Vulnerabilities in Cybersecurity

38 Questions

What is a signature in the context of a Network Intrusion Detection System (NIDS)?

A description of the content of network packets during a specific attack

What is a limitation of anomaly-based NIDS?

They assume no malicious activity during training

Why may a NIDS be unable to detect certain threats?

Because the NIDS has limited information about network communication

What is a disadvantage of TLS interception in NIDS?

It allows administrators to eavesdrop on encrypted communication

What is a characteristic of signature-based NIDS?

They use a database of known attack patterns

Why must an anomaly-based NIDS be retrained?

When new software is introduced on the network

What is a limitation of both signature-based and anomaly-based NIDS?

They are only used in network communication

What is a term used to describe vulnerabilities without a fix?

Zero days

What is a potential problem with anomaly-based NIDS?

They rely on the assumption of no malicious activity during training

What motivated DENIC to restrict access to contact information for '.de' domains?

To prevent attackers from abusing contact information

What is the primary assumption behind firewall rules that filter packets based on port numbers?

Particular services listen on specific ports

What is the main argument of advocates of full disclosure?

To inform users of vulnerabilities to assess their risks

What is the primary function of the Domain Name System (DNS)?

To map IP addresses to domain names

What is the purpose of a tunnel service in the context of bypassing firewalls?

To allow users to access the Internet without restrictions

What is the typical timeframe granted to a vendor to release a fix before going public in responsible disclosure?

90 days

What can be inferred from a hostname such as 'webmail05.example.net'?

The server is a mail server

What is the technique called that some firewalls use to check if packets contain data for a specific service?

Deep Packet Inspection (DPI)

What is the purpose of granting a vendor a timeframe to release a fix before going public?

To give vendors the opportunity to investigate the issue thoroughly

What is the primary goal of Certificate Transparency?

To increase transparency in TLS certificate registration

What is the analogy used to argue against DPI?

Comparing packets to postal mail

What happens if a vendor does not fix a vulnerability in the granted timeframe?

The finder goes public with the vulnerability

What can be accomplished with a port scanner such as nmap?

Enumerating all publicly reachable hosts and services

What is a potential consequence of not setting up strict firewall rules?

The system becomes more vulnerable to unauthorized access

Who decides whether to grant a vendor an extension of the embargo?

The finder

What is the limitation of DPI in preventing users from bypassing a firewall?

It cannot entirely prevent users from bypassing a firewall

What is the primary goal of Passive DNS services?

To increase transparency in domain name lookups

What is the purpose of a firewall in the context of perimeter security?

To allow access to specific services

What is the benefit of responsible disclosure, according to its proponents?

It gives vendors the opportunity to investigate the issue thoroughly

What is the main difference between full disclosure and responsible disclosure?

Responsible disclosure notifies the vendor, while full disclosure does not

What is the primary goal of data exfiltration prevention?

To prevent unauthorized data transfer

What is a common problem that can be exploited by attackers using the systems mentioned in the case study?

Information leakage in domain name systems

What is the nature of the cat-and-mouse game between attackers and defenders in the context of data exfiltration prevention?

A constant evolution of attacks and countermeasures

What is a consequence of TLS interception?

Decreased security of encrypted communications

What metrics are used to evaluate the accuracy of a NIDS?

True positive rate, false negative rate, false positive rate, and true negative rate

Why do even accurate NIDS generate many false positives?

Because malicious traffic is much less frequent than normal traffic

What is the base rate in the example of a hypothetical NIDS?

1 out of every 100,000 packets has a malicious payload

What is the consequence of a NIDS with a 99.9% accuracy rate in the example?

The NIDS will generate more false alarms than true alarms

What is the main issue in practical NIDS regarding false alarms and real alarms?

The imbalance is one of the most pressing issues in practical NIDS

Study Notes

Vulnerability Handling

  • An exploit is often developed to take advantage of a vulnerability, and a vendor cannot fix a vulnerability until they are aware of it.
  • Unreported vulnerabilities can remain unfixed for a long time and are referred to as 'zero days' or '0-days'.

Full Disclosure vs. Responsible Disclosure

  • There are two approaches to publishing vulnerabilities: full disclosure and responsible disclosure.
  • Full disclosure involves publicly disclosing the vulnerability without notifying the vendor in advance, which can put pressure on the vendor to release a fix quickly.
  • Responsible disclosure, also known as coordinated disclosure, involves informing the vendor first and giving them a specific timeframe to release a fix before going public.

Responsible Disclosure

  • The typical timeframe for responsible disclosure is 90 days, but vendors may request an extension.
  • The finder of the vulnerability has the discretion to grant an extension or not.
  • Responsible disclosure is not without flaws, and it can increase the effort for system administrators to contact domain owners to resolve problems.

Case Study: Reconnaissance

  • Whois is not the only system that leaks information, and attackers can use other systems like the Domain Name System to gather information.
  • Reverse DNS lookups can be used to look up hostnames given an IP address.
  • Certificate Transparency and Passive DNS can leak sensitive information to attackers, including hostnames of internal systems.
  • Port scanners can be used to enumerate all publicly reachable hosts and services.

Case Study: Perimeter Security via Firewalls

  • Firewalls can be configured to drop all packets that do not match a list of specific port numbers. This relies on the assumption that particular services listen on specific ports.
  • However, this assumption does not always hold, as services can be reconfigured to listen on arbitrary ports.
  • Firewalls can be bypassed using ports that are commonly allowed in the firewall's configuration.
  • Deep Packet Inspection (DPI) can be used to check if packets contain data for a specific service, but it is an open debate whether DPI is an acceptable practice.

Case Study: Network Intrusion Detection Systems

  • Signature-based NIDS detect threats by matching network packets to known attack patterns.
  • Anomaly-based NIDS detect deviations from normal communication patterns.
  • Neither signature-based nor anomaly-based NIDS can detect all threats, as they are limited to network communication.
  • Encrypted traffic cannot be analyzed by NIDS, but this limitation can be overcome by using TLS interception.
  • TLS interception has been called into question, as it allows administrators to eavesdrop on encrypted communication.

Evaluating NIDS Accuracy

  • The accuracy of a NIDS is evaluated using four metrics: true positive rate, false negative rate, false positive rate, and true negative rate.
  • Even very accurate NIDS generate many false positives due to the base rate fallacy: malicious traffic is far rarer than normal traffic. In the example, where only 1 out of every 100,000 packets carries a malicious payload, a NIDS with a 99.9% accuracy rate generates more false alarms than true alarms.
  • The imbalance between false alarms and real alarms is a significant issue in practical NIDS.
