Web Technologies: 1.0, 2.0, and 3.0

Questions and Answers

Which characteristic primarily differentiates Web 3.0 from Web 2.0?

• Use of semantic web technologies and AI. (correct)
• Emphasis on read-only content.
• Reliance on static HTML pages.
• Focus on community-driven content creation.

In the context of network security, what is the primary purpose of a port scan?

• To monitor network traffic for malicious activity.
• To encrypt data transmitted over the network.
• To identify which ports on a network are open and accessible. (correct)
• To prevent unauthorized access to network resources.

Why is 'port hopping' an effective technique to circumvent port-based firewalls?

• It uses non-standard ports, which are typically open on most firewalls.
• It encrypts the data being transmitted, making it unreadable.
• It randomly changes ports and protocols during a session, avoiding fixed firewall rules. (correct)
• It tunnels traffic within commonly used services like HTTP.

In a cloud computing environment, what is the customer's responsibility regarding security in an IaaS model?

Securing the operating systems, applications, and data they deploy. (B)

What is the primary function of supply chain management (SCM) software?

To manage transactions, supplier relationships, and business processes related to the supply chain. (B)

Why can storing data in a SaaS environment pose a security risk?

Data is often stored in locations not under the organization's direct control. (B)

How does compliance impact an organization's security measures?

Compliance ensures that the organization meets minimum security-related requirements based on the data they handle. (C)

What is the primary purpose of the MITRE ATT&CK framework?

To classify attacks, identify attacker objectives, and assess risk. (D)

What is the key differentiator between a 'script kiddie' and a 'cybercriminal'?

Script kiddies use existing tools to attack, whereas cybercriminals may develop their own or operate as part of a larger criminal organization. (D)

Which phase of the cyberattack lifecycle involves an attacker determining the methods to compromise a target endpoint?

Weaponization (A)

How does a worm differ from a virus?

A worm self-replicates and spreads without needing to infect a host program, while a virus does. (C)

What is the main difference between a vulnerability and an exploit?

A vulnerability is a flaw, while an exploit is the tool used to take advantage of that flaw. (D)

What best describes the immediate aftermath of a successful cyberattack on a company's network?

Transfer of sensitive data to an external server. (A)

What distinguishes a botnet from individual bots?

A botnet is a network of compromised computers controlled by an attacker, while a bot is an individual compromised device. (D)

In the context of DDoS attacks, what is the purpose of an ICMP flood (Smurf attack)?

To leverage misconfigured network devices to amplify traffic to a target. (A)

What is the defining characteristic of an Advanced Persistent Threat (APT)?

They are deliberate, long-term, targeted attacks often backed by significant resources. (D)

What is the primary risk associated with using WEP (Wired Equivalent Privacy) in Wi-Fi networks?

WEP has well-known vulnerabilities, making it easy to compromise. (D)

What is the main limitation of perimeter-based network security in modern IT environments?

It fails to account for threats originating from within the network or those that bypass the perimeter. (B)

What primarily defines the purpose of a Demilitarized Zone (DMZ) in network architecture?

To act as a buffer between a private network and an untrusted network, like the Internet. (A)

What is a core principle of the Zero Trust security model?

Assume breach. (A)

Flashcards

What is an attack vector?

A path or tool that an attacker uses to target a network.

What is VoIP?

Voice communication over an IP-based network.

What is SaaS?

A category of cloud computing services where customers are provided access to a hosted application maintained by the service provider.

What is a port scan?

A method for determining which ports on a network are open.

What is a Vanilla scan?

A basic scan that attempts to connect to all 65,536 ports one at a time.

What is a SYN Scan?

In this scan only a SYN packet is sent, and the scanner waits for a SYN-ACK response.

FTP Bounce Scan

Scanning technique that disguises the sender's location by bouncing the packet through an FTP server.

What is port hopping?

A type of attack where ports and protocols are randomly changed during a session.

Describe SaaS.

Customers are provided access to an application running on a cloud infrastructure, without managing the underlying infrastructure.

Describe PaaS.

Customers can deploy applications onto the provider's cloud infrastructure but lack control of the underlying infrastructure.

Describe IaaS.

Customers can provision processing, storage, networks, and other computing resources and deploy operating systems and applications.

Supply Chain Management (SCM)

Software that manages supply chain transactions, supplier relationships, and various business processes.

Role-Based Access Control

Custom roles designed for granular access control over the functional areas of the web interface, CLI, and XML API.

Zero-day threat

A window of vulnerability that exists from the time a new threat is released until security vendors release a patch.

What is the MITRE ATT&CK framework?

A comprehensive matrix of tactics and techniques used by threat hunters, defenders, and red teams.

What is a script kiddie?

Someone with limited hacking skills who uses malware written by others.

Network Analyzers

Monitor and capture raw network traffic (packets).

Denial-of-Service (DoS)

Attacks that aim to shut down a machine or network.

What is a botnet?

A network of bots working together.

Advanced Persistent Threats (APTs)

Threats that are deliberate, focused, and designed to cause real damage.

Study Notes

• An attack vector refers to the path or tool an attacker uses to target a network.
• Web 2.0 apps are often available as software-as-a-service or web-based applications easily installed by end users.
• Web 2.0 refers to the new era of the World Wide Web characterized by user-generated content, interaction, collaboration, and the growth of social media.
• The Internet of Things (IoT) is a network of smart objects with embedded electronics, software, sensors, and network connectivity used to collect and share data.
• Voice over IP (VoIP) is a technology that provides voice communication over an IP-based network using software as a service (SaaS).

Web 1.0 vs 2.0 vs 3.0

• Web 1.0 is typically read-only, utilizes owned content, is visual/interactive, and uses home pages.
• Web 1.0 uses web pages, HTML/HTTP/URL/Portals, and directories, focusing on the company.
• Web 2.0 is strongly read-write, has shared content, is programmable, and uses wikis and blogs.
• Web 2.0 includes web service endpoints, XML/RSS, tagging the user, and focuses on the community.
• Web 3.0 is read-write-interact, uses consolidated content, is linked data, and incorporates waves and live streams.
• Web 3.0 includes data space, RDF/RDFS/OWL, user behavior, and focuses on the individual.
• Web 2.0 apps include file sync and sharing, instant messaging (IM), microblogging, web services, and cloud-based office productivity suites.
• Enterprise 2.0 is defined by Andrew McAfee as the use of emergent social software platforms within companies or with their partners or customers.
• Enterprise 2.0 includes cloud computing, consumerization, BYOD/BYOA, mobile computing, 5G cellular wireless, and Content Delivery Networks (CDN).
• Web 3.0 technologies include AI/machine learning, blockchain, data mining, mixed reality, and natural language.

Port Scanning

• Port scanning determines which ports on a network are open, numbered from 0 to 65535.
• Ports 0 to 1023 are "well-known ports" assigned by the Internet Assigned Numbers Authority (IANA).
• Port 20 (udp) is used for File Transfer Protocol (FTP) data transfer.
• Port 22 (tcp) is the Secure Shell (SSH) protocol for secure logins, ftp, and port forwarding.
• Port 23 (tcp) is the Telnet protocol for unencrypted text communications.
• Port 53 (udp) translates names of all computers on the internet to IP addresses using the Domain Name System (DNS).
• Port 80 (tcp) is the World Wide Web HTTP port.
• SYN Scan is referred to as a half-open scan, sending a SYN and waiting for a SYN-ACK response.
• XMAS and FIN Scans gather information without being logged by the target system.
• FTP Bounce Scan disguises the sender's location by bouncing the packet through an FTP server.
• Sweep scan pings the same port across computers to identify which ones are active.

Circumventing Port-Based Firewalls

• Exploitation of vulnerabilities in core business applications is a common attack vector.
• Port hopping randomly changes ports and protocols during a session.
• Non-standard ports utilize unconventional ports like running Yahoo! Messenger over TCP port 80 (HTTP).
• Tunneling within commonly used services involves P2P file sharing or instant messaging over HTTP.
• Hiding within SSL encryption which masks application traffic, is common, often over TCP port 443 (HTTPS).

Cloud Computing Service Models

• SaaS or Software as a service provides customers access to applications running on a cloud infrastructure, without managing the underlying infrastructure.
• PaaS or Platform as a service allows customers to deploy supported applications onto the provider's cloud infrastructure, controlling deployed applications and configurations.
• IaaS or Infrastructure as a service allows customers to provision processing, storage, networks, and other computing resources, controlling operating systems, storage, and deployed applications.

Supply Chain Management

• Supply chain management (SCM) software manages supply chain transactions, supplier relationships, and business processes.

Vulnerabilities in SaaS

• Data can be located in enterprise networks, out of the organization's control.
• "Role Based" allows custom roles to configure granular access control over web interface, CLI, XML, or API.
• "Dynamic" includes built-in roles which provides access to the firewall and auto updates when new features are added.
• Control data sharing from SaaS applications to stop SaaS-borne malware threats.

Governance, Regulation, and Compliance

• Compliance is based on data type and regulations, ensuring the organization meets minimum security requirements.
• Security involves technological programs, tools, and processes protecting business information and technology assets.
• Health Insurance Portability and Accountability Act (HIPAA) defines protected health information (PHI).
• Personally identifiable information (PII) is any information about an individual maintained by an agency.

MITRE ATT&CK

• The MITRE ATT&CK framework classifies attacks, identifies attribution/objective, and assesses risk.
• Common Vulnerabilities and Exposures (CVE) is a system for referencing vulnerabilities.
• The Common Vulnerability Scoring System (CVSS) enumerates vulnerabilities and generates a severity score.

Attacker Profiles

• Hackers circumvent computer security with malicious intent.
• Script kiddies use others' malware to attack systems.
• Cybercriminals commit data theft, embezzlement, fraud, or extortion.
• State-affiliated groups launch sophisticated, well-funded attacks.
• Hacktivists execute DoS attacks for political/social causes with website defacement/network flooding.
• Cyberterrorists use the internet to recruit, train, instruct, communicate, and spread fear.

Cyberattack Lifecycle

• Network analyzers/packet sniffers monitor and capture raw network traffic, such as tcpdump and Wireshark.
• Network vulnerability scanners probe for network vulnerabilities using password crackers, port scanners, and vulnerability scanners.
• Examples of network vulnerability scanners are Nessus and SAINT.
• Password crackers perform brute-force dictionary attacks, such as John the Ripper and THC Hydra.
• Port scanners probe for open TCP/UDP ports, like Nmap and Nessus.
• Web application vulnerability scanners scan for vulnerabilities like cross-site scripting, SQL injection, and directory traversal, such as Burp Suite and OWASP ZAP.
• Wi-Fi vulnerability scanners scan wireless networks for vulnerabilities like open access points to capture network traffic to crack wireless passwords, Aircrack-ng and Wifite.
• Attackers determine methods to compromise a target endpoint through weaponization.
• Attackers attempt to deliver a weaponized payload via email, instant messaging, or drive-by download through delivery.
• A weaponized payload must be triggered for exploitation.
• An attacker escalates privileges on the compromised endpoint for installation and establishes remote shell access/installs root kits.
• Attackers establish encrypted communication channels back to command-and-control (C2) servers to modify attack objectives.

Malware and Ransomware

• Malware is malicious software or code that takes control of, collects information from, or damages an infected endpoint.
• Viruses self-replicate by infecting a host program that executed by a user/process.
• Worms rapidly replicate across a computer network to spread.
• Trojan horses are disguised as harmless programs but give attackers full control of an endpoint.
• Ransomware locks the computer or encrypts data on an infected endpoint with an attacker-controlled encryption key.
• Anti-AV malware disables installed antivirus software.
• Logic bombs are triggered by a specified condition.
• Back doors allow attackers to bypass authentication.
• Rootkits provide privileged access to a computer; boot kits are kernel-mode variants of rootkits that attack computers that are protected by full-disk encryption.
• Spyware and adware collect information from infected endpoints, such as internet surfing behavior, login credentials, and financial account information.

Vulnerabilities vs Exploits

• An exploit takes advantage of a vulnerability in software, causing the software to perform functions or execute code on behalf of the attacker.

Chain of Events Following an Attack

• Data theft allows sensitive company data to be copied or transferred to an attacker's server.
• Shutdown involves an attacker shutting down machines or bringing down a company's network.
• Reboot involves infected computers may repeatedly shutdown and reboot.

Bots vs Botnets

• Bots are individual endpoints infected with advanced malware.
• A botnet is a coordinated network of bots under the control of attackers.

DDoS Attacks

• DoS is an attack meant to shut down a machine or network, rendering it inaccessible to intended users.
• Buffer overflow attacks send more traffic to a network address than the system can handle.
• ICMP flood leverages misconfigured network devices by sending spoofed packets, amplified by the network

APTs

• Advanced persistent threats (APTs) are deliberate and focus on causing real damage.
• Advanced attackers have skills/resources to develop cyberattack tools, access electronic surveillance equipment, satellite imagery, and human intelligence assets.
• Persistent attacks take place over years using a "low-and-slow" approach with substantial financial backing.

Wi-Fi Network Risks

• Wired Equivalent Privacy (WEP) was the wireless industry's first attempt at security, possessing well-known weaknesses.
• Evil Twin involves setting up a wireless access point bridge-to a real network.

Perimeter-Based Network Security

• Perimeter-based network security models date to the early mainframe era.

DMZ

• The DMZ network is a perimeter network providing extra security to an organization's internal network.

Trusted Network to Untrusted Network Transition

• A firewall controls traffic between trusted (corporate LAN) and untrusted (internet) networks.
• Packet filtering firewalls operate up to Layer 4, inspecting packet headers for IP address, protocol, and port number.
• Stateful packet inspection firewalls operate up to Layer 4 and maintain communication sessions.
• Application firewalls Third-generation operate up to Layer 7 and control access to specific applications/services.

North-South and East-West Zones

• North-south refers to data packets moving in and out of the virtualized environment from the host network.
• East-west refers to data packets moving between virtual workloads within the private cloud.

Zero Trust

• The Zero Trust security model removes the assumption of trust.
• It ensures all resources are accessed securely, regardless of location.
• It adopts a least privilege strategy and strictly enforces access control.
• Compliance to Inspect and log all traffic by always verifying adequate protection with strict enforcement.

Integration of Services

• With network security, integrate threat intelligence natively, protecting against known/unknown threats, automated, and delivering persistent protection to provide full visibility into activity on the network, endpoint, and cloud.