CNET 1105 CH4 QUIZ
15 Questions

Questions and Answers

What is the main difference between a host-based firewall and a network-based firewall?

  • The level of security it provides
  • The operating system used
  • The number of computers it protects (correct)
  • The type of network it protects

What is the purpose of a Network Address Translation (NAT) Firewall?

  • To filter incoming network traffic
  • To provide extra security for web servers
  • To improve network communication speed
  • To hide or masquerade the private addresses of network hosts (correct)

Why should port-scanning not be done on public servers on the Internet or on a company network without permission?

  • Because it can be seen as a precursor to a network attack. (correct)
  • Because it can be used to identify the operating system and services running on a computer or host.
  • Because it can be used to identify open ports on a local home network.
  • Because it can be used to verify network security policies on the network.

How can you discover your public IP address to execute a port-scan of your network from outside of the network?

Answer: By using a search engine like Google with the query 'what is my ip address'.

What is the purpose of a port-scanning tool like Nmap in network security?

Answer: To verify network security policies on the network.

What is the primary function of a Virtual Private Network (VPN) server and client technology?

Answer: Secure encrypted tunneling.

What is the primary goal of implementing access controls in security best practices?

Answer: To configure user roles and privilege levels.

What is the primary way that a bot computer becomes infected?

Answer: Opening an infected email attachment.

What is the primary goal of the reconnaissance stage in a kill chain?

Answer: To identify potential entry points and understand the target's security posture.

What is the purpose of a honeypot in behavior-based detection?

Answer: To lure attackers in and capture their behavior.

What is the primary mission of a Computer Security Incident Response Team (CSIRT)?

Answer: To help ensure company, system, and data preservation.

What is the primary purpose of a security playbook?

Answer: To detect and respond to cybersecurity events through repeatable queries.

What is the primary function of a SIEM system?

Answer: To collect and analyze security alerts, logs and other real-time and historical data from security devices on the network.

What is the primary function of a DLP system?

Answer: To monitor and protect data in three different states.

What is the feature of an Intrusion Prevention System (IPS) that distinguishes it from an IDS?

Answer: The ability to block or deny traffic based on a positive rule or signature match.

    Study Notes

    Firewall Basics

    • A firewall is a security system that controls incoming and outgoing network traffic based on predetermined security rules.
    • Firewalls can be installed on a single computer (host-based) or as a standalone device to protect an entire network (network-based).

    Types of Firewalls

    • Network Layer Firewall: filters traffic based on source and destination IP addresses.
    • Transport Layer Firewall: filters traffic based on source and destination data ports and connection states.
    • Application Layer Firewall: filters traffic based on specific applications, programs, or services.
    • Context Aware Application Firewall: filters traffic based on user, device, role, application type, and threat profile.

    Proxy Servers

    • Proxy Server: filters web content requests based on URL, domain, media, and other criteria.
    • Reverse Proxy Server: placed in front of web servers, it protects, hides, offloads, and distributes access to web servers.

    Other Firewall Types

    • Network Address Translation (NAT) Firewall: hides or masquerades private addresses of network hosts.
    • Host-based Firewall: filters ports and system service calls on a single computer operating system.
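The transport-layer and NAT firewall bullets above are easier to see in code. The following is an added example written for these notes, not course material: a toy stateful packet filter that applies an ordered rule list (network-layer address match plus transport-layer port match, implicit deny at the end), masquerades outbound traffic behind one public address, and lets replies back in by connection state rather than by rule. All addresses, ports and rules are constructed for the example.

```python
# Added example, not from the course: a toy stateful packet filter with
# outbound NAT masquerading. Addresses, rules and packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src_net: str = "0.0.0.0/0"    # network-layer criteria (addresses)
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None   # transport-layer criterion (destination port)

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


class StatefulNatFirewall:
    """First matching rule wins; unmatched traffic is implicitly denied.
    Replies to connections opened from inside are allowed by connection
    state, so no rule has to open inbound ports for them."""

    def __init__(self, public_ip: str, rules: List[Rule]) -> None:
        self.public_ip = public_ip
        self.rules = rules
        self.next_port = 40000                           # NAT port pool
        self.nat: Dict[Tuple[str, int], int] = {}        # (private ip, port) -> public port
        self.reverse: Dict[int, Tuple[str, int]] = {}    # public port -> (private ip, port)
        self.established: set = set()                    # (remote ip, remote port, public port)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> Internet. Returns the masqueraded packet, or None if denied."""
        if self.verdict(pkt) != "allow":
            return None
        key = (pkt.src, pkt.sport)
        if key not in self.nat:
            self.nat[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        pub_port = self.nat[key]
        self.established.add((pkt.dst, pkt.dport, pub_port))
        # The private address never appears on the outside: that is the masquerade.
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> public address. Returns the packet as delivered inside, or None."""
        if pkt.dst == self.public_ip and (pkt.src, pkt.sport, pkt.dport) in self.established:
            priv_ip, priv_port = self.reverse[pkt.dport]
            return Packet(pkt.src, pkt.sport, priv_ip, priv_port)   # un-NAT the reply
        # Unsolicited traffic needs an explicit allow rule (a port-forward); none exists here.
        return pkt if self.verdict(pkt) == "allow" else None


def demo() -> Dict[str, Optional[str]]:
    fw = StatefulNatFirewall("203.0.113.10", [
        Rule("allow", src_net="192.168.1.0/24", dport=443),   # inside may use HTTPS
        Rule("allow", src_net="192.168.1.0/24", dport=80),    # ...and HTTP
    ])
    https = fw.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 443))
    reply = fw.inbound(Packet("198.51.100.5", 443, "203.0.113.10", https.sport))
    rdp = fw.inbound(Packet("198.51.100.7", 12345, "203.0.113.10", 3389))    # unsolicited
    telnet = fw.outbound(Packet("192.168.1.20", 51001, "198.51.100.5", 23))  # no rule allows it
    return {
        "https_seen_from": https.src,                    # public address, not 192.168.1.20
        "reply_delivered_to": f"{reply.dst}:{reply.dport}",
        "unsolicited_rdp": "dropped" if rdp is None else "passed",
        "outbound_telnet": "dropped" if telnet is None else "passed",
    }


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when running it: the web server on the Internet only ever sees 203.0.113.10, and the inbound RDP probe is dropped without any deny rule being written, because nothing in the rule list matches it and nothing in the connection table explains it.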

    Port Scanning

    • Port scanning is the process of probing a computer, server, or other network host to find out which of its ports are open.
    • A service listening on a host is reached through a transport-layer port number (for example TCP port 80 for a web server); the host uses the destination port to hand incoming data to the correct application.
    • Port scanning can be used maliciously, to identify the operating system and services running on a host before an attack, or legitimately by a network administrator to verify that the network's security policies are actually enforced; in either case, only scan hosts you are authorized to scan.

    Nmap Port Scanning

    • Nmap is a port-scanning tool used to find open ports, and the services behind them, on a host or network.
    • To run an Nmap scan from a graphical interface, launch Zenmap (Nmap's GUI front end), enter the target IP address, choose a scanning profile (the default profile is a reasonable start), and press Scan.
    • The scan reports each open port and the service it appears to carry (web, mail, SSH, and so on).

    Port Scanning Responses

    • Scanning a port can produce one of three responses (Nmap reports them as open, closed, and filtered):
      • Open or Accepted: the host replied and a service is listening on the port.
      • Closed, Denied, or Not Listening: the host replied (for TCP, with a reset) that nothing is listening, so the host is up but the port is unused.
      • Filtered, Dropped, or Blocked: no reply at all, which usually means a firewall silently dropped the probe.

    External Port Scanning

    • A scan run from inside the network only shows what internal hosts can reach; to learn what the network exposes to the Internet, the scan has to originate from a host outside it.
    • This means running an Nmap port-scan against the public IP address of the firewall or router.
    • To find that public IP address from inside the network, use a search engine with the query "what is my ip address"; it reports the address your traffic arrives from, which is the address an outside attacker sees.

    Online Port Scanning

    • The Nmap Online Port Scanner can be used to run a port-scan for six common ports against a home router or firewall.
    • Enter the public IP address in the input box and press Quick Nmap Scan.
    • If the response is open for any of the ports (21 FTP, 22 SSH, 25 SMTP, 80 HTTP, 443 HTTPS, or 3389 RDP), it most likely means port forwarding is enabled on the router or firewall and a server on the private network is reachable from the Internet; check the router's port-forwarding rules and remove any that are not intentional.
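The three port states and the six-port check above can be reproduced with a plain TCP connect() scanner. The block below is an added example for these notes, not course material or Nmap code; it assumes a loopback interface for its self-check and treats both a timeout and a "no route" error as filtered, which is also how Nmap reports a probe that gets no answer. As the notes say, run it only against hosts you are authorized to scan.

```python
# Added example, not from the course: a TCP connect() scanner that labels each
# port with one of the three responses described above, plus a check for the
# six ports the online scanner probes. Only scan hosts you are authorised to scan.
import socket
from typing import Dict, Iterable

COMMON_PORTS = (21, 22, 25, 80, 443, 3389)   # the six ports named in the notes


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    open:     the handshake completed, so a service is listening.
    closed:   the host answered with a reset (ConnectionRefusedError):
              it is up, but nothing listens on that port.
    filtered: no answer before the timeout, or no route at all, which is
              what a firewall silently dropping the probe looks like."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except OSError:           # TimeoutError, "no route to host", ...
            return "filtered"
    return "open"


def scan(host: str, ports: Iterable[int] = COMMON_PORTS, timeout: float = 1.0) -> Dict[int, str]:
    return {port: probe_port(host, port, timeout) for port in ports}


def likely_port_forwarding(results: Dict[int, str]) -> bool:
    """Seen from outside, any common port open on a home router usually means a
    forwarding rule is exposing a server on the private network."""
    return any(results.get(port) == "open" for port in COMMON_PORTS)


def demo_localhost() -> Dict[str, str]:
    """Offline check on the loopback interface: one port with a listener and
    one port that was just released, so the kernel answers it with a reset."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        return {"listening": probe_port("127.0.0.1", listener.getsockname()[1]),
                "released": probe_port("127.0.0.1", closed_port)}
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo_localhost())
```

To reproduce the external check in the notes, run `scan("<your public IP>")` from a host outside your network and pass the result to `likely_port_forwarding`; a connect() scan is noisier than Nmap's default SYN scan, but it needs no raw-socket privileges and the three outcomes are the same.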

    Security Appliances

    • There is no single security appliance that can meet all network security needs, and a combination of appliances is required for effective security.

    Types of Security Appliances

    • Routers:
      • Have firewall capabilities besides routing functions
      • Examples: Cisco Integrated Services Router (ISR) routers
      • Features: traffic filtering, Intrusion Prevention System (IPS), encryption, and VPN capabilities
    • Firewalls:
      • Have advanced network management and analytics capabilities
      • Examples: Cisco Next Generation Firewalls, Cisco Adaptive Security Appliance (ASA)
    • IPS (Intrusion Prevention System) Devices:
      • Dedicated to intrusion prevention
      • Examples: Cisco Next Generation IPS devices
    • VPN (Virtual Private Network) Devices:
      • Equipped with VPN server and client technologies
      • Designed for secure encrypted tunneling
    • Malware/Antivirus:
      • Examples: Cisco Advanced Malware Protection (AMP)
      • Can be installed in: next-generation Cisco routers, firewalls, IPS devices, Web and Email Security Appliances, and host computers
    • Other Security Devices:
      • Examples: web and email security appliances, decryption devices, client access control servers, and security management systems

    Malware Defense

    • Zero-day attacks and Advanced Persistent Threats (APTs) require robust defense strategies to prevent data theft.
    • Enterprise-level advanced malware detection solutions provide real-time malware detection against evolving threats.
    • Network administrators must monitor networks constantly for signs of malware or APT behavior.

    Cisco Advanced Malware Protection (AMP) Threat Grid

    • AMP analyzes millions of files and correlates them against hundreds of millions of malware artifacts for global threat insights.
    • Provides a comprehensive view of malware attacks, campaigns, and distribution patterns.
    • AMP is a client/server software that can be deployed on:
      • Host endpoints
      • Standalone servers
      • Network security devices
    • The AMP Threat Grid offers enhanced protection against malware attacks.

    Security Best Practices

    • Perform risk assessments to determine the value of assets and justify security expenditures
    • Create a security policy outlining company rules, job duties, and expectations
    • Implement physical security measures, such as:
      • Restricting access to networking closets and server locations
      • Installing fire suppression systems
    • Conduct thorough background checks on employees as part of human resource security measures
    • Regularly perform and test backups to ensure data recovery
    • Maintain up-to-date security patches and updates for:
      • Server operating systems
      • Client operating systems
      • Network device operating systems
      • Programs and applications
    • Employ access controls, including:
      • Configuring user roles and privilege levels
      • Implementing strong user authentication
    • Establish an incident response team and regularly test emergency response scenarios
    • Implement a network monitoring, analytics, and management tool that integrates with other technologies
    • Use next-generation security devices, including:
      • Routers
      • Firewalls
      • Other security appliances
    • Implement a comprehensive endpoint security solution, featuring:
      • Enterprise-level antimalware and antivirus software
    • Educate users and employees on secure procedures
    • Encrypt all sensitive company data, including:
      • Email

    Cybersecurity Resources

    • National Institute of Standards and Technology (NIST) Computer Security Resource Center
    • SANS Institute for cybersecurity training and certifications

    Botnet Definition and Characteristics

    • A botnet is a group of bots connected through the Internet, controlled by a malicious individual or group.
    • Bot computers are typically infected through visiting a malicious website, opening an infected email attachment, or opening an infected media file.

    Botnet Capabilities

    • Can have tens of thousands to hundreds of thousands of bots.
    • Bots can be activated to:
      • Distribute malware
      • Launch DDoS attacks
      • Distribute spam email
      • Execute brute force password attacks

    Botnet Control and Rental

    • Botnets are typically controlled through a command and control server.
    • Cyber criminals often rent out botnets to third parties for nefarious purposes, for a fee.

    Botnet Traffic Filter

    • A botnet traffic filter compares network traffic against a database of known botnet command-and-control addresses and domains (Cisco ASA, for example, offers this as a feature); matches identify infected hosts phoning home and can be logged or blocked, and the shared databases behind such filters are how the worldwide security community tracks botnet locations.

    Kill Chain

    • A model used to describe the stages of a cyber attack, from initial reconnaissance to exfiltration of data. The Lockheed Martin Cyber Kill Chain names seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives (such as exfiltration). The notes below summarize reconnaissance, weaponization, delivery, and installation.

    Reconnaissance

    • Gathering information about the target organization or individual.
    • Identifying vulnerabilities, networks, systems, and personnel.
    • Information gathering techniques include:
      • OSINT (Open-Source Intelligence): using publicly available information.
      • Social engineering: exploiting human behavior.
      • Network scanning: identifying open ports, services, and systems.
    • Goals:
      • Identify potential entry points.
      • Understand the target's security posture.

    Weaponization

    • Creating or acquiring an exploit or malware.
    • Customizing the exploit or malware for the target.
    • Types of exploits include:
      • Zero-day exploits: previously unknown vulnerabilities.
      • Known exploits: publicly disclosed vulnerabilities.
      • Custom exploits: tailored to the target.
    • Goals:
      • Develop a working exploit or malware.
      • Ensure the exploit or malware evades detection.

    Delivery

    • Transmitting the exploit or malware to the target.
    • Methods include:
      • Phishing: social engineering via email or messaging.
      • Watering hole attack: compromising a website or network.
      • USB drop: infecting devices via USB drives.
      • Spear phishing: targeted email attacks.
    • Goals:
      • Successfully deliver the exploit or malware.
      • Bypass security controls and perimeter defenses.

    Installation

    • Installing the malware or exploit on the target system.
    • Establishing a foothold for further exploitation.
    • Techniques include:
      • Code injection: inserting malicious code.
      • Privilege escalation: gaining elevated access.
      • Persistence: maintaining access despite system restarts.
    • Goals:
      • Gain initial access to the target system.
      • Prepare for further exploitation and data exfiltration.

    Behavior-Based Security

    • A form of threat detection that doesn't rely on known malicious signatures
    • Uses informational context to detect anomalies in the network

    Behavior-Based Detection

    • Involves capturing and analyzing the flow of communication between a user and a local/remote destination
    • Reveals context and patterns of behavior to detect anomalies
    • Can discover the presence of an attack by a change from normal behavior
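The "change from normal behavior" idea above can be made concrete with a baseline. The following is an added example for these notes, not course material or any Cisco product logic: it builds a per-host baseline of daily outbound volume and of destinations seen from constructed flow summaries, then flags a host whose review-day traffic deviates from its own history. Judging each host against itself is the point: the backup server is not flagged for being busy, and the workstation is flagged without any signature being involved.

```python
# Added example, not from the course: baseline-and-deviation detection over
# constructed per-day flow summaries (host, destination, bytes sent). Nothing
# here matches a signature; a host is flagged because its own behaviour changed.
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    day: int
    host: str
    dst: str
    bytes_out: int


# Constructed data: days 1-7 form the baseline, day 8 is under review.
FLOWS: List[Flow] = []
for day in range(1, 8):
    FLOWS.append(Flow(day, "10.0.0.5", "10.0.0.200", 40_000 + 5_000 * (day % 3)))       # workstation -> file server
    FLOWS.append(Flow(day, "10.0.0.9", "10.0.0.200", 2_000_000 + 100_000 * (day % 2)))  # backup server, always busy
FLOWS.append(Flow(8, "10.0.0.5", "198.51.100.77", 900_000))   # workstation: new destination, 20x its usual volume
FLOWS.append(Flow(8, "10.0.0.9", "10.0.0.200", 2_100_000))    # backup server: normal for it


def baseline(flows: List[Flow], review_day: int) -> Dict[str, tuple]:
    """Per-host mean and population stdev of daily bytes sent before review_day."""
    history = defaultdict(list)
    for f in flows:
        if f.day < review_day:
            history[f.host].append(f.bytes_out)
    return {host: (mean(v), pstdev(v)) for host, v in history.items()}


def volume_anomalies(flows: List[Flow], review_day: int, z_threshold: float = 3.0) -> Dict[str, float]:
    """Hosts whose bytes sent on review_day sit more than z_threshold standard
    deviations above their own baseline."""
    base = baseline(flows, review_day)
    flagged = {}
    for f in flows:
        if f.day != review_day or f.host not in base:
            continue
        mu, sigma = base[f.host]
        if sigma == 0:                                   # perfectly regular history
            score = float("inf") if f.bytes_out > mu else 0.0
        else:
            score = (f.bytes_out - mu) / sigma
        if score > z_threshold:
            flagged[f.host] = round(score, 1)
    return flagged


def new_destinations(flows: List[Flow], review_day: int) -> Dict[str, Set[str]]:
    """Destinations a host talked to on review_day but never before: a change in
    the communication pattern worth correlating with the volume score."""
    seen = defaultdict(set)
    for f in flows:
        if f.day < review_day:
            seen[f.host].add(f.dst)
    novel = defaultdict(set)
    for f in flows:
        if f.day == review_day and f.dst not in seen[f.host]:
            novel[f.host].add(f.dst)
    return dict(novel)


if __name__ == "__main__":
    print(volume_anomalies(FLOWS, 8), new_destinations(FLOWS, 8))
```

A real deployment would use many more baseline days and more features (ports, timing, packet counts), but the shape is the same: learn what normal looks like per entity, then score deviation rather than match a pattern.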

    Honeypots

    • A behavior-based detection tool that lures attackers in by appealing to their predicted malicious behavior
    • Allows administrators to capture, log, and analyze the attacker's behavior
    • Enables administrators to gain more knowledge and build a better defense

    Cisco's Cyber Threat Defense Solution Architecture

    • A security architecture that uses behavior-based detection and indicators
    • Provides greater visibility, context, and control
    • Aims to answer who, what, where, when, and how an attack is taking place
    • Utilizes many security technologies to achieve its goal

    Computer Security Incident Response Team (CSIRT)

    • Large organizations have a CSIRT to receive, review, and respond to computer security incident reports
    • Primary mission of CSIRT is to ensure company, system, and data preservation by performing comprehensive investigations into computer security incidents

    Proactive Services of CSIRT

    • Provides proactive threat assessment to prevent security incidents
    • Offers mitigation planning to minimize the impact of incidents
    • Conducts incident trend analysis to identify patterns and potential threats
    • Performs security architecture review to identify vulnerabilities

    Collaboration and Partnerships

    • Cisco CSIRT collaborates with multiple organizations, including:
      • Forum of Incident Response and Security Teams (FIRST)
      • National Safety Information Exchange (NSIE)
      • Defense Security Information Exchange (DSIE)
      • DNS Operations Analysis and Research Center (DNS-OARC)

    National and Public CSIRT Organizations

    • CERT Division of the Software Engineering Institute at Carnegie Mellon University is a national and public CSIRT organization
    • Aims to help organizations and national CSIRTs develop, operate, and improve their incident management capabilities

    Cybersecurity Concerns

    • The constant evolution of technology means cyberattacks are also evolving, leading to new vulnerabilities and attack methods.
    • Security breaches can have significant reputation and financial impacts on organizations.

    Preparing for a Security Breach

    • Organizations should have plans to prepare for, deal with, and recover from a breach.
    • Preventing a breach is one of the best ways to prepare, through identifying cybersecurity risks, protecting systems with safeguards and personnel training, and detecting events as soon as possible.

    Responding to a Security Breach

    • When a breach is detected, take appropriate actions to minimize impact and damage.
    • The response plan should be flexible with multiple action options during the breach.
    • After containment and restoration, update security measures and processes to include lessons learned.

    Security Playbook

    • A security playbook is a collection of repeatable queries against security event data sources for incident detection and response.
    • A security playbook should accomplish the following actions:
      • Detect malware-infected machines
      • Detect suspicious network activity
      • Detect irregular authentication attempts
      • Describe and understand inbound and outbound traffic
      • Provide summary information, including trends, statistics, and counts
      • Provide quick access to statistics and metrics
      • Correlate events across all relevant data sources

    Security Tools

    • SIEM (Security Information and Event Management) system collects and analyzes security alerts, logs, and real-time/historical data from security devices on the network.
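The playbook actions listed above ("detect irregular authentication attempts", "provide summary information", "correlate events across all relevant data sources") and the SIEM line are the same idea at different scales: repeatable queries over collected logs. The block below is an added example written for these notes, not course material or any vendor's playbook: it runs two queries over constructed sshd and firewall log lines and then correlates them. The hostnames, addresses, the `HOST_IP` asset map and the year assumed for the syslog timestamps are all invented for the example.

```python
# Added example, not from the course: two playbook queries over constructed
# syslog-style lines, then a SIEM-style correlation across the two sources.
# Hostnames, addresses and the asset map are invented for the example.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple

AUTH_LOG = """\
Mar 10 09:00:01 web1 sshd[1201]: Failed password for root from 198.51.100.23 port 40122 ssh2
Mar 10 09:00:02 web1 sshd[1202]: Failed password for root from 198.51.100.23 port 40123 ssh2
Mar 10 09:00:04 web1 sshd[1203]: Failed password for root from 198.51.100.23 port 40125 ssh2
Mar 10 09:00:05 web1 sshd[1204]: Failed password for root from 198.51.100.23 port 40126 ssh2
Mar 10 09:00:07 web1 sshd[1205]: Failed password for root from 198.51.100.23 port 40128 ssh2
Mar 10 09:00:09 web1 sshd[1207]: Accepted password for root from 198.51.100.23 port 40131 ssh2
Mar 10 09:03:00 web1 sshd[1300]: Failed password for alice from 10.0.0.15 port 50000 ssh2
Mar 10 09:03:10 web1 sshd[1301]: Accepted publickey for alice from 10.0.0.15 port 50001 ssh2
""".splitlines()

FW_LOG = """\
Mar 10 08:55:00 fw1 action=allow src=10.0.0.7 dst=10.0.0.200 dport=3306
Mar 10 09:01:30 fw1 action=allow src=10.0.0.7 dst=203.0.113.9 dport=4444
Mar 10 09:04:00 fw1 action=allow src=10.0.0.15 dst=203.0.113.50 dport=443
""".splitlines()

HOST_IP = {"web1": "10.0.0.7"}   # constructed asset inventory: hostname -> address
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Auth(NamedTuple):
    ts: datetime
    host: str
    outcome: str    # "Failed" or "Accepted"
    user: str
    src: str


class Conn(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


AUTH_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+) port")
FW_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ action=allow src=(\S+) dst=(\S+) dport=(\d+)")


def _ts(text: str) -> datetime:
    return datetime.strptime("2024 " + text, "%Y %b %d %H:%M:%S")   # syslog lines carry no year (assumed)


def parse_auth(lines: List[str]) -> List[Auth]:
    return [Auth(_ts(m[1]), m[2], m[3], m[4], m[5]) for m in map(AUTH_RE.match, lines) if m]


def parse_fw(lines: List[str]) -> List[Conn]:
    return [Conn(_ts(m[1]), m[2], m[3], int(m[4])) for m in map(FW_RE.match, lines) if m]


def auth_summary(events: List[Auth]) -> Dict[str, int]:
    """Summary statistics the playbook should expose: counts per outcome."""
    return dict(Counter(e.outcome for e in events))


def irregular_logins(events: List[Auth], threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Query: a success from a source that produced >= threshold failures on the
    same host within the window. Failures alone are background noise; a success
    after many failures is what needs a response."""
    failures = defaultdict(list)
    hits = []
    for e in sorted(events, key=lambda e: e.ts):
        key = (e.src, e.host)
        if e.outcome == "Failed":
            failures[key].append(e.ts)
            continue
        recent = [t for t in failures[key] if e.ts - t <= window]
        if len(recent) >= threshold:
            hits.append({"src": e.src, "host": e.host, "user": e.user, "failures": len(recent), "at": e.ts})
    return hits


def correlate_outbound(hits: List[dict], conns: List[Conn], window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Correlation across sources: did the host with the suspect login open a
    connection to a non-internal address shortly afterwards?"""
    alerts = []
    for h in hits:
        host_ip = HOST_IP.get(h["host"])
        for c in conns:
            external = not any(ip_address(c.dst) in net for net in INTERNAL)
            if c.src == host_ip and external and h["at"] <= c.ts <= h["at"] + window:
                alerts.append({**h, "outbound": f"{c.dst}:{c.dport}"})
    return alerts


if __name__ == "__main__":
    auth = parse_auth(AUTH_LOG)
    print(auth_summary(auth))
    print(correlate_outbound(irregular_logins(auth), parse_fw(FW_LOG)))
```

Alice's single failure followed by a key-based login is not reported, while the root login after five failures is, and the correlation raises its priority because the same host then opens an outbound connection to an external address on port 4444 within ten minutes. That join across sources, keyed on an asset inventory, is the part a SIEM does that grepping one log cannot.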

    Data Loss Prevention (DLP)

    • DLP software/hardware is designed to prevent sensitive data theft/loss from a network.
    • DLP systems focus on three data states:
      • Data in-use (client-focused)
      • Data in-motion (data traveling through the network)
      • Data at-rest (data storage)

    Cisco ISE and TrustSec

    • Cisco Identity Services Engine (ISE) enforces access to network resources through role-based access control policies.
    • Cisco TrustSec segments access to the network (guests, mobile users, employees) without added complexity.
    • Traffic classification is based on user or device identity.

    Data Loss Prevention (DLP) Software

    • Designed to prevent sensitive data from being stolen or escaping a network
    • Monitors and controls various data-related activities, including:
      • File access authorization
      • Data exchange
      • Data copying
      • User activity monitoring

    Data Protection States

    • Data in-use: focuses on the client side, where data is being actively used or processed
    • Data in-motion: refers to data as it travels through the network, during transmission
    • Data at-rest: refers to data storage, where data is stored in a static state
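Of the three states, data in motion is the one a DLP system most often has to decide about in real time, so here is an added example for these notes (not course material or any product's logic) of that decision for one kind of sensitive data: an outbound message is scanned for payment card numbers. The check is what separates a working DLP rule from a noisy one: a 16-digit order number must not block a message, so every candidate has to pass the Luhn checksum that real card numbers satisfy. The message text, the block/allow policy and the masking format are constructed for the example.

```python
# Added example, not from the course: a data-in-motion DLP check that scans an
# outbound message for payment card numbers. A Luhn check separates real card
# numbers from other 13-19 digit strings such as order or invoice numbers.
import re
from typing import Dict, List

# Candidate: 13-19 digits, optionally separated by spaces or dashes,
# not glued to other word characters on either side.
CANDIDATE = re.compile(r"(?<!\w)(?:\d[ -]?){12,18}\d(?!\w)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit (subtracting 9
    when the result exceeds 9) and require the total to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> List[str]:
    """All digit runs that look like card numbers and pass the checksum."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(digits: str) -> str:
    """Never copy the full number into an alert; keep the last four for triage."""
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect_outbound(message: str) -> Dict[str, object]:
    """Policy decision for one outbound message (email body, HTTP POST, ...)."""
    cards = find_cards(message)
    return {"action": "block" if cards else "allow", "matches": [mask(c) for c in cards]}


if __name__ == "__main__":
    print(inspect_outbound("Order 1234567890123456 confirmed; card 4111-1111-1111-1111 on file"))
```

The same pattern (a loose regex to find candidates, then a validator to cut false positives) applies to other identifiers a DLP policy covers, such as national ID numbers or IBANs, each with its own check digit scheme.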

    Intrusion Detection System (IDS)

    • An IDS is a device or tool that scans data against a database of rules or attack signatures to detect malicious traffic
    • If a match is detected, the IDS logs the detection and creates an alert for a network administrator
    • IDS does not take action when a match is detected, its job is to detect, log, and report
    • Inspecting every packet in the forwarding path adds latency
    • To avoid that delay, an IDS is usually deployed out of band (passively), off the path the regular traffic takes
    • A switch copies or mirrors the traffic (for example via a SPAN port or a network tap) to the IDS, which inspects the copy while the original continues unaffected; the trade-off is that by the time the IDS alerts, the packet has already been delivered
    • IDS tools can also be installed on top of a host computer operating system, such as Linux or Windows

    Intrusion Prevention System (IPS)

    • An IPS sits inline in the traffic path, so in addition to detecting and logging it can block or deny traffic on a positive rule or signature match; the price is that a false positive now drops legitimate traffic, so IPS rule sets need more tuning than IDS rule sets
    • Well-known IDS/IPS systems include Snort (open source, created at Sourcefire, which Cisco acquired) and Cisco's Sourcefire product line (now Cisco Firepower)
    • These systems perform real-time traffic and port analysis, logging, and content searching and matching
    • They detect probes, attacks, and port scans
    • They integrate with third-party tools for reporting, performance, and log analysis
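The IDS/IPS distinction above comes down to one branch in the code path after a signature matches. The block below is an added example written for these notes; it is not Snort, Sourcefire or course code, and its signatures and packets are constructed (the `sid` numbers and `content` patterns are invented in the style of Snort rules). The same engine is run in both modes so the difference is visible: both log the match, only the inline sensor returns a drop verdict.

```python
# Added example, not from the course: a minimal signature engine that can run as
# an IDS (alert only, traffic passes) or an IPS (alert and drop). The signatures
# and packets are constructed for the example and are not real Snort rules.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Signature:
    sid: int          # rule id, in the spirit of Snort's sid
    msg: str
    dport: int        # only inspect traffic to this port
    content: bytes    # byte pattern that must appear in the payload


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


SIGNATURES = [
    Signature(1000001, "WEB directory traversal attempt", 80, b"../../"),
    Signature(1000002, "WEB SQL injection attempt", 80, b"' OR 1=1"),
]


class Sensor:
    """mode='ids': out of band, sees a copy of the traffic, can only log and alert.
    mode='ips': inline, so a positive match can also drop the packet."""

    def __init__(self, signatures: List[Signature], mode: str = "ids") -> None:
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.signatures = signatures
        self.mode = mode
        self.alerts: List[Dict[str, object]] = []

    def matches(self, pkt: Packet) -> List[Signature]:
        # Port scoping keeps a web signature from firing on, say, mail traffic.
        return [s for s in self.signatures if s.dport == pkt.dport and s.content in pkt.payload]

    def inspect(self, pkt: Packet) -> str:
        """Return 'pass' or 'drop'. Both modes log every match; only the IPS acts on it."""
        hits = self.matches(pkt)
        for s in hits:
            self.alerts.append({"sid": s.sid, "msg": s.msg, "src": pkt.src, "dst": pkt.dst})
        if hits and self.mode == "ips":
            return "drop"
        return "pass"


def demo() -> Dict[str, object]:
    traversal = Packet("198.51.100.4", "10.0.0.7", 80, b"GET /../../etc/passwd HTTP/1.1")
    benign = Packet("10.0.0.15", "10.0.0.7", 80, b"GET /index.html HTTP/1.1")
    ids, ips = Sensor(SIGNATURES, "ids"), Sensor(SIGNATURES, "ips")
    return {
        "ids_traversal": ids.inspect(traversal),   # "pass": detected and logged, not stopped
        "ips_traversal": ips.inspect(traversal),   # "drop": same signature, blocked inline
        "ips_benign": ips.inspect(benign),
        "ids_alerts": len(ids.alerts),
        "ips_alerts": len(ips.alerts),
    }


if __name__ == "__main__":
    print(demo())
```

Real rule languages add much more (case-insensitive matching, offsets, flow state, protocol decoding), but the alert-versus-drop decision is exactly this one conditional, and it is why the IPS, unlike the IDS, has to live inline where a false positive costs availability.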
