IP Protocol and Vulnerabilities


Questions and Answers

At which layer does the IP protocol primarily operate, and what type of protocol is it?

  • Layer 4; connectionless
  • Layer 2; connectionless
  • Layer 4; connection-oriented
  • Layer 3; connectionless (correct)

Which of the following is a key characteristic of IP address spoofing?

  • Validating the source IP address to ensure authenticity
  • Preventing threat actors from manipulating IP header fields
  • Encrypting IP header fields to prevent tampering
  • Lacking validation of the source IP address, allowing manipulation of IP headers (correct)

What is the primary purpose of using Wireshark in the context of IPv4 headers?

  • To examine IPv4 headers and identify fields such as source IP address and TTL (correct)
  • To modify IPv4 header fields for network optimization
  • To encrypt IPv4 headers for secure transmission
  • To validate the authenticity of the source IP address

What value is the 4-bit version field set to in the IPv6 header?

  • 0110 (correct)

Which of the following attacks is least likely to target IP vulnerabilities directly?

  • SQL Injection (correct)

What is the primary use of ICMP attacks by threat actors?

  • To conduct reconnaissance, scanning, DoS, and DDoS attacks (correct)

What is the main goal of amplification and reflection attacks?

  • To create and intensify DoS attacks (correct)

What is the primary purpose of creating packets with false source IP addresses in address spoofing attacks?

  • To hide the sender's identity or pose as a legitimate user (correct)

Which of the following is MOST likely a consequence of UDP flood attacks?

  • Network resource consumption (correct)

What is the purpose of an unsolicited ARP Reply, also known as a 'gratuitous ARP'?

  • To announce or update a host's MAC address to the network (correct)

In the context of ARP poisoning, what is the main difference between active and passive ARP poisoning?

  • Active ARP poisoning modifies or injects malicious data, while passive ARP poisoning only steals confidential information (correct)

Why are DNS open resolvers vulnerable to malicious activities?

  • They answer queries from clients outside their administrative domain, making them usable in DNS amplification attacks (correct)

What is the primary goal of DNS resource utilization attacks (DoS)?

  • To consume all available resources on the DNS server so it can no longer answer legitimate queries (correct)

How do threat actors typically use domain generation algorithms (DGAs) in malware?

  • To randomly generate domain names as rendezvous points for command and control servers (correct)

Which method is most effective in stopping DNS tunneling?

  • Using a filter that inspects DNS traffic for longer-than-average queries or suspicious domain names (correct)

What is a typical characteristic of a web attack?

  • A victim visiting a compromised web page and being redirected to a site with malicious code (correct)

Why are HTML emails considered a threat?

  • They bypass security layers and enable attacks such as phishing and malware delivery (correct)

What is the primary role of a security appliance specific to email, such as the Cisco Email Security Appliance?

  • To detect and block known threats in email traffic (correct)

What is the main security concern with web-exposed databases?

  • Web applications connect to relational databases holding sensitive data, so a flaw in the application exposes the database to attack (correct)

What is cross-site scripting (XSS)?

  • An attack in which malicious scripts are injected into web pages and executed in the victim's browser (correct)

What is the key difference between stored (persistent) XSS and reflected (non-persistent) XSS?

  • Stored XSS is permanently stored on the compromised server, while reflected XSS requires the victim to follow a link that carries the malicious script (correct)

What is a critical step in network attack mitigation?

  • Constant vigilance, ongoing education, and a written security policy (correct)

Which of the following strategies is MOST effective for mitigating malware?

  • Using antivirus software and security devices at the network perimeter (correct)

What is a recommended approach for mitigating reconnaissance attacks?

  • Implementing authentication, encryption, anti-sniffer tools, and a firewall (correct)

What is a key strategy for mitigating access attacks?

  • Employing strong password security, the principle of minimum trust (least privilege), and cryptography (correct)

Which of the following is typically used to mitigate DoS attacks?

  • Using network utilization software and anti-spoofing technologies (correct)

What is the purpose of fencing and physical barriers in system and network defense?

  • To prevent unauthorized physical access (correct)

When selecting biometric systems for authentication, what is an important factor to consider?

  • Accuracy, speed, acceptability to users, and resistance to counterfeiting (correct)

What is the role of RFID asset tags in physical security?

  • To manage and locate important information system assets (correct)

What is a key aspect of application security?

  • Following a robust process that includes development and testing, staging, and production (correct)

What is the purpose of input validation in application security?

  • To control the data input process in order to maintain database integrity (correct)

What do validation rules check in the context of application security?

  • That data falls within defined parameters, including size, format, and consistency (correct)

What is the purpose of integrity checks in application security?

  • To use hash functions and checksums to detect whether data has been altered (correct)

What is a best practice for network hardening regarding services and protocols?

  • Using a port scanner to detect open ports and removing insecure network services (correct)

How can you enhance DHCP security on a network?

  • By physically securing the DHCP server, applying software patches, and locating it behind a firewall (correct)

What action should be taken regarding zone transfers and dynamic updates to protect DNS?

  • Disable or restrict zone transfers and dynamic updates as much as possible (correct)

Which protocol should be used instead of Telnet because it encrypts management connections?

  • SSH (correct)

Which SNMP version should be used instead of SNMPv1 and SNMPv2c, because it uses cryptography to prevent eavesdropping and data tampering?

  • SNMPv3 (correct)

Which security model should be implemented to protect a network?

  • Zero Trust (correct)

Flashcards

IP Protocol

Layer 3 connectionless protocol that delivers packets from source to destination; it does not track the packet flow, which TCP handles at Layer 4.

IP Address Spoofing

Sending packets with a forged source IP address to disguise the sender; IP never validates the source address.

IP Vulnerabilities

Attacks that target IP directly include ICMP attacks, DoS and DDoS, address spoofing, MiTM, and session hijacking.

ICMP Attacks

Using ICMP for reconnaissance, scanning, DoS, and DDoS; ICMP router discovery messages can be abused to inject bogus route entries.

Address Spoofing Attacks

Creating packets with false source IP addresses to hide the sender's identity or pose as a legitimate user.

UDP Flood Attacks

Flooding a target with UDP packets, often from a spoofed source; the flood and the resulting ICMP Port Unreachable replies consume network resources.

ARP Vulnerabilities

ARP Requests are broadcast and any host may answer, including with an unsolicited ARP Reply (gratuitous ARP); receivers update their ARP cache without verifying the reply.

ARP Poisoning

Corrupting the ARP cache of hosts on a LAN, typically mapping the default gateway's IP address to the attacker's MAC address, to redirect traffic for a MiTM attack.

DNS Attacks

Open resolvers answer queries from clients outside their administrative domain, which exposes them to amplification and resource-utilization attacks.

Domain Generation Algorithms

Malware code that generates large numbers of pseudo-random domain names as rendezvous points for C&C servers, so that blocking any single domain is ineffective.

DNS Tunneling

Encoding data or C&C traffic inside DNS queries and responses; detected by inspecting DNS traffic for longer-than-average queries and suspicious domain names.

Web Attacks

A victim visits a compromised web page, is redirected to a malicious site, and an exploit kit scans the victim's computer for vulnerabilities to deliver a payload.

Email Threats Mitigation

Using an email security appliance to detect and block known email threats such as phishing, spam, and malware.

Cross-Site Scripting (XSS)

Occurs when malicious scripts are injected into web pages and executed in the victim's browser.

Network Attack Mitigation

Constant vigilance, employee education, and a written security policy.

Mitigating Malware

Using antivirus software and security devices at the network perimeter to identify and remove malware.

Mitigating Reconnaissance Attacks

Authentication, encryption, anti-sniffer tools, a switched infrastructure, firewalls, and IPS.

Mitigating Access Attacks

Strong passwords, the principle of least privilege (minimum trust), cryptography, and patching.

Mitigating DoS Attacks

Network utilization monitoring software and anti-spoofing technologies.

Fencing and Physical Barriers

Fences, security gates, bollards, vehicle entry barriers, and guard shelters to prevent unauthorized physical access.

Biometrics

Authentication based on physiological or behavioral characteristics.

Security Coding Techniques

Normalization, stored procedures, obfuscation, camouflage, and code reuse.

Validation Rules

Checking that input data falls within defined parameters (size, format, range, consistency, check digit) to protect integrity.

Integrity Checks

Using hash functions and checksums to detect whether data has changed.

Network Hardening: Port Scanning

Using a port scanner to find open ports and the insecure network services behind them so they can be removed.

DNS Security

Disable or restrict zone transfers and dynamic updates; enable logging, DNSSEC, and signed zones.

Hardening Wireless and Mobile Devices

Use wireless device authentication and mutual authentication to prevent unauthorized access.

High Availability

Designing systems to avoid downtime by eliminating single points of failure, providing for crossover, and detecting failures.

Embedded and Specialized Systems Security

Security measures such as firewalls, secure software design practices, and basic encryption of controller communication.

Symmetric Encryption

The same pre-shared key encrypts and decrypts the data.

Asymmetric Encryption

Two keys, a public key and a private key; what one key encrypts only the other can decrypt.

Data Masking Techniques

Replacing sensitive information with non-sensitive substitutes.

Steganography

Hiding information in plain sight, inside another file or message.

Elements of Secure Communications

Data integrity, origin authentication, data confidentiality, and non-repudiation.

Hashing

One-way functions used to verify data integrity.

Digital Signatures

A mathematical technique that provides authenticity, integrity, and non-repudiation.

Alert Data

Messages from an IPS or IDS generated when traffic matches a rule or the signature of a known exploit.

Session Data

A record of a conversation between two network endpoints.

Full Packet Captures

The most detailed network data; requires the most storage.

Host Logs

Logs created and stored by a HIDS when it detects intrusion activity on an end device.

Study Notes

Module 3: Attacking the Foundation

  • IP (Internet Protocol) operates at Layer 3 as a connectionless protocol, responsible for delivering packets from source to destination.
  • IP does not handle packet flow management; TCP at Layer 4 primarily manages this.
  • IP Address Spoofing involves threat actors sending packets with modified (spoofed) IP addresses because IP does not validate the source IP address.
  • IPv4 headers include a 4-bit version field (set to 0100) and a minimum length of 20 bytes.
  • Wireshark is a tool used to analyze IPv4 headers, identifying fields like source IP address, version, header length, DS field, flags, and TTL.
  • IPv6 headers also include a 4-bit version field, set to 0110.
  • IP vulnerabilities are targeted by various attacks like ICMP, DoS, DDoS, address spoofing, Man-in-the-Middle (MiTM), and session hijacking.
  • ICMP (Internet Control Message Protocol) attacks are used for reconnaissance, scanning, DoS, and DDoS; threat actors can inject rogue route entries into routing tables using ICMP router discovery.
  • Amplification, reflection, and spoofing techniques are used by threat actors to create DoS attacks.
  • Address Spoofing Attacks create packets with false source IP addresses to hide the sender's identity.
  • Spoofing is non-blind when the attacker can see the traffic between victim and target (used for session hijacking) and blind when the attacker cannot see the replies (typically used for DoS).
  • MAC (Media Access Control) address spoofing requires access to the internal network.
  • UDP (User Datagram Protocol) flood attacks exhaust network resources.
  • Attackers use tools like UDP Unicorn to flood a server with UDP packets, often from a spoofed host.
  • For each UDP packet sent to a closed port, the server answers with an ICMP Port Unreachable message; the flood and the replies together consume bandwidth and processing resources.
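
The header fields listed above, and why address spoofing works, are easier to see in code than in prose. The following is an added example, not code from the original lesson: it parses IPv4 and IPv6 headers from raw bytes (reporting the same fields a Wireshark header pane shows), builds a minimal IPv4 header, and then rewrites its source address. The sample packets are constructed here, and the only thing a spoofing tool must get right is the header checksum, because nothing in the IP header authenticates the source field.

```python
"""Parse IPv4 and IPv6 headers from raw bytes and show that the source address
is not authenticated: a rewritten source with a recomputed checksum still
parses as a valid packet.  Sample packets below are constructed, not captured."""
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words; call with the checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ip_header(packet: bytes) -> dict:
    """Return the fields a Wireshark header pane shows: version, lengths, DS field, flags, TTL, addresses."""
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4
        if ihl < 20 or len(packet) < ihl:
            raise ValueError("truncated IPv4 header")
        (_, dscp_ecn, total_len, ident, flags_frag, ttl, proto, csum,
         src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
        zeroed = packet[:10] + b"\x00\x00" + packet[12:ihl]   # checksum field zeroed for verification
        return {
            "version": version, "version_bits": format(version, "04b"),
            "header_len": ihl, "total_len": total_len, "id": ident,
            "ds_field": dscp_ecn >> 2, "flags": flags_frag >> 13,
            "ttl": ttl, "protocol": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "checksum_ok": ipv4_checksum(zeroed) == csum,
        }
    if version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        vtf, payload_len, next_hdr, hop_limit, src, dst = struct.unpack("!IHBB16s16s", packet[:40])
        return {
            "version": version, "version_bits": format(version, "04b"),
            "header_len": 40, "payload_len": payload_len,
            "traffic_class": (vtf >> 20) & 0xFF, "flow_label": vtf & 0xFFFFF,
            "next_header": next_hdr, "hop_limit": hop_limit,
            "src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)),
        }
    raise ValueError(f"unsupported IP version {version}")


def build_ipv4(src: str, dst: str, ttl: int = 64, proto: int = 17, payload_len: int = 0) -> bytes:
    """Build a minimal 20-byte IPv4 header (version 0100, IHL 5, DF set) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def spoof_source(packet: bytes, fake_src: str) -> bytes:
    """Rewrite the source address and fix the checksum.  This is all a spoofing tool has to do;
    nothing in the IP header ties the source field to the host that actually sent the packet."""
    hdr = packet[:20]
    new = hdr[:12] + ipaddress.IPv4Address(fake_src).packed + hdr[16:]
    zeroed = new[:10] + b"\x00\x00" + new[12:]
    return new[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + new[12:] + packet[20:]


# Constructed IPv6 header: version 6, next header 58 (ICMPv6), hop limit 64.
IPV6_SAMPLE = (bytes([0x60, 0, 0, 0, 0, 0, 58, 64])
               + ipaddress.IPv6Address("2001:db8::1").packed
               + ipaddress.IPv6Address("2001:db8::2").packed)


if __name__ == "__main__":
    real = build_ipv4("192.0.2.10", "198.51.100.5")
    print(parse_ip_header(real))
    print(parse_ip_header(spoof_source(real, "203.0.113.7")))  # checksum_ok is still True
    print(parse_ip_header(IPV6_SAMPLE))
```

The checksum only protects against accidental corruption (corrupt a byte without recomputing it and `checksum_ok` turns false); it gives no assurance about who sent the packet, which is why anti-spoofing has to be enforced at the network edge (ingress filtering, IP Source Guard, ACLs) rather than inside the protocol.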

Module 4: IP Services

  • ARP (Address Resolution Protocol) vulnerabilities involve hosts broadcasting ARP Requests to determine the MAC address of a host with a specific IP address.
  • Any host can send an unsolicited ARP Reply, known as a "gratuitous ARP", and other hosts on the subnet store its IP-to-MAC mapping without verifying it.
  • ARP poisoning involves threat actors compromising the ARP cache of devices on a local network to conduct MiTM attacks by associating the threat actor's MAC address with the IP address of the default gateway.
  • Passive ARP poisoning steals confidential information, while active ARP poisoning modifies data or injects malicious data.
  • DNS (Domain Name System) attacks exploit open resolvers that answer queries from clients outside their administrative domain.
  • DNS resolver vulnerabilities include amplification and resource utilization attacks.
  • DNS amplification attacks send queries with the target's spoofed source IP address to open resolvers, which direct their much larger responses at the target; DNS resource utilization attacks (DoS) consume all available resources on the DNS server.
  • Domain Generation Algorithms are used in malware to randomly generate domain names as rendezvous points for command and control (C&C) servers.
  • DNS tunneling is detected and stopped by filtering DNS traffic through an inspection that flags longer-than-average queries and suspicious domain names.
  • Web attacks redirect victims visiting a compromised web page to a site with malicious code; an exploit kit scans the victim's computer for software vulnerabilities, injects code, and connects to a malware server to download a payload.
  • Email threats involve HTML emails bypassing security layers, facilitating attacks like phishing, spam, and malware.
  • Security appliances like Cisco Email Security Appliance help detect and block known email threats.
  • Web-exposed databases connect web applications to relational databases to access sensitive data.
  • Cross-Site Scripting (XSS) occurs when malicious scripts are injected into web pages executed client-side.
  • Stored (persistent) XSS is permanently stored on the infected server.
  • Reflected (non-persistent) XSS requires a malicious script in a link, and visitors must click the infected link.
  • Prevention of XSS attacks involves developers being aware of XSS vulnerabilities and using IPS implementations, web proxies, and services like Cisco Umbrella.
  • Network attack mitigation requires vigilance and education, including developing a written security policy, educating employees, controlling physical access, using strong passwords, encrypting data, implementing security hardware and software, performing backups, and keeping software updated.
  • Mitigating malware involves using antivirus software and security devices at the network perimeter.
  • Mitigating reconnaissance attacks includes implementing authentication, encryption, anti-sniffer tools, a switched infrastructure, and firewalls.
  • Mitigating access attacks involves strong password security, the principle of least privilege, cryptography, and applying operating system and application patches.
  • Mitigating DoS attacks involves using network utilization monitoring software and anti-spoofing technologies such as port security, DHCP snooping, IP Source Guard, DAI, and ACLs.
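
The DGA and DNS tunneling points above both come down to the same detection problem: spotting query names that no human typed. The code below is an added example, not part of the lesson, and runs the inspection rule the text describes over a constructed DNS proxy log (the `client=`/`qname=`/`qtype=`/`rcode=` line layout is an assumed format). It flags long labels and high-entropy labels mixing digits and letters (tunneling carries its payload in the leftmost label, often in TXT or NULL records), and separately flags clients that produce a burst of NXDOMAIN answers, which is what a DGA looks like before the malware finds a registered rendezvous domain.

```python
"""Heuristic DNS log inspection for tunneling and DGA activity.
The log lines are constructed for this example; the field layout
(client=, qname=, qtype=, rcode=) is an assumed proxy log format."""
import math
import re
from collections import Counter

SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 qname=www.example.com qtype=A rcode=NOERROR
2024-05-01T10:00:02Z client=10.0.0.5 qname=mail.example.com qtype=MX rcode=NOERROR
2024-05-01T10:00:03Z client=10.0.0.9 qname=3d9f1a7c2b8e4f6a9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f.tun.badexample.net qtype=TXT rcode=NOERROR
2024-05-01T10:00:04Z client=10.0.0.9 qname=aa3f0e9c7d2b1f4e8a6c5d0b9e3f2a1c4d7b6e5f.tun.badexample.net qtype=TXT rcode=NOERROR
2024-05-01T10:00:05Z client=10.0.0.7 qname=xkq3vd9p2zr.com qtype=A rcode=NXDOMAIN
2024-05-01T10:00:06Z client=10.0.0.7 qname=q8wz1lmv4ttyp.net qtype=A rcode=NXDOMAIN
2024-05-01T10:00:07Z client=10.0.0.7 qname=pz7ryx0kc2m.org qtype=A rcode=NXDOMAIN
2024-05-01T10:00:08Z client=10.0.0.7 qname=d1wuv6hrbj3e.info qtype=A rcode=NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) client=(\S+) qname=(\S+) qtype=(\S+) rcode=(\S+)$")
LONG_LABEL = 30        # a single DNS label longer than this is rare in legitimate names
HIGH_ENTROPY = 3.3     # bits per character; dictionary-based names sit well below this
NXDOMAIN_BURST = 3     # NXDOMAIN answers per client before we call it DGA-like


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0 for 'www', about 3.5 for a random 11-char label)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, qname, qtype, rcode = m.groups()
            records.append({"ts": ts, "client": client, "qname": qname.rstrip(".").lower(),
                            "qtype": qtype, "rcode": rcode})
    return records


def query_reasons(rec: dict) -> list:
    """Per-query tunneling indicators; an empty list means nothing suspicious."""
    reasons = []
    labels = rec["qname"].split(".")
    if any(len(label) > LONG_LABEL for label in labels):
        reasons.append("long_label")
    if any(len(label) >= 10 and shannon_entropy(label) >= HIGH_ENTROPY
           and any(c.isdigit() for c in label) and any(c.isalpha() for c in label)
           for label in labels):
        reasons.append("high_entropy_label")
    if reasons and rec["qtype"] in {"TXT", "NULL"}:
        reasons.append("bulk_record_type")   # record types that carry large payloads
    return reasons


def flag_queries(records: list) -> list:
    flagged = []
    for rec in records:
        reasons = query_reasons(rec)
        if reasons:
            flagged.append(dict(rec, reasons=reasons))
    return flagged


def nxdomain_burst_clients(records: list, threshold: int = NXDOMAIN_BURST) -> set:
    """Clients whose lookups keep failing: the signature of a DGA cycling through unregistered names."""
    counts = Counter(r["client"] for r in records if r["rcode"] == "NXDOMAIN")
    return {client for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in flag_queries(recs):
        print(f["client"], f["qname"], f["reasons"])
    print("DGA-like clients:", nxdomain_burst_clients(recs))
```

Thresholds like these are starting points, not rules: tune them against your own resolver's baseline, and treat a hit as a reason to look at the client (process, volume over time, destination domain age), not as proof by itself.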

Module 12: System and Network Defense

  • Physical security involves using fences and physical barriers, security gates, bollards, vehicle entry barriers, and guard shelters.
  • Biometrics uses physiological or behavioral characteristics for authentication, considering factors like accuracy, speed, acceptability, uniqueness, resistance to counterfeiting, reliability, and data storage.
  • Asset surveillance uses RFID asset tags to manage and locate information system assets.
  • Application security requires a robust process covering development, testing, staging, production, provisioning, and deprovisioning.
  • Security coding techniques include normalization, stored procedures, obfuscation, camouflage, and code reuse.
  • Input validation controls data input to maintain database integrity.
  • Validation rules check that data falls within defined parameters like size, format, consistency, range, and check digit.
  • Integrity checks use hash functions and checksums to measure data consistency.
  • Other application security practices include code signing, business continuity planning, and disaster recovery plans, as well as data classification standards and backup procedures for data loss.
  • Network hardening involves using a port scanner to detect open ports for insecure network services.
  • Secure DHCP by physically securing the DHCP server, patching software, locating the DHCP server behind a firewall, monitoring DHCP activity, and uninstalling unused services and applications.
  • Zone transfers and dynamic updates should be disabled or restricted, with enabled logging, DNSSEC, and signed zones.
  • Use secure services with authentication, along with system patching and updates to protect routing services.
  • Use SSH rather than Telnet for management connections: SSH encrypts the session, while Telnet sends credentials and commands in cleartext.
  • Use SNMPv3 rather than SNMPv1/v2c, because SNMPv3 uses cryptography for authentication and encryption and so prevents eavesdropping and data tampering.
  • Implement a Zero Trust model to protect the network's security.
  • Wireless and mobile devices require wireless device authentication.
  • Mutual authentication prevents unauthorized access.
  • Mobile device management secures mobile devices.
  • Content and application management should be implemented.
  • Implement context-aware authentication and remote wiping.
  • High availability design aims to eliminate downtime as much as possible.
  • Design principles involve eliminating single points of failure, providing for crossover, and detecting failures.
  • N+1 redundancy ensures system availability.
  • RAID (Redundant Array of Independent Disks) is used to take data normally stored on a single disk and spreads it out among multiple disks.
  • Location redundancy should be used.
  • Create resilient designs using methods and configurations that tolerate system or network failures.
  • Perform regular data backups and store backups off-site.
  • Embedded and specialized systems require security measures.
  • Implement firewalls that recognize VoIP to monitor streams and filter abnormal signals.
  • Implement secure system software design practices, basic encryption for all controller communication, and firewall implementation in vehicle systems.
  • Use honeypots, honeynets, and DNS sinkholes.
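
The input validation points above (validation rules for size, format, range, consistency and check digit, and hash-based integrity checks) are shown together in the following added example. It is not code from the lesson; the record, the rule set, and the account-number format are constructed for illustration. Field rules run in order and stop at the first failure, so a range check never has to cope with a value that already failed its format check, and the cross-field consistency rule only runs once every field is individually valid.

```python
"""Input validation rules (size, format, range, consistency, check digit) and
a hash-based integrity check over a record.  The record and rule set are
constructed for this example and are not part of the original page."""
import hashlib
import json
import re
from datetime import date
from decimal import Decimal, InvalidOperation


def luhn_valid(digits: str) -> bool:
    """Check-digit rule: Luhn mod-10 algorithm, used for card and account numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_decimal(v: str) -> bool:
    try:
        Decimal(v)
        return True
    except InvalidOperation:
        return False


def is_iso_date(v: str) -> bool:
    try:
        date.fromisoformat(v)
        return True
    except ValueError:
        return False


# Field rules as (rule name, predicate).  Rules run in order and stop at the first failure.
FIELD_RULES = {
    "account_id": [("size", lambda v: 8 <= len(v) <= 19),
                   ("format", lambda v: re.fullmatch(r"\d+", v) is not None),
                   ("check_digit", luhn_valid)],
    "amount": [("format", is_decimal),
               ("range", lambda v: Decimal("0") < Decimal(v) <= Decimal("10000"))],
    "country": [("format", lambda v: re.fullmatch(r"[A-Z]{2}", v) is not None)],
    "start": [("format", is_iso_date)],
    "end": [("format", is_iso_date)],
}

# Consistency rules span fields and run only when every field passed its own rules.
CONSISTENCY_RULES = [
    ("start_before_end",
     lambda r: date.fromisoformat(r["start"]) <= date.fromisoformat(r["end"])),
]


def validate(record: dict) -> list:
    """Return a list of 'field: rule' failures; an empty list means the record is acceptable."""
    errors = []
    for field, rules in FIELD_RULES.items():
        value = record.get(field)
        if not isinstance(value, str):
            errors.append(f"{field}: missing")
            continue
        for name, check in rules:
            if not check(value):
                errors.append(f"{field}: {name}")
                break
    if not errors:
        for name, check in CONSISTENCY_RULES:
            if not check(record):
                errors.append(f"consistency: {name}")
    return errors


def integrity_digest(record: dict) -> str:
    """SHA-256 over a canonical serialization, so key order cannot change the digest."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def integrity_ok(record: dict, expected: str) -> bool:
    return integrity_digest(record) == expected


# Constructed sample; 79927398713 is the classic Luhn-valid test number.
SAMPLE = {"account_id": "79927398713", "amount": "120.50", "country": "US",
          "start": "2024-05-01", "end": "2024-05-31"}

if __name__ == "__main__":
    print(validate(SAMPLE))                                   # []
    print(validate(dict(SAMPLE, account_id="79927398710")))   # ['account_id: check_digit']
    d = integrity_digest(SAMPLE)
    print(integrity_ok(dict(SAMPLE, amount="9120.50"), d))    # False
```

A plain hash such as this detects accidental or unauthorized changes only as long as the stored digest itself is protected; if an attacker can rewrite both the record and its digest, a keyed construction (HMAC, covered under cryptography below) or a signature is needed.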

Module 18: Cryptography

  • Confidentiality is achieved through asymmetric and symmetric encryption.
  • Symmetric encryption uses the same pre-shared key to encrypt and decrypt data.
  • Asymmetric encryption uses a public key and a private key.
  • Data masking replaces sensitive information with non-sensitive versions.
  • Steganography hides information in plain sight.
  • Elements of secure communications are data integrity, origin authentication, data confidentiality, and non-repudiation.
  • Hashing verifies data integrity using one-way functions; MD5 is insecure and should be avoided.
  • MD5 produces a 128-bit hashed message.
  • SHA-1 creates a 160-bit hashed message and is slightly slower than MD5; it is a legacy algorithm.
  • SHA-2 includes SHA-224, SHA-256, SHA-384, and SHA-512.
  • SHA-3 is the newest NIST hashing standard; it uses a different internal construction from SHA-2 and is offered as an alternative to it, not because SHA-2 is broken.
  • Origin Authentication uses a keyed-hash message authentication code (HMAC) to add integrity assurance.
  • Digital forensics uses hashing to verify all digital media that have files.
  • Hashing passwords turns any amount of data into a fixed-length digital hash.
  • Cracking Hashes involves dictionary and brute-force attacks.
  • Salting adds a unique random value to each password before hashing, so identical passwords produce different hashes; precomputed lookup (rainbow) tables become useless, and a dictionary attack has to be run separately against every hash.
  • Public key cryptography uses digital signatures to provide authenticity, integrity, and non-repudiation.
  • A digital certificate, signed by a certificate authority, is the equivalent of an electronic passport.
  • Certificate authorities and the PKI trust system use TLS (SSL) certificates to confirm a website's domain identity.
  • PKI safeguards digital identities and provides a scalable trust relationship between parties that have never met.
  • Applications and impacts of cryptography require understanding of cryptographic algorithms for investigating related security incidents.
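
The hashing, HMAC and salting points above can be checked directly with the Python standard library. The block below is an added example, not part of the lesson: it reports the digest sizes the notes quote (MD5 128 bits, SHA-1 160, SHA-2 and SHA-3 variants), uses an HMAC for origin authentication with a constant-time comparison, and contrasts an unsalted hash that falls to a precomputed lookup table with a salted, iterated PBKDF2 hash that does not. The wordlist and passwords are constructed for the example.

```python
"""Hash digest sizes, HMAC for origin authentication, and salted password
hashing with PBKDF2.  The wordlist and passwords are constructed for this example."""
import hashlib
import hmac
import secrets

ITERATIONS = 200_000   # work factor; raise it as hardware gets faster


def digest_bits(algorithm: str) -> int:
    """Output size in bits of a hashlib algorithm, e.g. md5 -> 128, sha1 -> 160."""
    return hashlib.new(algorithm).digest_size * 8


def hmac_tag(key: bytes, message: bytes) -> str:
    """Keyed hash: only a holder of the key can produce a valid tag, which is what gives origin authentication."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def hmac_verify(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison so timing does not leak how many tag bytes matched."""
    return hmac.compare_digest(hmac_tag(key, message), tag)


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash.  A fresh random salt per user defeats precomputed lookup tables."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


WORDLIST = ["123456", "password", "letmein", "password123", "qwerty"]   # constructed


def build_lookup_table(words) -> dict:
    """What an attacker precomputes once, then reuses against every unsalted SHA-256 password hash."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def crack_unsalted(stored_hash: str, table: dict):
    """Lookup-table attack: O(1) per hash, and it never hits a salted hash."""
    return table.get(stored_hash)


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256", "sha384", "sha512", "sha3_256"):
        print(f"{algo:8s} {digest_bits(algo)} bits")
    table = build_lookup_table(WORDLIST)
    print("unsalted:", crack_unsalted(hashlib.sha256(b"password123").hexdigest(), table))
    salted = hash_password("password123")
    print("salted  :", crack_unsalted(salted.split("$")[-1], table))   # None
    print("verify  :", verify_password("password123", salted))
```

Note that `hash_password` never returns the same string twice for the same password, which is exactly the property that makes a shared lookup table worthless; the cost of salting is that each guess must be hashed per user, which is why the iteration count matters.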

Module 20: Network Security Data

  • Alert data consists of messages generated by an IPS or IDS when traffic matches a rule or the signature of a known exploit.
  • Session data is a record of a conversation between two network endpoints.
  • Full packet captures are the most detailed network data collected and require the greatest storage.
  • Statistical data is created through the analysis of various forms of network data.
  • End device logs include host logs from a HIDS, which detects (and, where configured, prevents) intrusions on the host and records them.
  • Syslog includes specifications for message formats, a client-server application structure, and network protocol.
  • Server logs provide data for network security monitoring.
  • DNS Proxy Server logs document all DNS queries and responses.
  • SIEM combines SEM and SIM tools for a comprehensive view using log collection, normalization, correlation, aggregation, reporting, and compliance.
  • Network logs include Tcpdump, a packet analyzer that displays packet captures.
  • NetFlow provides information about network users and applications, peak usage, and traffic routing.
  • Cisco Application Visibility and Control uses Cisco NBAR2 to classify applications.
  • Content filter logs record the URLs and categories that a content-filtering device allowed or blocked, and are another data source for security monitoring.
  • Proxy servers generate logs of requests and responses, which can be analyzed to determine which hosts' destinations are safe or potentially malicious, and insights into downloaded resources.
  • Next-generation firewalls extend network security beyond IP addresses.
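
The syslog and SIEM points above (message format, normalization, correlation) are shown in one added example that is not part of the lesson. It parses constructed RFC 3164-style syslog lines, splits the PRI value into facility and severity, normalizes the SSH authentication messages into event records, and then runs one correlation rule a SIEM would apply: several failed logins from one source followed by a success from that same source. The log lines and hostnames are constructed.

```python
"""Parse RFC 3164-style syslog lines into normalized events and correlate them
SIEM-style: repeated SSH failures from one source followed by a success.
All log lines are constructed for this example."""
import re
from collections import defaultdict

SAMPLE_SYSLOG = """\
<38>May  1 10:00:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
<38>May  1 10:00:03 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 51240 ssh2
<38>May  1 10:00:05 web01 sshd[2213]: Failed password for root from 203.0.113.9 port 51244 ssh2
<38>May  1 10:00:07 web01 sshd[2215]: Accepted password for root from 203.0.113.9 port 51250 ssh2
<86>May  1 10:01:00 db01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
<13>May  1 10:02:00 web02 sshd[900]: Failed password for bob from 198.51.100.4 port 4000 ssh2
"""

# <PRI>TIMESTAMP HOST APP[PID]: MESSAGE   (PRI = facility * 8 + severity)
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[(\d+)\])?: ?(.*)$")
AUTH_RE = re.compile(r"^(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port (\d+)")


def parse_syslog(text: str) -> list:
    """Normalize each line into a dict; SSH auth messages additionally get event/user/src_ip fields."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue                       # unparseable lines should be counted, not silently lost
        pri, ts, host, app, pid, msg = m.groups()
        pri = int(pri)
        ev = {"facility": pri // 8, "severity": pri % 8, "timestamp": ts,
              "host": host, "app": app, "pid": int(pid) if pid else None, "message": msg}
        a = AUTH_RE.match(msg)
        if a:
            ev.update(event="auth_success" if a.group(1) == "Accepted" else "auth_failure",
                      user=a.group(2), src_ip=a.group(3), src_port=int(a.group(4)))
        events.append(ev)
    return events


def correlate_bruteforce(events: list, threshold: int = 3) -> list:
    """Alert when a source reaches `threshold` failures and then logs in successfully."""
    failures = defaultdict(int)
    alerts = []
    for ev in events:
        kind = ev.get("event")
        if kind == "auth_failure":
            failures[ev["src_ip"]] += 1
        elif kind == "auth_success":
            if failures[ev["src_ip"]] >= threshold:
                alerts.append({"src_ip": ev["src_ip"], "user": ev["user"], "host": ev["host"],
                               "timestamp": ev["timestamp"],
                               "failures_before_success": failures[ev["src_ip"]]})
            failures[ev["src_ip"]] = 0     # a success resets the counter for that source
    return alerts


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_SYSLOG)
    for ev in evs:
        print(ev["facility"], ev["severity"], ev["host"], ev["app"], ev.get("event", "-"))
    print(correlate_bruteforce(evs))
```

In a real deployment the same rule would be bounded by a time window and keyed on (source, target host) rather than source alone; the example keeps the logic minimal so the normalization and correlation steps stay visible.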

Module 22: Governance and Compliance

  • IT Security Governance determines who is authorized to make decisions about cybersecurity risks within an organization.
  • A cybersecurity policy is a high-level document outlining an organization's vision for cybersecurity, including goals, needs, scope, and responsibilities.
  • Specific security policies include ID and authentication, password, acceptable use, network maintenance, incident handling, data, credential, and organizational policies.
  • Ethics in cybersecurity require understanding the law in order to make certain decisions.
  • The rights ethics approach is guided by the principle that an individual can make their own decisions.
  • There are three categories of cybercrime: computer-targeted, computer-assisted, and computer-incidental.
  • IT Security Management Framework follows ISO 27000, a universal framework applicable to every organization.
  • Organizations must identify which domains, control objectives, and controls apply to the environment.
  • ISO controls address security objectives for data at rest and in transit.
  • The CIS created critical security controls to improve the cyber defenses.
  • An attestation report (SSAE or SOC) confirms that controls are in place at a specific point in time.
