Malware Types and Characteristics
102 Questions

Created by
@GuiltlessAshcanSchool

Questions and Answers

    What type of malware attaches itself to a host application and must be executed by the user or system?

      • Worm
      • Armored virus
      • Rootkit
      • Trojan (correct)

    Pharming is a scamming practice where malicious code is installed on a server, redirecting users to fraudulent websites.

    True

    What type of malware encrypts valuable user files?

    Crypto-malware

    _______ is a string of code embedded into an application or script that executes in response to a specific event.

    Logic bomb

    Which protocol encrypts traffic in transit and can be used to encrypt other protocols such as FTP?

    SSH

    Match the wireless attacks with their descriptions:

      • Evil Twin = Rogue AP using the same SSID as a legit AP
      • WPS = Allows users to configure a wireless network by pressing buttons or entering a short PIN
      • Bluejacking = Sending unsolicited messages to a nearby Bluetooth device
      • RFID = Enables one-way wireless communication, typically for asset tracking

    S/MIME provides security.

    False

    What does LDAPS stand for and what is it used for?

    LDAP over Secure Socket Layer; used to securely communicate with directories such as AD DS

    AES is used to encrypt traffic over ___.

    SRTP

    Match the following email protocols with their respective ports:

      • POP3 = Port 995
      • IMAP4 = Port 993
      • SMTP = Port 25

    What attack occurs when the hashing algorithm creates the same hash from different passwords?

    Hash Collision

    What type of attack uses a dictionary of words, with variations, as passwords?

    Dictionary Attack

    _______ steals the hash and uses a list of passwords to produce that hash in order to identify the password.

    Birthday Attack

    Match the threat actor types with their descriptions:

      • Script Kiddies = Download and run scripts developed by others
      • Hacktivist = Conveys a social or political message through hacking
      • Organized Crime = Monetize hacking efforts
      • Nation States/APT = Elite hackers conducting information warfare
      • Insiders = Employees with access to organizational assets
      • Competitors = Seek to copy, steal, or disrupt information assets

    A brute force attack involves guessing all possible character combinations.

    True

    What is the purpose of a Secure Baseline?

    To monitor system compliance with security standards

    HVAC systems have a significant impact on the confidentiality of data centers.

    False

    Define SoC (System on a Chip).

    An integrated circuit that includes all the functionality of a computing system within the hardware.

    ________ is a process of allocating resources based on demand.

    Provisioning

    Match the following cloud deployment models with their descriptions:

      • SaaS = Highly scalable, on-demand applications
      • PaaS = Provides a fully managed platform for application development
      • IaaS = Provides access to hardware in a self-managed platform

    What is the main purpose of IKE Phase 1?

    Establish a secure authenticated communication channel.

    Aggressive mode in IKE Phase 1 is slower but more secure than Main mode.

    False

    What does ESP stand for in IPsec protocols?

    Encapsulating Security Payload

    In IPsec, _____ provides authentication for the data and the IP header of a packet using a one-way hash.

    AH

    Match the IPsec protocol with its description:

      • AH = Provides authentication for data and IP header
      • ESP = Provides confidentiality and authentication for data

    What does NAC stand for?

    Network Access Control

    What tool is used to capture, display, and analyze packets sent over a network?

    Protocol Analyzer

    SSL decryptors use a man-in-the-middle technique to open and re-encrypt SSL/TLS traffic.

    True

    Mobile device management can restrict what ____________ can be installed and prevent unapproved applications.

    application

    Match the following connection methods with their descriptions:

      • Wi-Fi = Connect with SSID and Pre-Shared key
      • NFC = Radio communication over short proximity for payment gateway
      • Bluetooth = Supports Classic, high speed, and Low energy modes
      • USB = Physically connect devices

    Which RAID level is block-striped with error check and provides high availability?

    RAID 5

    What is the primary purpose of a Faraday Cage in a data center?

    Prevents illicit monitoring of computer systems through electromagnetic emissions

    Match the following access control model with its description:

      • MAC = Uses security labels to determine access
      • DAC = Specifies that every object has an owner with full control
      • ABAC = Uses attributes in policies to grant access
      • Role-based access control = Assigns access to roles instead of users

    NTLM is a legacy protocol that has been replaced by Kerberos.

    True

    ______ is an improvement over RADIUS and uses EAP for better security.

    DIAMETER

    Which authentication method uses a combination of a secret key and an incrementing counter for generating one-time passwords?

    HOTP

    What is the purpose of capturing video in a forensic investigation?

    Record time offset: the difference between the system clock and the actual time

    Which backup type backs up all selected data?

    Full

    Data sovereignty implies that data originating within a country must be stored outside that country.

    False

    ______ is a process for moving from a normal operational capability to the continuity-of-operations version of the business.

    Failover

    Match the location selection with the appropriate description:

      • Off-site backups = Copy of backup in a separate geographic location
      • Distance = Some backups need to be close for easy retrieval, while others need to be far away for protection from geographical disasters

    What does TOTP stand for and how does it differ from HOTP?

    TOTP stands for Time-based OTP. It uses a timestamp instead of a counter and typically expires after 30 seconds. HOTP stands for HMAC-based One-Time Password and generates an OTP value of 6-8 digits.

    Which type of accounts should not be used to ensure IAAA (Identification, Authentication, Authorization, and Accountability) can be implemented?

    Shared and generic accounts/credentials

    Standard Operating Procedures (SOPs) are step-by-step instructions that employees can use to perform uncommon tasks.

    False

    _______ identifies potential risks related to Personally Identifiable Information (PII) to ensure compliance with laws and regulations.

    Privacy impact assessment

    Match the following Risk Management concepts with their definitions:

      • RTO = Recovery Time Objective
      • RPO = Recovery Point Objective
      • MTBF = Mean Time Between Failures
      • MTTR = Mean Time to Restore/Repair

    What is an Armored virus designed to do?

    Make it difficult to reverse engineer

    Social Engineering may involve tactics like Whaling and Vishing.

    True

    What is the primary purpose of a Keylogger?

    Keep track of every single keystroke

    What type of software learns users' habits for targeted advertising? ______________

    Adware

    Match the wireless attack type with its description:

      • Replay = Capture and modify data to impersonate parties
      • Evil Twin = Rogue access point using the same SSID as a legit AP
      • RFID = One-way wireless communication for asset tracking
      • Disassociation = Disassociate wireless client from the network

    What is NAC used for?

    Host health checks

    What do SSL decryptors do?

    Open SSL/TLS traffic using a man-in-the-middle technique, screen the traffic, and re-encrypt it.

    Containerization isolates and protects applications and their data.

    True

    ______ is a protocol analyzer that captures, displays, and analyzes network packets.

    Wireshark

    Match the mobile device connection methods with their descriptions:

      • Wi-Fi = Connect to SSID with Pre-Shared key
      • Bluetooth = Supports Classic, high speed, and Low energy modes
      • NFC = Radio communication over a short proximity, commonly used for payments
      • USB = Used to physically connect devices

    Which type of attack occurs when the hashing algorithm creates the same hash from different passwords?

    Collision attack

    What are Rainbow tables used for?

    To find passwords from password hashes

    Hackers use _______ attack to guess all possible character combinations.

    brute force

    In a collision attack, the attacker steals the hash and uses a list of passwords to find the matching one.

    True

    Match the following network security tools with their functions:

      • Nmap & Zenmap = Port Scanner
      • Wireshark = Traffic Analyzer
      • Nessus = Vulnerability Scanner
      • Tripwire = File integrity checker

    What is the purpose of a VPN concentrator?

    To secure communication channels

    Which protocols are used for protecting user data in IPsec?

    Both AH and ESP

    What is the purpose of IKE Phase 1 in IPsec?

    To establish a secure channel for negotiating IPsec SAs

    Aggressive mode in IKE Phase 1 is more secure than Main mode.

    False

    What is the purpose of a Split tunnel in VPNs?

    Avoid encryption bottlenecks

    ______ provides authentication for the data and the IP header of a packet in IPsec using a one-way hash.

    AH

    What does LDAPS stand for and what port is it commonly used on?

    Lightweight Directory Access Protocol Secure; port 636

    Which protocol uses port 22 for file transfer and encryption?

    SFTP

    TLS has replaced SSL for securing traffic on the internet.

    True

    Secure POP3 commonly uses port 995, whereas IMAP4 with SSL uses port ____.

    993

    Match the protocol with its primary usage:

      • SSH = Encrypt data-in-transit
      • FTPS = Secure file transfer
      • TLS = Replace SSL for encryption
      • VLANs = Provide increased network segmentation

    What is the purpose of a parity drive in RAID 5?

    Block-striping with error checking

    Explain the purpose of a Faraday Cage in physical security.

    A Faraday Cage prevents illicit monitoring of computer systems through electromagnetic fields.

    Key cards are more secure than metallic keys because they can be remotely revoked. True or False?

    True

    LDAP stands for Lightweight Directory ________ Protocol.

    Access

    Match the biometric factor with its corresponding description:

      • Fingerprint Scanner = Identification and authentication using fingerprints
      • Retinal Scanner = Identification based on blood vessel patterns in the eye
      • Iris Scanner = Authentication based on iris patterns
      • Facial Recognition = Identification using facial features

    What does a Secure baseline document specify?

    Minimum specifications for a secure application, system, or service

    Integrity measurement involves monitoring whether an application, system, or service complies with the security baseline.

    True

    SCADA/ICS stands for Industrial Control System and is controlled by a Supervisory Control and ________.

    Data

    What is the core engine of Smart devices/IoT often based on?

    Linux-type kernel

    Match the development life-cycle model with its description:

      • Waterfall = Finish one stage before moving to the next, cannot go back
      • Agile = Uses iterative cycles, each creating a working product
      • Extreme Programming (XP) = Advocates frequent releases in short cycles
      • Scrum = Framework centered on a 30-day cycle process, focused on perspective

    What is the abbreviation for 'Time based OTP'?

    TOTP

    Which system is used by the Department of Defense (DOD) for military personnel and contractors?

    CAC

    Two-phase commit ensures that if a portion of a transaction cannot complete, the entire transaction is still performed.

    False

    ______ is a technical control where users or processes are granted only those rights and permissions needed to perform their assigned tasks or functions.

    Least privilege

    Match the following concepts with their descriptions:

      • RTO = How long it takes to restore a system after an outage
      • MTTF = Expected lifetime of a non-repairable system
      • SLE = Product of Exposure Factor and Asset Value
      • Chain of custody = Assures that the evidence has been controlled and handled properly after collection

    What is the purpose of taking hashes in digital forensics?

    Provides integrity of the captured images

    What is the main purpose of witness interviews in digital forensics?

    First-hand report

    What does DRP (disaster recovery plan) include?

    Information on disaster recovery strategy

    ______ captures the data at a point in time and is a fast way to restore the system.

    Snapshot

    Failover involves moving from normal operations to the business continuity version of the organization.

    True

    What is the primary objective of fault tolerance in a system or service?

    To provide high availability

    What is the main purpose of a RAID 1 configuration?

    To provide redundancy and high availability

    What is the primary function of a mantrap in a data center?

    To control access to the data center

    What is the purpose of a Faraday Cage in a data center?

    To block electromagnetic interference

    What is the primary benefit of using a redundant system design?

    To achieve high availability

    What is the primary purpose of using signs in a physical security context?

    To provide visual cues

    What is the primary benefit of using a distributed allocation system?

    To enhance system scalability

    What is the primary purpose of a lock in a physical security context?

    To control access to restricted areas

    What is the primary function of an air gap in a physical security context?

    To isolate a system from the network

    What is the primary benefit of using RAID 5 configuration?

    To achieve high availability and redundancy

    Study Notes

    Threats, Attacks, and Vulnerabilities

    Malware

    • Viruses: attach themselves to a host application
      • Types:
        • Sparse infector virus: behaves sporadically and unpredictably
        • Multipartite virus: can infect both program files and the boot sector
        • Stealth virus: uses multiple techniques to evade detection
    • Worms: self-replicating malware that travels through a network without host application or user interaction
    • Armored virus: makes it difficult to reverse-engineer
    • Crypto-malware: encrypts valuable user files (e.g., ransomware)
    • Trojans: appear to be useful but contain a malicious component
    • Rootkits: have root-level or kernel-level access, can modify system files and system access
    • Keyloggers: keep track of every keystroke
    • Adware: learns user habits for targeted advertising (e.g., pop-ups)
    • Spyware: monitors user computer activity and sends information to a third party
    • Bots: multiple computers acting as software robots, functioning together in a network for malicious purposes (e.g., sending spam, launching DDoS)
    • Logic bombs: strings of code embedded into an application or script, execute in response to an event or specific time
    • Backdoors: provide another way of accessing a system, often created by malware

    Social Engineering

    • Pharming: misdirecting users to fraudulent websites without their knowledge or consent
    • Phishing: emailing users to trick them into revealing personal information or clicking a malicious link
    • Spimming: phishing using instant messages (e.g., Facebook Messenger)
    • Spear phishing: targeted form of phishing, sending emails to specific users or groups
    • Whaling: targeting high-level executives with phishing attacks
    • Vishing: phishing using phone calls
    • Tailgating: following an employee through a door without showing credentials
    • Impersonation: identity theft
    • Dumpster diving: searching through trash to gain information from discarded documents
    • Shoulder surfing: looking over someone's shoulder to obtain sensitive information
    • Hoax: false message, often an email claiming a virus exists and encouraging deletion of files or changing system configuration
    • Watering hole attack: infecting a website frequently visited by the target group with malware

    Types of Attacks

    • DoS (Denial of Service): disrupting services provided by another system
    • DDoS (Distributed Denial of Service): attack from multiple computers to a single target
    • Man-in-the-Middle (MitM): intercepting and modifying communications between two parties
    • Buffer overflow: exploiting an application that receives more data than it can handle
    • Injection: inserting malicious code or input to alter system behavior
    • Cross-site Scripting (XSS): injecting malicious scripts into a website
    • Cross-Site Request Forgery (CSRF): tricking users into performing unintended actions on a web application
    • Privilege Escalation: exploiting a programming flaw or buffer overflow to gain admin-level or root-level access
    • ARP Poisoning: modifying the ARP cache to redirect traffic
    • DNS Poisoning: modifying DNS records to redirect users to malicious websites
    • Domain Hijacking: taking control of a domain name without authorization
    • Man-in-the-Browser: intercepting and modifying communications between a browser and a website
    • Zero-day Exploit: exploiting an undocumented or unknown vulnerability
    • Replay Attack: capturing and re-transmitting data to impersonate one party in a session
    • Pass-the-Hash: capturing password hashes and using them to authenticate

    Threat Actor Types and Attributes

    • Script Kiddies: novice hackers using existing tools and scripts
    • Hacktivists: using hacking to convey a social or political message
    • Organized Crime: monetizing hacking efforts
    • Nation States/APT (Advanced Persistent Threat): elite hackers conducting information warfare
    • Insiders: employees or contractors with authorized access to an organization
    • Competitors: using hacking to gain an advantage
    • Attributes:
      • Internal/External
      • Level of sophistication
      • Resources/Funding
      • Intent/Motivation
      • Use of Open-Source Intelligence (OSINT)

    Network Security Threats

    • Improper input validation can lead to memory overflow, pointer dereference, and unexpected results.
    • DLL injection can add malicious functionality to a system.
    • System sprawl and undocumented assets can allow attackers to traverse the network more easily.
    • New threats and zero-day attacks can exploit unknown vulnerabilities.
    • Improper certificate and key management can lead to data insecurity.

    Firewalls

    • A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
    • A dual-homed firewall is a firewall with two network interfaces.
    • ACLs (Access Control Lists) identify what traffic is allowed and what is blocked based on networks, subnets, IP addresses, ports, and some protocols.
    • Packet filtering firewalls are based on ACLs and only examine the packet header.
    • Application-based firewalls are installed on a host and can analyze traffic on a deeper level.
    • Stateful firewalls inspect traffic and make decisions based on the context or state of the traffic.
    • Stateless firewalls use ACLs to make decisions.

    VPNs

    • A VPN (Virtual Private Network) provides a means of cryptographically securing a communication channel.
    • A VPN concentrator is the endpoint for VPN activity.
    • Remote access VPNs allow a remote host to connect to a network.
    • Site-to-site VPNs connect two networks from remote sites.
    • TLS (Transport Layer Security) provides Layer 6 encryption services for Layer 7 applications.
    • SSL Portal VPNs are used to securely access the web from a browser.
    • SSL Tunnel VPNs allow secure access to applications and other network services.

    IPSec

    • IPSec (Internet Protocol Security) is an encryption protocol that defines the rules for encryption, authentication, and key management for TCP/IP transmissions.
    • IKE (Internet Key Exchange) is a hybrid protocol that negotiates, establishes, modifies, and deletes security associations.
    • IKE uses IKE phase 1 to establish a secure authenticated communication channel and IKE phase 2 to negotiate IPsec security associations.
    • IPSec protocols include AH (Authentication Header) and ESP (Encapsulating Security Payload).

    VPN Modes

    • Split tunneling routes only some traffic through the VPN.
    • Full tunneling encrypts all traffic, including internet traffic.
    • Always-on VPNs self-configure and connect once an internet connection is sensed.

    NIPS/NIDS

    • NIPS (Network-based Intrusion Prevention System) and NIDS (Network-based Intrusion Detection System) analyze traffic in the network.
    • NIPS can stop traffic if it detects a signature match or anomaly.
    • NIDS can alert the admin of suspicious connections or potential threats.
    • Anomaly-based detection can detect a wide range of zero-day attacks.

    Router Security

    • ACLs can be used to identify what traffic is allowed and what is blocked.
    • Anti-spoofing can be used to prevent spoofing attacks.
    • NAT (Network Address Translation) can be used to hide internal IP addresses.
    • Port security can be used to disable unused ports and limit the number of MAC addresses per port.

    Switch Security

    • Port security can be used to disable unused ports and limit the number of MAC addresses per port.
    • Loop prevention can be used to prevent switching loops.
    • Flood guard can be used to detect and block traffic to prevent flooding attacks.

    Proxy Servers

    • A proxy server acts as an Internet gateway, firewall, and Internet caching server for a private network.
    • Forward proxy forwards requests for services from clients.
    • Reverse proxy receives requests on behalf of clients.
    • Transparent proxy accepts and forwards requests without modifying them.
    • Load balancers can be used to distribute traffic across multiple servers.

    Access Points

    • SSID (Service Set Identifier) identifies the name of a wireless network.
    • MAC filtering can be used to block unauthorized devices.
    • Signal strength can be used to determine the distance and quality of a wireless connection.
    • Antenna types and placement can affect the quality of a wireless connection.

    SIEM

    • SIEM (Security Information and Event Management) classifies and analyzes security data from numerous sources.
    • Time synchronization can be used to correlate events across the entire enterprise.
    • Aggregation can be used to collect information in a central place.
    • Correlation can be used to connect events based on time, common events, and behavior.
    • Automated alerting and triggers can be used to issue alerts or react to events.

    DLP

    • DLP (Data Loss Prevention) detects and blocks data loss.
    • USB blocking can be used to prevent data loss.
    • Cloud-based DLP detects and blocks data moved to the cloud.
    • Email DLP detects and blocks data loss via email.

    NAC

    • NAC (Network Access Control) uses agents to inspect clients for health.
    • Agent code can be stored in the host machine or deployed to memory.
    • Permanent agents are pre-deployed to the endpoints.
    • Dissolvable agents are deployed when needed and removed after use.
    • Host health checks can be used to restrict access to unhealthy clients.

    Other Security Tools

    • Protocol analyzers capture, display, and analyze packets sent over a network.
    • Network scanners search for live hosts, open ports, and TCP/UDP services.
    • Rogue system detection helps detect unknown devices on a network.
    • Vulnerability scanners recognize weaknesses like open ports, weak passwords, and default accounts and passwords.
    • Configuration compliance scanners establish a baseline configuration against which deviations are measured.
    • Exploitation frameworks assist with the tasks associated with exploiting vulnerabilities.
    • Data sanitization tools destroy or purge a system before retiring and disposing of it.
    • Steganography tools hide messages in images, videos, or audio files.
    • Honeypots divert attackers from live networks.
    • Backup utilities back up critical data.

    Network Security Fundamentals

    • ARP (Address Resolution Protocol) is used to identify MAC addresses from IP addresses.
    • ipconfig/ip/ifconfig shows TCP/IP configuration, including IP address, subnet mask, default gateway, MAC address, and DNS server.
    • tcpdump is a command-line packet analyzer for Linux, similar to Wireshark.
    • nmap is a network scanner that identifies active hosts, addresses, protocols, and services running on each host, as well as the OS of the host.

    Troubleshooting Common Security Issues

    • Unencrypted credentials/clear text: avoid using obsolete protocols that transfer passwords in clear text.
    • Log and event anomalies: record event anomalies and decide what to log and what not to log.
    • Permission issues: outdated user rights lists can create permission issues.
    • Access violations: should be logged and alerted.
    • Certificate issues: occur when a user attempts to use a certificate that lacks a complete chain of trust back to a trusted root.
    • Data exfiltration: attacker attempts to steal data.

    Analyze and Interpret Output from Security Technologies

    • HIDS/HIPS: alert on behaviors based on signatures.
    • Antivirus: alerts, prevents, and logs malicious attack attempts.
    • File Integrity check: compares the original hash and calculated hash.
    • Host-based firewall: firewall in the host machine.
    • Application whitelisting: only allows approved (whitelisted) applications to be installed.
    • Removable media control: prevents data exfiltration using encryption technology.
    • Advanced malware tools: specialized malware removal and recovery tools.
    • Patch management tools: help patch OS and applications.
    • UTM: all-in-one security, acting as a firewall, IDS/IPS, anti-malware, anti-spam, and content filtering.
    • DLP: detects and prevents data transfer.
    • Data execution prevention: OS works with the CPU to prevent programs from executing in certain parts of memory.

    Deploy Mobile Devices Securely

    • Connection methods: cellular, Wi-Fi, SATCOM, Bluetooth, NFC, Infrared, and USB.
    • Mobile device management concepts: application management, content management, remote wipe, geofencing, geolocation, screen locks, push notification services, passwords and pins, biometrics, context-aware authentication, containerization, storage segmentation, and full device encryption.

    Implement Secure Protocols

    • Protocols: DNSSEC, SSH, S/MIME, SRTP, LDAPS, SFTP, FTPS, SNMPv3, SSL, TLS, and HTTPS.
    • DNSSEC: prevents DNS cache poisoning by providing validation for DNS responses.
    • SSH: encrypts traffic in transit and can be used to encrypt other protocols.
    • S/MIME: provides encryption and authentication for email.

    Architecture and Design

    • Frameworks: industry-standard frameworks, regulatory frameworks, national frameworks, and industry-specific frameworks.
    • Secure configuration guides: CIS, OWASP, and vendor-specific guides.
    • Defense-in-depth/Layered security: implementing multiple layers of protection.
    • Vendor diversity: implementing security controls from different vendors.
    • Control diversity: using different security control types.

    Implement Secure Network Architecture Concepts

    • Zones/topologies: DMZ, extranet, intranet, wireless, guest, and honeynets.
    • Segregation/segmentation/isolation: physical, logical (VLAN), virtualization, and air gaps.
    • Tunneling/VPN: site-to-site, remote access, and IPSec.
    • Security device/technology placement: sensors, collectors, correlation engines, filters, proxies, firewalls, VPN concentrators, SSL accelerators, load balancers, and DDoS mitigators.
    • SDN: uses virtualization technologies to route traffic instead of using hardware routers and switches.

    Threats, Attacks, and Vulnerabilities

    Malware

    • Viruses: attach themselves to a host application
      • Types:
        • Sparse infector virus: behaves sporadically and unpredictably
        • Multipartite virus: can infect both program files and the boot sector
        • Stealth virus: uses multiple techniques to evade detection
    • Worms: self-replicating malware that travels through a network without host application or user interaction
    • Armored virus: designed to be difficult to reverse-engineer or analyze
    • Crypto-malware: encrypts valuable user files (e.g., ransomware)
    • Trojans: appear to be useful but contain a malicious component
    • Rootkits: have root-level or kernel-level access, can modify system files and system access
    • Keyloggers: keep track of every keystroke
    • Adware: learns user habits for targeted advertising (e.g., pop-ups)
    • Spyware: monitors user computer activity and sends information to a third party
    • Bots: multiple computers acting as software robots, functioning together in a network for malicious purposes (e.g., sending spam, launching DDoS)
    • Logic bombs: strings of code embedded into an application or script, execute in response to an event or specific time
    • Backdoors: provide another way of accessing a system, often created by malware

    Social Engineering

    • Pharming: misdirecting users to fraudulent websites without their knowledge or consent
    • Phishing: emailing users to trick them into revealing personal information or clicking a malicious link
    • Spimming: phishing using instant messages (e.g., Facebook Messenger)
    • Spear phishing: targeted form of phishing, sending emails to specific users or groups
    • Whaling: targeting high-level executives with phishing attacks
    • Vishing: phishing using phone calls
    • Tailgating: following an employee through a door without showing credentials
    • Impersonation: pretending to be another person or role (a form of identity theft) to deceive the target
    • Dumpster diving: searching through trash to gain information from discarded documents
    • Shoulder surfing: looking over someone's shoulder to obtain sensitive information
    • Hoax: false message, often an email claiming a virus exists and encouraging deletion of files or changing system configuration
    • Watering hole attack: infecting a website frequently visited by the target group with malware

    Types of Attacks

    • DoS (Denial of Service): disrupting services provided by another system
    • DDoS (Distributed Denial of Service): attack from multiple computers to a single target
    • Man-in-the-Middle (MitM): intercepting and modifying communications between two parties
    • Buffer overflow: exploiting an application by sending it more data than it can handle
    • Injection: inserting malicious code or input to alter system behavior
    • Cross-site Scripting (XSS): injecting malicious scripts into a website
    • Cross-Site Request Forgery (CSRF): tricking users into performing unintended actions on a web application
    • Privilege Escalation: exploiting a programming flaw or buffer overflow to gain admin-level or root-level access
    • ARP Poisoning: modifying the ARP cache to redirect traffic
    • DNS Poisoning: modifying DNS records to redirect users to malicious websites
    • Domain Hijacking: taking control of a domain name without authorization
    • Man-in-the-Browser: intercepting and modifying communications between a browser and a website
    • Zero-day Exploit: exploiting an undocumented or unknown vulnerability
    • Replay Attack: capturing and re-transmitting data to impersonate one party in a session
    • Pass-the-Hash: capturing password hashes and using them to authenticate

    Threat Actor Types and Attributes

    • Script Kiddies: novice hackers using existing tools and scripts
    • Hacktivists: using hacking to convey a social or political message
    • Organized Crime: monetizing hacking efforts
    • Nation States/APT (Advanced Persistent Threat): elite hackers conducting information warfare
    • Insiders: employees or contractors with authorized access to an organization
    • Competitors: using hacking to gain an advantage
    • Attributes:
      • Internal/External
      • Level of sophistication
      • Resources/Funding
      • Intent/Motivation
      • Use of Open-Source Intelligence (OSINT)

    Network Security Threats

    • Improper input validation can lead to memory overflows, pointer dereference errors, and other unexpected results.
    • DLL injection can add malicious functionality to a system.
    • System sprawl and undocumented assets can allow attackers to traverse the network more easily.
    • New threats and zero-day attacks can exploit unknown vulnerabilities.
    • Improper certificate and key management can lead to data insecurity.

    Firewalls

    • A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
    • A dual-homed firewall is a firewall with two network interfaces.
    • ACLs (Access Control Lists) identify what traffic is allowed and what is blocked based on networks, subnets, IP addresses, ports, and some protocols.
    • Packet filtering firewalls are based on ACLs and only examine the packet header.
    • Application-based firewalls are installed on a host and can analyze traffic on a deeper level.
    • Stateful firewalls inspect traffic and make decisions based on the context or state of the traffic.
    • Stateless firewalls use ACLs to make decisions.

    VPNs

    • A VPN (Virtual Private Network) provides a means of cryptographically securing a communication channel.
    • A VPN concentrator is the endpoint for VPN activity.
    • Remote access VPNs allow a remote host to connect to a network.
    • Site-to-site VPNs connect two networks from remote sites.
    • TLS (Transport Layer Security) provides Layer 6 encryption services for Layer 7 applications.
    • SSL Portal VPNs are used to securely access the web from a browser.
    • SSL Tunnel VPNs allow secure access to applications and other network services.

    IPSec

    • IPSec (Internet Protocol Security) is a protocol suite that defines the rules for encryption, authentication, and key management for TCP/IP transmissions.
    • IKE (Internet Key Exchange) is a hybrid protocol that negotiates, establishes, modifies, and deletes security associations.
    • IKE uses IKE phase 1 to establish a secure authenticated communication channel and IKE phase 2 to negotiate IPsec security associations.
    • IPSec protocols include AH (Authentication Header) and ESP (Encapsulating Security Payload).

    VPN Modes

    • Split tunneling routes only some traffic through the VPN.
    • Full tunneling encrypts all traffic, including internet traffic.
    • Always-on VPNs configure themselves and connect automatically as soon as an internet connection is detected.

    NIPS/NIDS

    • NIPS (Network-based Intrusion Prevention System) and NIDS (Network-based Intrusion Detection System) analyze traffic in the network.
    • NIPS can stop traffic if it detects a signature match or anomaly.
    • NIDS can alert the admin of suspicious connections or potential threats.
    • Anomaly-based detection can detect a wide range of zero-day attacks.

    Router Security

    • ACLs can be used to identify what traffic is allowed and what is blocked.
    • Anti-spoofing can be used to prevent spoofing attacks.
    • NAT (Network Address Translation) can be used to hide internal IP addresses.
    • Port security can be used to disable unused ports and limit the number of MAC addresses per port.

    Switch Security

    • Port security can be used to disable unused ports and limit the number of MAC addresses per port.
    • Loop prevention can be used to prevent switching loops.
    • Flood guard can be used to detect and block traffic to prevent flooding attacks.

    Proxy Servers

    • A proxy server acts as an Internet gateway, firewall, and Internet caching server for a private network.
    • Forward proxy forwards requests for services from clients.
    • Reverse proxy receives requests from clients on behalf of the servers behind it.
    • Transparent proxy accepts and forwards requests without modifying them.
    • Load balancers can be used to distribute traffic across multiple servers.

    Access Points

    • SSID (Service Set Identifier) identifies the name of a wireless network.
    • MAC filtering can be used to block unauthorized devices.
    • Signal strength can be used to determine the distance and quality of a wireless connection.
    • Antenna types and placement can affect the quality of a wireless connection.

    SIEM

    • SIEM (Security Information and Event Management) classifies and analyzes security data from numerous sources.
    • Time synchronization can be used to correlate events across the entire enterprise.
    • Aggregation can be used to collect information in a central place.
    • Correlation can be used to connect events based on time, common events, and behavior.
    • Automated alerting and triggers can be used to issue alerts or react to events.

    DLP

    • DLP (Data Loss Prevention) detects and blocks data loss.
    • USB blocking can be used to prevent data loss.
    • Cloud-based DLP detects and blocks data moved to the cloud.
    • Email DLP detects and blocks data loss via email.

    NAC

    • NAC (Network Access Control) uses agents to inspect clients for health.
    • Agent code can be stored in the host machine or deployed to memory.
    • Permanent agents are pre-deployed to the endpoints.
    • Dissolvable agents are deployed when needed and removed after use.
    • Host health checks can be used to restrict access to unhealthy clients.

    Other Security Tools

    • Protocol analyzers capture, display, and analyze packets sent over a network.
    • Network scanners search for live hosts, open ports, and TCP/UDP services.
    • Rogue system detection helps detect unknown devices on a network.
    • Vulnerability scanners recognize weaknesses like open ports, weak passwords, and default accounts and passwords.
    • Configuration compliance scanners establish a baseline configuration and measure deviations from it.
    • Exploitation frameworks assist with the tasks associated with exploiting vulnerabilities.
    • Data sanitization tools destroy or purge the data on a system before it is retired and disposed of.
    • Steganography tools hide messages in images, videos, or audio files.
    • Honeypots divert attackers from live networks.
    • Backup utilities back up critical data.

    Network Security Fundamentals

    • ARP (Address Resolution Protocol) is used to identify MAC addresses from IP addresses.
    • ipconfig/ip/ifconfig shows TCP/IP configuration, including IP address, subnet mask, default gateway, MAC address, and DNS server.
    • tcpdump is a command-line packet analyzer for Linux, similar to Wireshark.
    • nmap is a network scanner that identifies active hosts, addresses, protocols, and services running on each host, as well as the OS of the host.

    Troubleshooting Common Security Issues

    • Unencrypted credentials/clear text: avoid using obsolete protocols that transfer passwords in clear text.
    • Log and event anomalies: record event anomalies and decide what to log and what not to log.
    • Permission issues: outdated user rights lists can create permission issues.
    • Access violations: should be logged and alerted.
    • Certificate issues: occur when a user attempts to use a certificate that lacks a complete chain of trust back to a trusted root.
    • Data exfiltration: attacker attempts to steal data.

    Analyze and Interpret Output from Security Technologies

    • HIDS/HIPS: alert on behaviors based on signatures.
    • Antivirus: alerts, prevents, and logs malicious attack attempts.
    • File Integrity check: compares the original hash and calculated hash.

    Social Engineering Principles

    • Authority: Respect for authority figures is used to manipulate individuals
    • Intimidation: Bullying tactics are used to create fear and compliance
    • Scarcity: Limited-time offers or exclusive deals create a sense of urgency
    • Consensus: Fake reviews or testimonials are used to build trust
    • Familiarity: People are more likely to trust someone they like or have a connection with
    • Shoulder surfing and tailgating: Using social engineering to gain physical access to restricted areas
    • Trust: Building trust to gain access or manipulate individuals
    • Urgency: Creating a sense of urgency to prompt action

    Application/Service Attacks

    • DoS: Attack from a single source to disrupt services
    • DDoS: Attack from multiple computers to a single target
    • Man-in-the-Middle: Using a separate computer to intercept, read, and modify traffic
    • Buffer overflow: Overflowing a buffer with malicious data to crash or compromise systems
    • Use of patches and input validation to prevent buffer overflow attacks

    Vulnerability Identification

    • Identifying weaknesses: Open ports, weak passwords, default accounts, and security/configuration errors
    • Identifying lack of security controls: Missing security controls, outdated patches, and lack of antivirus software
    • Identifying common misconfigurations: Incorrectly configured ports, weak protocols, and incorrect configuration of networking devices
    • Intrusive vs. non-intrusive testing: simulating attacks to identify vulnerabilities vs. scanning for vulnerabilities without exploiting them
    • Credentialed vs. non-credentialed testing: Scanning with admin privileges vs. gaining admin access using escalation techniques

    Impact of Vulnerabilities

    • Race conditions: When two or more applications attempt to access the same resource at the same time and the outcome depends on the order in which they run
    • Vulnerabilities due to End-of-life systems, embedded systems, and lack of vendor support
    • Use of third-party source code escrow to gain access to source code when vendors go out of business

    Network Access Control (NAC)

    • Agent vs. agentless: Agent code stored on the host machine vs. code residing on the network
    • Permanent vs. dissolvable agents: Pre-deployed agents vs. deployed when needed and removed after use
    • Host health checks: Inspecting clients for health, including up-to-date antivirus software and restricting access to unhealthy clients

    Mail Gateway Security

    • Spam filter: Blocking spam using solutions like Appriver and Mimecast
    • DLP: Implementing Data Loss Prevention policy to prevent data leaks
    • Encryption: Encrypting mail traffic using solutions like PGP and S/MIME

    Network Segregation and Encryption

    • Bridge: Network segregating device operating in layer 2
    • SSL/TLS accelerators: Offloading encryption to transparent devices instead of burdening the web servers with it
    • SSL decryptors: Opening SSL/TLS traffic using man-in-the-middle technique and re-encrypting it

    Hardware Security Modules

    • Managing and storing encryption keys

    Deploying Mobile Devices Securely

    • Connection methods: Cellular, Wi-Fi, SATCOM, Bluetooth, NFC, ANT, and Infrared
    • Mobile device management concepts: Application management, content management, remote wipe, and distributive allocation
    • Redundancy and fault tolerance: Designing systems to remain operational with minimal downtime

    Physical Security Controls

    • Lighting: Allowing observation of people and activities
    • Signs: Visual cues to keep people away from restricted areas
    • Fencing/gate/cage: Building a perimeter to restrict access
    • Security guards: Monitoring and controlling access to restricted areas
    • Alarms: Providing accurate and useful alerts
    • Safe and secure cabinets/enclosures: Physically securing equipment and data
    • Protected distribution/protected cabling: Securing cables to prevent tapping and DoS
    • Air gap: Isolating an entity to separate it from everything else
    • Mantrap: Preventing tailgating and controlling access to data centers
    • Faraday Cage: Preventing illicit monitoring of computer systems through Van Eck emissions
    • Lock types: Using smart locks and cipher locks that can be programmable

    Description

    Learn about the different types of malware, including viruses, worms, and armored viruses. Understand their characteristics and behaviors.
