Vulnerabilities in Cybersecurity
38 Questions
Questions and Answers

What is a signature in the context of a Network Intrusion Detection System (NIDS)?

  • A type of encryption used in NIDS
  • A description of the content of network packets during a specific attack (correct)
  • A description of normal network communication patterns
  • A type of anomaly-based NIDS

What is a limitation of anomaly-based NIDS?

  • They can detect all types of threats
  • They assume no malicious activity during training (correct)
  • They require frequent database updates
  • They are only used in signature-based NIDS

Why may a NIDS be unable to detect certain threats?

  • Because the NIDS is not using TLS interception
  • Because the NIDS has limited information about network communication (correct)
  • Because the NIDS is not updated regularly
  • Because the NIDS is only signature-based

What is a disadvantage of TLS interception in NIDS?

  • It allows administrators to eavesdrop on encrypted communication (D)

What is a characteristic of signature-based NIDS?

  • They use a database of known attack patterns (C)

Why must an anomaly-based NIDS be retrained?

  • When new software is introduced on the network (A)

What is a limitation of both signature-based and anomaly-based NIDS?

  • They are only used in network communication (A)

What is a term used to describe vulnerabilities without a fix?

  • Zero days (C)

What is a potential problem with anomaly-based NIDS?

  • They rely on the assumption of no malicious activity during training (B)

What motivated DENIC to restrict access to contact information for '.de' domains?

  • To prevent attackers from abusing contact information (A)

What is the primary assumption behind firewall rules that filter packets based on port numbers?

  • Particular services listen on specific ports (B)

What is the main argument of advocates of full disclosure?

  • To inform users of vulnerabilities to assess their risks (A)

What is the primary function of the Domain Name System (DNS)?

  • To map IP addresses to domain names (A)

What is the purpose of a tunnel service in the context of bypassing firewalls?

  • To allow users to access the Internet without restrictions (D)

What is the typical timeframe granted to a vendor to release a fix before going public in responsible disclosure?

  • 90 days (A)

What can be inferred from a hostname such as 'webmail05.example.net'?

  • The server is a mail server (A)

What is the technique called that some firewalls use to check if packets contain data for a specific service?

  • Deep Packet Inspection (DPI) (C)

What is the purpose of granting a vendor a timeframe to release a fix before going public?

  • To give vendors the opportunity to investigate the issue thoroughly (D)

What is the primary goal of Certificate Transparency?

  • To increase transparency in TLS certificate registration (A)

What is the analogy used to argue against DPI?

  • Comparing packets to postal mail (B)

What happens if a vendor does not fix a vulnerability in the granted timeframe?

  • The finder goes public with the vulnerability (A)

What can be accomplished with a port scanner such as nmap?

  • Enumerating all publicly reachable hosts and services (A)

What is a potential consequence of not setting up strict firewall rules?

  • The system becomes more vulnerable to unauthorized access (C)

Who decides whether to grant a vendor an extension of the embargo?

  • The finder (A)

What is the limitation of DPI in preventing users from bypassing a firewall?

  • It cannot entirely prevent users from bypassing a firewall (B)

What is the primary goal of Passive DNS services?

  • To increase transparency in domain name lookups (B)

What is the purpose of a firewall in the context of perimeter security?

  • To allow access to specific services (B)

What is the benefit of responsible disclosure, according to its proponents?

  • It gives vendors the opportunity to investigate the issue thoroughly (B)

What is the main difference between full disclosure and responsible disclosure?

  • Responsible disclosure notifies the vendor, while full disclosure does not (A)

What is the primary goal of data exfiltration prevention?

  • To prevent unauthorized data transfer (D)

What is a common problem that can be exploited by attackers using the systems mentioned in the case study?

  • Information leakage in domain name systems (A)

What is the nature of the cat-and-mouse game between attackers and defenders in the context of data exfiltration prevention?

  • A constant evolution of attacks and countermeasures (C)

What is a consequence of TLS interception?

  • Decreased security of encrypted communications (B)

What metrics are used to evaluate the accuracy of a NIDS?

  • True positive rate, false negative rate, false positive rate, and true negative rate (C)

Why do even accurate NIDS generate many false positives?

  • Because malicious traffic is much less frequent than normal traffic (B)

What is the base rate in the example of a hypothetical NIDS?

  • 1 out of every 100,000 packets has a malicious payload (B)

What is the consequence of a NIDS with a 99.9% accuracy rate in the example?

  • The NIDS will generate more false alarms than true alarms (C)

What is the main issue in practical NIDS regarding false alarms and real alarms?

  • The imbalance is one of the most pressing issues in practical NIDS (A)

Study Notes

Vulnerability Handling

  • An exploit is often developed to take advantage of a vulnerability, and a vendor cannot fix a vulnerability until they are aware of it.
  • Unreported vulnerabilities can remain unfixed for a long time and are referred to as 'zero days' or '0-days'.

Full Disclosure vs. Responsible Disclosure

  • There are two approaches to publishing vulnerabilities: full disclosure and responsible disclosure.
  • Full disclosure involves publicly disclosing the vulnerability without notifying the vendor in advance, which can put pressure on the vendor to release a fix quickly.
  • Responsible disclosure, also known as coordinated disclosure, involves informing the vendor first and giving them a specific timeframe to release a fix before going public.

Responsible Disclosure

  • The typical timeframe for responsible disclosure is 90 days, but vendors may request an extension.
  • The finder of the vulnerability has the discretion to grant an extension or not.
  • Responsible disclosure is not without flaws, and it can increase the effort for system administrators to contact domain owners to resolve problems.

Case Study: Reconnaissance

  • Whois is not the only system that leaks information, and attackers can use other systems like the Domain Name System to gather information.
  • Reverse DNS lookups can be used to look up hostnames given an IP address.
  • Certificate Transparency and Passive DNS can leak sensitive information to attackers, including hostnames of internal systems.
  • Port scanners can be used to enumerate all publicly reachable hosts and services.

Case Study: Perimeter Security via Firewalls

  • Firewalls can be configured to drop all packets that do not match a list of specific port numbers; this rests on the assumption that particular services listen on specific ports.
  • However, this assumption does not always hold, as services can be reconfigured to listen on arbitrary ports.
  • Firewalls can be bypassed using ports that are commonly allowed in the firewall's configuration.
  • Deep Packet Inspection (DPI) can be used to check if packets contain data for a specific service, but it is an open debate whether DPI is an acceptable practice.

Case Study: Network Intrusion Detection Systems

  • Signature-based NIDS detect threats by matching network packets to known attack patterns.
  • Anomaly-based NIDS detect deviations from normal communication patterns.
  • Neither signature-based nor anomaly-based NIDS can detect all threats, as they are limited to network communication.
  • Encrypted traffic cannot be analyzed by NIDS, but this limitation can be overcome by using TLS interception.
  • TLS interception has been called into question, as it allows administrators to eavesdrop on encrypted communication.

Evaluating NIDS Accuracy

  • The accuracy of a NIDS is evaluated using four metrics: true positive rate, false negative rate, false positive rate, and true negative rate.
  • Even very accurate NIDS generate many false positives due to the base rate fallacy.
  • The imbalance between false alarms and real alarms is a significant issue in practical NIDS.

Quiz Team

Description

Learn about vulnerabilities, zero-days, and the approaches to publishing vulnerabilities, including full disclosure and responsible disclosure.
