correct)
  • Botnet

According to NIST SP 800-83, what is the primary purpose of malware?

  • To enhance system performance
  • To compromise the confidentiality, integrity, or availability of data (correct)
  • To improve user experience
  • To provide a secure communication channel

Which type of malware is designed to replicate itself and spread to other systems?

Answer: Worm (A)

Which of the following is NOT a common method of malware distribution?

Answer: Security updates (C)

What type of network infrastructure is commonly used to support user workstations within a single department?

Answer: LAN (A)

Which of the following is a type of malware that can be used to control a compromised system remotely?

Answer: Bot (A)

What is the primary difference between a virus and a worm?

Answer: A virus requires user interaction to spread, while a worm can spread independently. (A)

What is the primary purpose of a Host-Based IDS?

Answer: To detect intrusions and log suspicious events (A)

Which of the following methods can a Host-Based IDS use for detection?

Answer: Anomaly detection strategies (A)

How does a Network IDS capture network traffic?

Answer: By placing network interface cards in promiscuous mode (B)

What type of signatures might a Network IDS use to detect attacks?

Answer: String signatures (C)

Which type of intrusions can a Host-Based IDS detect?

Answer: Both external and internal intrusions (D)

Which ports are frequently attacked according to the provided information?

Answer: Port 21 (D)

What is a characteristic of packets considered to be of interest?

Answer: They match a specific signature (D)

Where is a Network Intrusion Detection System (NIDS) typically placed to monitor for penetration attempts?

Answer: Outside the enterprise firewall (C)

What combination of packet conditions is an example of a condition that should be monitored?

Answer: TCP segment with SYN and FIN bits set (B)

What is a key purpose of placing a NIDS in the DMZ of a network?

Answer: To monitor for penetration attempts targeting exposed services (D)

Which of the following is NOT true about dangerous packet combinations?

Answer: They only occur during network maintenance (B)

What role does an internal firewall play in network security?

Answer: To filter traffic between the LAN and outgoing connections (B)

Which of these ports is NOT listed as frequently attacked?

Answer: Port 25 (B)

What is the main assumption of Zero Trust regarding trust levels for users and assets?

Answer: Implicit trust is not granted based solely on location or ownership. (C)

What does Zero Trust Architecture (ZTA) aim to protect?

Answer: Resources like services and workflows. (A)

Which components are included in Zero Trust Access (ZTA)?

Answer: Policy Decision Point and Policy Enforcement Point. (D)

What must the system validate before granting access to an enterprise resource?

Answer: The authenticity of the subject and validity of the request. (C)

Which deployment model is NOT mentioned in the ZTA deployment types?

Answer: Network Segment Model. (B)

What is the focus of attack prevention mechanisms in DDoS countermeasures?

Answer: Modifying systems and protocols to reduce DDoS risks (B)

What is a potential threat to Zero Trust Architecture?

Answer: Use of Non-person Entities in ZTA Administration. (C)

What primarily occurs during a direct DDoS attack?

Answer: A victim's resources are overwhelmed directly by incoming traffic (C)

What is the role of the Policy Enforcement Point (PEP)?

Answer: To pass judgment on access requests. (B)

What is the primary goal of a Denial-of-Service (DoS) attack?

Answer: To make services unavailable to legitimate users (A)

What is a characteristic of reflector DDoS attacks?

Answer: They utilize other systems to amplify the attack (A)

What is one common misconception about Zero Trust concerning user accounts?

Answer: User accounts need no validation for access. (A)

How does a typical Distributed Denial-of-Service (DDoS) attack operate?

Answer: Via numerous compromised hosts sending useless packets (C)

Which of the following is a method of attack detection during a DDoS attack?

Answer: Looking for suspicious patterns of behavior (A)

What was the main purpose of the first release of Onion Routing in 2002?

Answer: To provide anonymity for users and servers (C)

What characterizes a Distributed SYN Flood attack?

Answer: It involves multiple slave servers sending SYN packets. (A)

How does TLS tunneling enhance Onion Routing's effectiveness?

Answer: By providing encryption for data in transit (B)

What happens when a server experiences a DoS attack?

Answer: Server resources become flooded with useless traffic. (A)

Which of the following best describes the impact of a DoS attack on users?

Answer: Users are completely blocked from accessing the service. (B)

What is a limitation of attack source traceback in DDoS countermeasures?

Answer: It often yields results too slowly to mitigate ongoing attacks (C)

Which aspect of the Onion Routing framework helps mitigate against side channel attacks?

Answer: Use of a customized browser (C)

What distinguishes a DDoS attack from a standard DoS attack?

Answer: DDoS attacks involve multiple sources of attack traffic. (B)

In the context of network security, what primarily makes an attack 'distributed'?

Answer: The attack originates from multiple locations or devices. (B)

When a DDoS attack is successful, what is an immediate effect on the targeted web server?

Answer: The server may become inaccessible to users due to overload. (C)

    Study Notes

    Network Security

    • XII: Network Endpoint Security
    • Presented by Prof. Dr. Torsten Braun, Institute for Informatics
    • Dates: December 2nd, 2024 - December 9th, 2024
    • Location: Bern

    Table of Contents

    • Firewalls
    • Intrusion Detection Systems
    • Malicious Software
    • Denial of Service Attacks
    • The Onion Routing
    • Securing BGP Inter-Domain Routing
    • Scalability, Control, and Isolation on Next-Generation Networks
    • NIST Zero-Trust Architecture

    Firewalls

    • Introduction
      • Important complement to host-based security services (like intrusion detection systems).
      • Typically placed between the internal network and the internet, creating a controlled link and an outer security wall.
      • Provides an additional layer of defense and isolates internal systems from external networks.
    • Design Goals
      • All traffic in both directions must pass through the firewall. This is achieved by blocking all access to the local network except via the firewall.
      • The firewall itself must be invulnerable to penetration, which requires a hardened system with a secured operating system.
    • Techniques
      • Service control: Determines inbound and outbound internet services accessible. Firewalls may filter traffic by IP address, protocol, or port number.
      • Direction control: Determines the direction of service requests flowing through the firewall.
      • User control: Controls access to a service based on the user attempting to access it (typically applied to local users).
    • Capabilities
      • Defines a single choke point to prevent unauthorized users from entering/leaving the network.
      • Prohibits potentially vulnerable services.
      • Provides protection against various IP spoofing and routing attacks.
      • Consolidates security capabilities on a single system.
    • Limitations
      • Cannot protect against attacks that bypass the firewall.
      • May not fully protect against internal threats (e.g., misbehaving employees).
      • An improperly secured wireless LAN can be accessed from outside the organization.
      • Mobile devices can be used to infect the internal network.
    • General Model
      • Diagram showing internal (protected network) and external (untrusted network) with a firewall between them.
      • Types of firewalls discussed: Packet Filtering, Stateful Inspection, Application Proxy, and Circuit-level Proxy Firewalls.
    • Packet Filtering Firewall
      • Filtering rules based on matching fields in the IP or TCP header (e.g., source/destination IP address, port number). Default policy: discard any packet that matches no rule.

    Firewalls (Cont.)

    • Examples (Packet Filtering Example)
      • Rule sets for controlling inbound and outbound traffic (e.g., allowing or blocking traffic to/from a certain port number).
    • Weaknesses
      • Doesn't analyze upper-layer data, making it vulnerable to specific application vulnerabilities.
      • Limited logging functionality with restricted log information.
    • Attacks and Countermeasures
      • IP address spoofing: Discard packets with inside source addresses arriving on external interfaces.
      • Source routing attacks: Discard packets using this option.
      • Tiny fragment attacks: Enforce a rule that the first packet fragment contains a predefined minimum amount of transport header data. Discard all subsequent fragments if the first is rejected.

    Intrusion Detection Systems

    • Terms
      • Intrusion: Violations of security policy, including attempts to affect confidentiality, integrity, or availability.
      • Intrusion Detection: Process of collecting information about events in a computer system or network, analyzing them for intrusion signs.
      • Intrusion Detection System (IDS): Hardware or software that gathers/analyzes information to find and warn about unauthorized access attempts.
    • Classification
      • Host-based IDS: Monitors a single host for suspicious activity and events.
      • Network-based IDS: Monitors network traffic for suspicious activity on particular network segments or devices.
    • Components
      • Sensors: Collect data from the system (e.g., network packets, logs).
      • Analyzers: Process sensor data to determine whether an intrusion occurred and trigger actions as necessary.
      • User interface: Allows users to view alerts and system behavior.

    Intrusion Detection Systems (Cont.)

    • Misuse and Anomaly Detection
      • Misuse detection: Based on known attack patterns or signatures.
      • Anomaly detection: Looks for deviations from normal behavior.
    • Behavior of Intruders and Authorized Users
      • Diagram showing different behavior profiles (normal and intruder) in a density function.
    • Host-Based IDS
      • Adds a specialized security layer for vulnerable systems (like database servers).
      • Monitors system activity for suspicious behavior.
      • Can halt attacks before damage occurs.
      • Logs suspicious events and sends alerts.
    • Network IDS
      • Monitors network traffic within particular segments.
    • Network IDS Location
      • Outside main enterprise firewalls.
      • In the network DMZ (Demilitarized Zone).
      • Behind internal firewalls to monitor internal/external traffic.
    • Network IDS Function
      • String signatures: Identify attack strings/text.
      • Port signatures: Watch for connection attempts to commonly attacked ports.
      • Header condition signatures: Analyze headers for unusual, suspicious patterns.

    Malicious Software: Overview

    • Definition: Program covertly inserted into another program to destroy data, run harmful programs, or compromise confidentiality, integrity, or the availability of the data, applications, or operating system.
    • Malware Types:
      • Virus
      • Worm
      • Trojan Horse
      • Spyware
      • Rootkit
      • Backdoor
      • Mobile code
      • Bot
    • Malware Defense
      • Real-time/Near Real-time.
      • Network Traffic Analysis.
      • Payload Analysis.
      • Endpoint Behavior Analysis.
      • Incident Management and Forensics.

    Denial-of-Service Attacks

    • Overview: Attacks that make computer systems/networks inaccessible by flooding them with useless traffic.
    • Direct DDoS Attack:
      • Attacker implants malicious software (zombie) on many sites across the internet to create master and slave networks for coordinated attacks against the target machine.
    • Reflector DDoS Attack:
      • Slave zombies send packets to uninfected machines, known as reflectors. These machines respond with packets targeted back at the target machine.

    BGP (Border Gateway Protocol)

    • Overview: Used to exchange routing information between autonomous systems (ASs) on the internet.
    • Messages: Has defined messages (OPEN, UPDATE, NOTIFICATION, KEEPALIVE, ROUTE-REFRESH) used in inter-system communication.
    • Security: BGP is vulnerable to TCP threats (e.g., eavesdropping, spurious session resets, session capture, message alteration) and other threats (e.g., session hijacking, replay attacks, withholding traffic, and saturation attacks).
    • BGP Issues: Verification of BGP identities, BGP information, and forwarding paths is crucial, but these are often insufficiently validated.
    • BGP security requirements: BGP messages should contain cryptographic signatures; the order of the announced prefix in the advertisements must be correct.
    • BGP Weaknesses: No mechanism for protecting the integrity/authenticity of BGP update messages.
    • BGP Session Protection: Uses IPSec or TCP-based approaches for better security.
    • Secure BGP: Implements digital signatures on the address and AS Path information contained in routing advertisements.

    Scalability, Control, and Isolation on Next-Generation Networks

    • Motivation: Aims to increase Internet availability by addressing outages and hijacking.
    • Reasons for outages:
      • Protocols (e.g., BGP protocol).
      • Route changes and delays.
      • Misconfigurations.
      • Attacks (e.g., hijacking).
    • SCION Network Availability:
      • Availability is the main issue in securing network communications and preventing disruption.
      • Attack objectives can include disrupting routing systems, DDoS attacks, or address hijacking.
    • SCION Limitations:
      • Frequent changes.
      • Slow convergence.
      • Vulnerability to attacks and misconfigurations.
      • Poor path predictability/reliability.

    The Onion Routing

    • Overview: Widely used anonymity network based on Onion Routing ideas. First released in 2002.
    • Tunneling: Diagram illustrates the relay system used for secure communication in Onion Routing.
    • TLS Tunneling: Shows step-by-step illustration of secure communication.

    Zero Trust Architecture

    • Motivation: An enterprise's cybersecurity plan. Response to trends such as remote users, Bring Your Own Device (BYOD), and cloud-based assets.
    • Zero Trust Access: Subjects gaining access to enterprise resources must be authenticated, and requests validated by PDP/PEP.
    • Logical Components: Diagram illustrates the control plane (Policy Engine, Policy Administrator, Policy Decision Point) and the data plane (System, Gateway, and Enterprise Resource).
    • Deployment: Different models for ZTA, including device agent/gateway, enclave gateway, and resource portal, each illustrated by a diagram.
    • Threats:
      • ZTA decision process issues
      • Denial of service, disruption.
      • Theft of credentials and insider threats.
      • Network visibility

    SCION Overview:

    • Control Plane: Responsible for finding and disseminating paths. Includes path exploration and registration functions.
    • Data Plane: Responsible for how packets are sent. This includes path lookups and combination of segments.

    SCION Problems and Issues:

    • Weakest-link security issues
    • Revocation problem
    • Various schemes and trust issues
    • Transparency problem
    • Imbalance
    • Misconfigurations
    • Lack of Scalability

    SCION Use Cases:

    • SCION's use in the ETH domain, the secure Swiss financial network, and SWITCHlan SCION Access.

    SCION Deployment:

    • Core routers are set up at the borders of ISPs to collect customer access.
    • No changes to the network infrastructure needed.
    • SCION IP gateway facilitates integration with existing networks.
    • No end host or application upgrades are needed when implementing SCION.

    Description

    Test your knowledge on cybersecurity concepts, including types of malware, intrusion detection systems, and network infrastructure. This quiz covers various aspects of protecting internal servers and understanding common vulnerabilities in systems. Perfect for students and professionals involved in IT security.
