CNET 1105 CH4 QUIZ

Questions and Answers

What is the main difference between a host-based firewall and a network-based firewall?

The level of security it provides

The operating system used

The number of computers it protects (correct)

The type of network it protects

What is the purpose of a Network Address Translation (NAT) Firewall?

To filter incoming network traffic

To provide extra security for web servers

To improve network communication speed

To hide or masquerade the private addresses of network hosts (correct)

Why should port-scanning not be done on public servers on the Internet or on a company network without permission?

Because it can be seen as a precursor to a network attack. (correct)

Because it can be used to identify the operating system and services running on a computer or host.

Because it can be used to identify open ports on a local home network.

Because it can be used to verify network security policies on the network.

How can you discover your public IP address to execute a port-scan of your network from outside of the network?

By using a search engine like Google with the query 'what is my ip address'.

What is the purpose of a port-scanning tool like Nmap in network security?

To verify network security policies on the network.

What is the primary function of a Virtual Private Network (VPN) server and client technology?

Secure encrypted tunneling

What is the primary goal of implementing access controls in security best practices?

To configure user roles and privilege levels

What is the primary way that a bot computer becomes infected?

Opening an infected email attachment

What is the primary goal of the reconnaissance stage in a kill chain?

To identify potential entry points and understand the target's security posture

What is the purpose of a honeypot in behavior-based detection?

To lure attackers in and capture their behavior

What is the primary mission of a Computer Security Incident Response Team (CSIRT)?

To help ensure company, system, and data preservation

What is the primary purpose of a security playbook?

To detect and respond to cybersecurity events through repeatable queries

What is the primary function of a SIEM system?

To collect and analyze security alerts, logs and other real-time and historical data from security devices on the network

What is the primary function of a DLP system?

To monitor and protect data in three different states

What is the feature of an Intrusion Prevention System (IPS) that distinguishes it from an IDS?

The ability to block or deny traffic based on a positive rule or signature match

Study Notes

Firewall Basics

• A firewall is a security system that controls incoming and outgoing network traffic based on predetermined security rules.
• Firewalls can be installed on a single computer (host-based) or as a standalone device to protect an entire network (network-based).

Types of Firewalls

• Network Layer Firewall: filters traffic based on source and destination IP addresses.
• Transport Layer Firewall: filters traffic based on source and destination data ports and connection states.
• Application Layer Firewall: filters traffic based on specific applications, programs, or services.
• Context Aware Application Firewall: filters traffic based on user, device, role, application type, and threat profile.

Proxy Servers

• Proxy Server: filters web content requests based on URL, domain, media, and other criteria.
• Reverse Proxy Server: placed in front of web servers, it protects, hides, offloads, and distributes access to web servers.

Other Firewall Types

• Network Address Translation (NAT) Firewall: hides or masquerades private addresses of network hosts.
• Host-based Firewall: filters ports and system service calls on a single computer operating system.

Port Scanning

• Port scanning is a process of probing a computer, server, or other network host for open ports.
• Each application running on a device is assigned an identifier called a port number, used to pass data to the correct application.
• Port scanning can be used maliciously to identify the operating system and services running on a computer or host, or harmlessly by a network administrator to verify network security policies.

Nmap Port Scanning

• Nmap is a port-scanning tool used to find all open ports on a network.
• To execute an Nmap port-scan, download and launch a program like Zenmap, provide the target IP address, choose a default scanning profile, and press scan.
• The Nmap scan will report any services that are running (e.g., web services, mail services, etc.) and port numbers.

Port Scanning Responses

• Scanning a port can result in one of three responses:
  • Open or Accepted: The host replied indicating a service is listening on the port.
  • Closed, Denied, or Not Listening: The host replied indicating that connections will be denied to the port.
  • Filtered, Dropped, or Blocked: There was no reply from the host.

External Port Scanning

• To execute a port-scan of a network from outside, initiate the scan from outside the network.
• This involves running an Nmap port-scan against the firewall or router's public IP address.
• To find the public IP address, use a search engine with the query "what is my ip address".

Online Port Scanning

• The Nmap Online Port Scanner can be used to run a port-scan for six common ports against a home router or firewall.
• Enter the public IP address in the input box and press Quick Nmap Scan.
• If the response is open for any of the ports (21, 22, 25, 80, 443, or 3389), it likely indicates port forwarding has been enabled on the router or firewall, and servers are running on the private network.

Security Appliances

• There is no single security appliance that can meet all network security needs, and a combination of appliances is required for effective security.

Types of Security Appliances

• Routers:
  • Have firewall capabilities besides routing functions
  • Examples: Cisco Integrated Services Router (ISR) routers
  • Features: traffic filtering, Intrusion Prevention System (IPS), encryption, and VPN capabilities
• Firewalls:
  • Have advanced network management and analytics capabilities
  • Examples: Cisco Next Generation Firewalls, Cisco Adaptive Security Appliance (ASA)
• IPS (Intrusion Prevention System) Devices:
  • Dedicated to intrusion prevention
  • Examples: Cisco Next Generation IPS devices
• VPN (Virtual Private Network) Devices:
  • Equipped with VPN server and client technologies
  • Designed for secure encrypted tunneling
• Malware/Antivirus:
  • Examples: Cisco Advanced Malware Protection (AMP)
  • Can be installed in: next-generation Cisco routers, firewalls, IPS devices, Web and Email Security Appliances, and host computers
• Other Security Devices:
  • Examples: web and email security appliances, decryption devices, client access control servers, and security management systems

Malware Defense

• Zero-day attacks and Advanced Persistent Threats (APTs) require robust defense strategies to prevent data theft.
• Enterprise-level advanced malware detection solutions provide real-time malware detection against evolving threats.
• Network administrators must monitor networks constantly for signs of malware or APT behavior.

Cisco Advanced Malware Protection (AMP) Threat Grid

• AMP analyzes millions of files and correlates them against hundreds of millions of malware artifacts for global threat insights.
• Provides a comprehensive view of malware attacks, campaigns, and distribution patterns.
• AMP is a client/server software that can be deployed on:
  • Host endpoints
  • Standalone servers
  • Network security devices
• The AMP Threat Grid offers enhanced protection against malware attacks.

Security Best Practices

• Perform risk assessments to determine the value of assets and justify security expenditures
• Create a security policy outlining company rules, job duties, and expectations
• Implement physical security measures, such as:
  • Restricting access to networking closets and server locations
  • Installing fire suppression systems
• Conduct thorough background checks on employees as part of human resource security measures
• Regularly perform and test backups to ensure data recovery
• Maintain up-to-date security patches and updates for:
  • Server operating systems
  • Client operating systems
  • Network device operating systems
  • Programs and applications
• Employ access controls, including:
  • Configuring user roles and privilege levels
  • Implementing strong user authentication
• Establish an incident response team and regularly test emergency response scenarios
• Implement a network monitoring, analytics, and management tool that integrates with other technologies
• Use next-generation security devices, including:
  • Routers
  • Firewalls
  • Other security appliances
• Implement a comprehensive endpoint security solution, featuring:
  • Enterprise-level antimalware and antivirus software
• Educate users and employees on secure procedures
• Encrypt all sensitive company data, including:
  • Email

Cybersecurity Resources

• National Institute of Standards and Technology (NIST) Computer Security Resource Center
• SANS Institute for cybersecurity training and certifications

Botnet Definition and Characteristics

• A botnet is a group of bots connected through the Internet, controlled by a malicious individual or group.
• Bot computers are typically infected through visiting a malicious website, opening an infected email attachment, or opening an infected media file.

Botnet Capabilities

• Can have tens of thousands to hundreds of thousands of bots.
• Bots can be activated to:
  • Distribute malware
  • Launch DDoS attacks
  • Distribute spam email
  • Execute brute force password attacks

Botnet Control and Rental

• Botnets are typically controlled through a command and control server.
• Cyber criminals often rent out botnets to third parties for nefarious purposes, for a fee.

Botnet Traffic Filter

• A botnet traffic filter is used to inform the worldwide security community of botnet locations.

Kill Chain

• A model used to describe the stages of a cyber attack, from initial reconnaissance to exfiltration of data.

Reconnaissance

• Gathering information about the target organization or individual.
• Identifying vulnerabilities, networks, systems, and personnel.
• Information gathering techniques include:
  • OSINT (Open-Source Intelligence): using publicly available information.
  • Social engineering: exploiting human behavior.
  • Network scanning: identifying open ports, services, and systems.
• Goals:
  • Identify potential entry points.
  • Understand the target's security posture.

Weaponization

• Creating or acquiring an exploit or malware.
• Customizing the exploit or malware for the target.
• Types of exploits include:
  • Zero-day exploits: previously unknown vulnerabilities.
  • Known exploits: publicly disclosed vulnerabilities.
  • Custom exploits: tailored to the target.
• Goals:
  • Develop a working exploit or malware.
  • Ensure the exploit or malware evades detection.

Delivery

• Transmitting the exploit or malware to the target.
• Methods include:
  • Phishing: social engineering via email or messaging.
  • Watering hole attack: compromising a website or network.
  • USB drop: infecting devices via USB drives.
  • Spear phishing: targeted email attacks.
• Goals:
  • Successfully deliver the exploit or malware.
  • Bypass security controls and perimeter defenses.

Installation

• Installing the malware or exploit on the target system.
• Establishing a foothold for further exploitation.
• Techniques include:
  • Code injection: inserting malicious code.
  • Privilege escalation: gaining elevated access.
  • Persistence: maintaining access despite system restarts.
• Goals:
  • Gain initial access to the target system.
  • Prepare for further exploitation and data exfiltration.

Behavior-Based Security

• A form of threat detection that doesn't rely on known malicious signatures
• Uses informational context to detect anomalies in the network

Behavior-Based Detection

• Involves capturing and analyzing the flow of communication between a user and a local/remote destination
• Reveals context and patterns of behavior to detect anomalies
• Can discover the presence of an attack by a change from normal behavior

Honeypots

• A behavior-based detection tool that lures attackers in by appealing to their predicted malicious behavior
• Allows administrators to capture, log, and analyze the attacker's behavior
• Enables administrators to gain more knowledge and build a better defense

Cisco's Cyber Threat Defense Solution Architecture

• A security architecture that uses behavior-based detection and indicators
• Provides greater visibility, context, and control
• Aims to answer who, what, where, when, and how an attack is taking place
• Utilizes many security technologies to achieve its goal

Computer Security Incident Response Team (CSIRT)

• Large organizations have a CSIRT to receive, review, and respond to computer security incident reports
• Primary mission of CSIRT is to ensure company, system, and data preservation by performing comprehensive investigations into computer security incidents

Proactive Services of CSIRT

• Provides proactive threat assessment to prevent security incidents
• Offers mitigation planning to minimize the impact of incidents
• Conducts incident trend analysis to identify patterns and potential threats
• Performs security architecture review to identify vulnerabilities

Collaboration and Partnerships

• Cisco CSIRT collaborates with multiple organizations, including:
  • Forum of Incident Response and Security Teams (FIRST)
  • National Safety Information Exchange (NSIE)
  • Defense Security Information Exchange (DSIE)
  • DNS Operations Analysis and Research Center (DNS-OARC)

National and Public CSIRT Organizations

• CERT Division of the Software Engineering Institute at Carnegie Mellon University is a national and public CSIRT organization
• Aims to help organizations and national CSIRTs develop, operate, and improve their incident management capabilities

Cybersecurity Concerns

• The constant evolution of technology means cyberattacks are also evolving, leading to new vulnerabilities and attack methods.
• Security breaches can have significant reputation and financial impacts on organizations.

Preparing for a Security Breach

• Organizations should have plans to prepare for, deal with, and recover from a breach.
• Preventing a breach is one of the best ways to prepare, through identifying cybersecurity risks, protecting systems with safeguards and personnel training, and detecting events as soon as possible.

Responding to a Security Breach

• When a breach is detected, take appropriate actions to minimize impact and damage.
• The response plan should be flexible with multiple action options during the breach.
• After containment and restoration, update security measures and processes to include lessons learned.

Security Playbook

• A security playbook is a collection of repeatable queries against security event data sources for incident detection and response.
• A security playbook should accomplish the following actions:
  • Detect malware-infected machines
  • Detect suspicious network activity
  • Detect irregular authentication attempts
  • Describe and understand inbound and outbound traffic
  • Provide summary information, including trends, statistics, and counts
  • Provide quick access to statistics and metrics
  • Correlate events across all relevant data sources

Security Tools

• SIEM (Security Information and Event Management) system collects and analyzes security alerts, logs, and real-time/historical data from security devices on the network.

Data Loss Prevention (DLP)

• DLP software/hardware is designed to prevent sensitive data theft/loss from a network.
• DLP systems focus on three data states:
  • Data in-use (client-focused)
  • Data in-motion (data traveling through the network)
  • Data at-rest (data storage)

Cisco ISE and TrustSec

• Cisco Identity Services Engine (ISE) enforces access to network resources through role-based access control policies.
• Cisco TrustSec segments access to the network (guests, mobile users, employees) without added complexity.
• Traffic classification is based on user or device identity.

Data Loss Prevention (DLP) Software

• Designed to prevent sensitive data from being stolen or escaping a network
• Monitors and controls various data-related activities, including:
  • File access authorization
  • Data exchange
  • Data copying
  • User activity monitoring

Data Protection States

• Data in-use: focuses on the client side, where data is being actively used or processed
• Data in-motion: refers to data as it travels through the network, during transmission
• Data at-rest: refers to data storage, where data is stored in a static state

Intrusion Detection System (IDS)

• An IDS is a device or tool that scans data against a database of rules or attack signatures to detect malicious traffic
• If a match is detected, the IDS logs the detection and creates an alert for a network administrator
• IDS does not take action when a match is detected, its job is to detect, log, and report
• Scanning performed by IDS can cause network latency
• To prevent network delay, IDS is usually placed offline, separate from regular network traffic
• Data is copied or mirrored by a switch and then forwarded to the IDS for offline detection
• IDS tools can also be installed on top of a host computer operating system, such as Linux or Windows

Intrusion Prevention System (IPS)

• An IPS has the ability to block or deny traffic based on a positive rule or signature match
• Well-known IPS/IDS systems include Snort and Cisco's Sourcefire
• Sourcefire can perform real-time traffic and port analysis, logging, content searching and matching
• Sourcefire can detect probes, attacks, and port scans
• Sourcefire integrates with other third-party tools for reporting, performance, and log analysis