Cisco CCNP Security Core - SCOR 350-701 Official Certification Guide PDF
Summary
This document describes the Cisco CCNP Security Core SCOR 350-701 certification exam. It covers various security domains, including network security, cloud security, and endpoint protection. The guide outlines exam objectives, providing details on the topics tested. The guide also lists the different security concentration exams available.
Full Transcript
Introduction

The Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) exam is the required “core” exam for the CCNP Security and CCIE Security certifications. If you pass the SCOR 350-701 exam, you also obtain the Cisco Certified Specialist–Security Core Certification. This exam covers core security technologies, including cybersecurity fundamentals, network security, cloud security, identity management, secure network access, endpoint protection and detection, and visibility and enforcement. The Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) is a 120-minute exam.

TIP You can review the exam blueprint from Cisco’s website at https://learningnetwork.cisco.com/s/scor-exam-topics.

This book gives you the foundation and covers the topics necessary to start your CCNP Security or CCIE Security journey.

The CCNP Security Certification

The CCNP Security certification is one of the industry’s most respected certifications. In order for you to earn the CCNP Security certification, you must pass two exams: the SCOR exam covered in this book (which covers core security technologies) and one security concentration exam of your choice, so you can customize your certification to your technical area of focus.

TIP The SCOR core exam is also the qualifying exam for the CCIE Security certification. Passing this exam is the first step toward earning both of these certifications.

The following are the CCNP Security concentration exams:

- Securing Networks with Cisco Firepower (SNCF 300-710)
- Implementing and Configuring Cisco Identity Services Engine (SISE 300-715)
- Securing Email with Cisco Email Security Appliance (SESA 300-720)
- Securing the Web with Cisco Web Security Appliance (SWSA 300-725)
- Implementing Secure Solutions with Virtual Private Networks (SVPN 300-730)
- Automating Cisco Security Solutions (SAUTO 300-735)

TIP CCNP Security now includes automation and programmability to help you scale your security infrastructure.
If you pass the Developing Applications Using Cisco Core Platforms and APIs v1.0 (DEVCOR 350-901) exam, the SCOR exam, and the Automating Cisco Security Solutions (SAUTO 300-735) exam, you will achieve the CCNP Security and DevNet Professional certifications with only three exams. Every exam earns an individual Specialist certification, allowing you to get recognized for each of your accomplishments, instead of waiting until you pass all the exams.

There are no formal prerequisites for CCNP Security. In other words, you do not have to pass the CCNA Security or any other certifications in order to take CCNP-level exams. The same goes for the CCIE exams. On the other hand, CCNP candidates often have three to five years of experience in IT and cybersecurity.

Cisco considers ideal candidates to be those that possess the following:

- Knowledge of implementing and operating core security technologies
- Understanding of cloud security
- Hands-on experience with Cisco Secure Firewalls, intrusion prevention systems (IPSs), and other network infrastructure devices
- Understanding of content security, endpoint protection and detection, and secure network access, visibility, and enforcement
- Understanding of cybersecurity concepts with hands-on experience in implementing security controls

The CCIE Security Certification

The CCIE Security certification is one of the most admired and elite certifications in the industry. The CCIE Security program prepares you to be a recognized technical leader. In order to earn the CCIE Security certification, you must pass the SCOR 350-701 exam and an 8-hour, hands-on lab exam. The lab exam covers very complex network security scenarios. These scenarios range from designing through deploying, operating, and optimizing security solutions.
Cisco considers ideal candidates to be those who possess the following:

- Extensive hands-on experience with Cisco’s security portfolio
- Experience deploying Cisco Secure Firewalls and IPS devices
- Experience with cloud security solutions
- Deep understanding of secure connectivity and segmentation solutions
- Hands-on experience with infrastructure device hardening and infrastructure security
- Configuring and troubleshooting identity management, information exchange, and access control
- Deep understanding of advanced threat protection and content security

The Exam Objectives (Domains)

The Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) exam is broken down into six major domains. The contents of this book cover each of the domains and the subtopics included in them, as illustrated in the following descriptions.

The following table breaks down each of the domains represented in the exam.

| Domain | Percentage of Representation in Exam |
|---|---|
| 1: Security Concepts | 25% |
| 2: Network Security | 20% |
| 3: Securing the Cloud | 15% |
| 4: Content Security | 15% |
| 5: Endpoint Protection and Detection | 10% |
| 6: Secure Network Access, Visibility, and Enforcement | 15% |
| Total | 100% |

Here are the details of each domain:

Domain 1: Monitoring and Reporting: This domain is covered in Chapters 1, 2, 3, and 8.
1.1 Explain common threats against on-premises and cloud environments
  1.1.a On-premises: viruses, trojans, DoS/DDoS attacks, phishing, rootkits, man-in-the-middle attacks, SQL injection, cross-site scripting, malware
  1.1.b Cloud: data breaches, insecure APIs, DoS/DDoS, compromised credentials
1.2 Compare common security vulnerabilities such as software bugs, weak and/or hardcoded passwords, SQL injection, missing encryption, buffer overflow, path traversal, cross-site scripting/forgery
1.3 Describe functions of the cryptography components such as hashing, encryption, PKI, SSL, IPsec, NAT-T IPv4 for IPsec, pre-shared key, and certificate-based authorization
1.4 Compare site-to-site VPN and remote access VPN deployment types such as sVTI, IPsec, Cryptomap, DMVPN, FLEXVPN, including high availability considerations, and AnyConnect
1.5 Describe security intelligence authoring, sharing, and consumption
1.6 Explain the role of the endpoint in protecting humans from phishing and social engineering attacks
1.7 Explain northbound and southbound APIs in the SDN architecture
1.8 Explain DNAC APIs for network provisioning, optimization, monitoring, and troubleshooting
1.9 Interpret basic Python scripts used to call Cisco Security appliances APIs

Domain 2: Network Security: This domain is covered primarily in Chapters 5, 6, and 7.
2.1 Compare network security solutions that provide intrusion prevention and firewall capabilities
2.2 Describe deployment models of network security solutions and architectures that provide intrusion prevention and firewall capabilities
2.3 Describe the components, capabilities, and benefits of NetFlow and Flexible NetFlow records
2.4 Configure and verify network infrastructure security methods (router, switch, wireless)
  2.4.a Layer 2 methods (network segmentation using VLANs; Layer 2 and port security; DHCP snooping; Dynamic ARP inspection; storm control; PVLANs to segregate network traffic; and defenses against MAC, ARP, VLAN hopping, STP, and DHCP rogue attacks)
  2.4.b Device hardening of network infrastructure security devices (control plane, data plane, and management plane)
2.5 Implement segmentation, access control policies, AVC, URL filtering, and malware protection
2.6 Implement management options for network security solutions such as intrusion prevention and perimeter security (single vs. multidevice manager, in-band vs. out-of-band, CDP, DNS, SCP, SFTP, and DHCP security and risks)
2.7 Configure AAA for device and network access (authentication and authorization, TACACS+, RADIUS and RADIUS flows, accounting, and dACL)
2.8 Configure secure network management of perimeter security and infrastructure devices such as SNMPv3, NETCONF, RESTCONF, APIs, secure syslog, and NTP with authentication
2.9 Configure and verify site-to-site VPN and remote access VPN
  2.9.a Site-to-site VPN utilizing Cisco routers and IOS
  2.9.b Remote-access VPN using Cisco AnyConnect Secure Mobility client
  2.9.c Debug commands to view IPsec tunnel establishment and troubleshooting

Domain 3: Securing the Cloud: This domain is covered primarily in Chapter 9.
3.1 Identify security solutions for cloud environments
  3.1.a Public, private, hybrid, and community clouds
  3.1.b Cloud service models: SaaS, PaaS, and IaaS (NIST 800-145)
3.2 Compare the customer vs. provider security responsibility for the different cloud service models
  3.2.a Patch management in the cloud
  3.2.b Security assessment in the cloud
  3.2.c Cloud-delivered security solutions such as firewall, management, proxy, security intelligence, and CASB
3.3 Describe the concept of DevSecOps (CI/CD pipeline, container orchestration, and security)
3.4 Implement application and data security in cloud environments
3.5 Identify security capabilities, deployment models, and policy management to secure the cloud
3.6 Configure cloud logging and monitoring methodologies
3.7 Describe application and workload security concepts

Domain 4: Content Security: This domain is covered primarily in Chapter 10.

4.1 Implement traffic redirection and capture methods
4.2 Describe web proxy identity and authentication, including transparent user identification
4.3 Compare the components, capabilities, and benefits of local and cloud-based email and web solutions (ESA, CES, WSA)
4.4 Configure and verify web and email security deployment methods to protect on-premises and remote users (inbound and outbound controls and policy management)
4.5 Configure and verify email security features such as SPAM filtering, antimalware filtering, DLP, blacklisting, and email encryption
4.6 Configure and verify secure Internet gateway and web security features such as blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, and TLS decryption
4.7 Describe the components, capabilities, and benefits of Cisco Umbrella
4.8 Configure and verify web security controls on Cisco Umbrella (identities, URL content settings, destination lists, and reporting)

Domain 5: Endpoint Protection and Detection:
This domain is covered primarily in Chapter 11.

5.1 Compare Endpoint Protection Platforms (EPPs) and Endpoint Detection & Response (EDR) solutions
5.2 Explain antimalware, retrospective security, Indicator of Compromise (IOC), antivirus, dynamic file analysis, and endpoint-sourced telemetry
5.3 Configure and verify outbreak control and quarantines to limit infection
5.4 Describe justifications for endpoint-based security
5.5 Describe the value of endpoint device management and asset inventory such as MDM
5.6 Describe the uses and importance of a multifactor authentication (MFA) strategy
5.7 Describe endpoint posture assessment solutions to ensure endpoint security
5.8 Explain the importance of an endpoint patching strategy

Domain 6: Secure Network Access, Visibility, and Enforcement: This domain is covered primarily in Chapters 4 and 5.

6.1 Describe identity management and secure network access concepts such as guest services, profiling, posture assessment, and BYOD
6.2 Configure and verify network access device functionality such as 802.1X, MAB, and WebAuth
6.3 Describe network access with CoA
6.4 Describe the benefits of device compliance and application control
6.5 Explain exfiltration techniques (DNS tunneling, HTTPS, email, FTP/SSH/SCP/SFTP, ICMP, Messenger, IRC, and NTP)
6.6 Describe the benefits of network telemetry
6.7 Describe the components, capabilities, and benefits of these security products and solutions:
  6.7.a Cisco Secure Network Analytics
  6.7.b Cisco Stealthwatch Cloud
  6.7.c Cisco pxGrid
  6.7.d Cisco Umbrella Investigate
  6.7.e Cisco Cognitive Threat Analytics
  6.7.f Cisco Encrypted Traffic Analytics
  6.7.g Cisco AnyConnect Network Visibility Module (NVM)

Steps to Pass the SCOR Exam

There are no prerequisites for the SCOR exam. However, students must have an understanding of networking and cybersecurity concepts.
Signing Up for the Exam

The steps required to sign up for the Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) exam:

1. Create a Certiport account at https://www.certiport.com/portal/SSL/Login.aspx.
2. Once you have logged in, make sure that “Test Candidate” from the drop-down menu is selected.
3. Click on the Shop Available Exams button.
4. Select the Schedule exam button under the exam you wish to take.
5. Verify your information and continue throughout the next few screens.
6. On the Enter payment and billing page, click on Add Voucher or Promo Code button if applicable. Enter the voucher number or promo/discount code in the field below and click the Apply button.
7. Continue through the next two screens to finish scheduling your exam.

Facts About the Exam

The exam is a computer-based test. The exam consists of multiple-choice questions only. You must bring a government-issued identification card. No other forms of ID will be accepted.

You can take the exam at a Pearson Vue center or online via the OnVUE platform. Visit the OnVUE page for your exam program: https://home.pearsonvue.com/Test-takers/OnVUE-online-proctoring/View-all.aspx. Once there, navigate to the FAQs section of the page, where you’ll find helpful information on everything from scheduling your exam to system requirements, testing policies, and more.

TIP Refer to the Cisco Certification site at https://cisco.com/go/certifications for more information regarding this, and other, Cisco certifications.

About the CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

This book maps directly to the topic areas of the SCOR exam and uses a number of features to help you understand the topics and prepare for the exam.
Objectives and Methods

This book uses several key methodologies to help you discover the exam topics that need more review, to help you fully understand and remember those details, and to help you prove to yourself that you have retained your knowledge of those topics. This book does not try to help you pass the exam only by memorization; it seeks to help you to truly learn and understand the topics. This book is designed to help you pass the Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) exam by using the following methods:

- Helping you discover which exam topics you have not mastered
- Providing explanations and information to fill in your knowledge gaps
- Supplying exercises that enhance your ability to recall and deduce the answers to test questions
- Providing practice exercises on the topics and the testing process via test questions on the companion website

Book Features

To help you customize your study time using this book, the core chapters have several features that help you make the best use of your time:

- Foundation Topics: These are the core sections of each chapter. They explain the concepts for the topics in that chapter.
- Exam Preparation Tasks: After the “Foundation Topics” section of each chapter, the “Exam Preparation Tasks” section lists a series of study activities that you should do at the end of the chapter:
  - Review All Key Topics: The Key Topic icon appears next to the most important items in the “Foundation Topics” section of the chapter. The Review All Key Topics activity lists the key topics from the chapter, along with their page numbers. Although the contents of the entire chapter could be on the exam, you should definitely know the information listed in each key topic, so you should review these.
  - Define Key Terms: Although the Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) exam may be unlikely to ask a question such as “Define this term,” the exam does require that you learn and know a lot of cybersecurity terminology. This section lists the most important terms from the chapter, asking you to write a short definition and compare your answer to the glossary at the end of the book.
  - Review Questions: Confirm that you understand the content you just covered by answering these questions and reading the answer explanations.
- Web-based practice exam: The companion website includes the Pearson Cert Practice Test engine, which allows you to take practice exam questions. Use it to prepare with a sample exam and to pinpoint topics where you need more study.

How This Book Is Organized

This book contains 11 core chapters—Chapters 1 through 11. Chapter 12 includes preparation tips and suggestions for how to approach the exam. Each core chapter covers a subset of the topics on the Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) exam. The core chapters map to the SCOR topic areas and cover the concepts and technologies you will encounter on the exam.

The Companion Website for Online Content Review

All the electronic review elements, as well as other electronic components of the book, exist on this book’s companion website.

To access the companion website, which gives you access to the electronic content with this book, start by establishing a login at www.ciscopress.com and registering your book. To do so, simply go to www.ciscopress.com/register and enter the ISBN of the print book: 9780138221263. After you have registered your book, go to your account page and click the Registered Products tab. From there, click the Access Bonus Content link to get access to the book’s companion website.
Note that if you buy the Premium Edition eBook and Practice Test version of this book from Cisco Press, your book will automatically be registered on your account page. Simply go to your account page, click the Registered Products tab, and select Access Bonus Content to access the book’s companion website.

Please note that many of our companion content files can be very large, especially image and video files.

If you are unable to locate the files for this title by following the steps above, please visit www.pearsonITcertification.com/contact and select the Site Problems/Comments option. Our customer service representatives will assist you.

How to Access the Pearson Test Prep (PTP) App

You have two options for installing and using the Pearson Test Prep application: a web app and a desktop app. To use the Pearson Test Prep application, start by finding the registration code that comes with the book. You can find the code in these ways:

- Print book or bookseller eBook versions: You can get your access code by registering the print ISBN (9780138221263) on ciscopress.com/register. Make sure to use the print book ISBN regardless of whether you purchased an eBook or the print book. Once you register the book, your access code will be populated on your account page under the Registered Products tab. Instructions for how to redeem the code are available on the book’s companion website by clicking the Access Bonus Content link.
- Premium Edition: If you purchase the Premium Edition eBook and Practice Test directly from the Cisco Press website, the code will be populated on your account page after purchase. Just log in at ciscopress.com, click Account to see details of your account, and click the digital purchases tab.

NOTE After you register your book, your code can always be found in your account under the Registered Products tab.
Once you have the access code, to find instructions about both the PTP web app and the desktop app, follow these steps:

Step 1. Open this book’s companion website, as shown earlier in this Introduction under the heading “The Companion Website for Online Content Review.”
Step 2. Click the Practice Exams button.
Step 3. Follow the instructions listed there both for installing the desktop app and for using the web app.

Note that if you want to use the web app only at this point, just navigate to pearsontestprep.com, log in using the same credentials used to register your book or purchase the Premium Edition, and register this book’s practice tests using the registration code you just found. The process should take only a couple of minutes.

Customizing Your Exams

Once you are in the exam settings screen, you can choose to take exams in one of three modes:

- Study mode: Allows you to fully customize your exams and review answers as you are taking the exam. This is typically the mode you would use first to assess your knowledge and identify information gaps.
- Practice Exam mode: Locks certain customization options, as it is presenting a realistic exam experience. Use this mode when you are preparing to test your exam readiness.
- Flash Card mode: Strips out the answers and presents you with only the question stem. This mode is great for late-stage preparation when you really want to challenge yourself to provide answers without the benefit of seeing multiple-choice options. This mode does not provide the detailed score reports that the other two modes do, so you should not use it if you are trying to identify knowledge gaps.

In addition to these three modes, you will be able to select the source of your questions. You can choose to take exams that cover all of the chapters or you can narrow your selection to just a single chapter or the chapters that make up specific parts in the book. All chapters are selected by default.
If you want to narrow your focus to individual chapters, simply deselect all the chapters and then select only those on which you wish to focus in the Objectives area.

You can also select the exam banks on which to focus. Each exam bank comes complete with a full exam of questions that cover topics in every chapter. The two exams printed in the book are available to you as well as two additional exams of unique questions. You can have the test engine serve up exams from all four banks or just from one individual bank by selecting the desired banks in the exam bank area.

There are several other customizations you can make to your exam from the exam settings screen, such as the time of the exam, the number of questions served up, whether to randomize questions and answers, whether to show the number of correct answers for multiple-answer questions, and whether to serve up only specific types of questions. You can also create custom test banks by selecting only questions that you have marked or questions on which you have added notes.

Updating Your Exams

If you are using the online version of the Pearson Test Prep software, you should always have access to the latest version of the software as well as the exam data. If you are using the Windows desktop version, every time you launch the software while connected to the Internet, it checks if there are any updates to your exam data and automatically downloads any changes that were made since the last time you used the software.

Sometimes, due to many factors, the exam data may not fully download when you activate your exam. If you find that figures or exhibits are missing, you may need to manually update your exams. To update a particular exam you have already activated and downloaded, simply click the Tools tab and click the Update Products button.
Again, this is only an issue with the desktop Windows application.

If you wish to check for updates to the Pearson Test Prep exam engine software, Windows desktop version, simply click the Tools tab and click the Update Application button. This ensures that you are running the latest version of the software engine.

CHAPTER 1

Cybersecurity Fundamentals

This chapter covers the following topics:

- Introduction to Cybersecurity: Cybersecurity programs recognize that organizations must be vigilant, resilient, and ready to protect and defend every ingress and egress connection as well as organizational data wherever it is stored, transmitted, or processed. In this chapter, you will learn concepts of cybersecurity and information security.
- Defining What Are Threats, Vulnerabilities, and Exploits: Describe the difference between cybersecurity threats, vulnerabilities, and exploits.
- Exploring Common Threats: Describe and understand the most common cybersecurity threats.
- Common Software and Hardware Vulnerabilities: Describe and understand the most common software and hardware vulnerabilities.
- Confidentiality, Integrity, and Availability: The CIA triad is a concept that was created to define security policies to protect assets. The idea is that confidentiality, integrity and availability should be guaranteed in any system that is considered secured.
- Cloud Security Threats: Learn about different cloud security threats and how cloud computing has changed traditional IT and is introducing several security challenges and benefits at the same time.
- IoT Security Threats: The proliferation of connected devices is introducing major cybersecurity risks in today’s environment.
- An Introduction to Digital Forensics and Incident Response: You will learn the concepts of digital forensics and incident response (DFIR) and cybersecurity operations.
This chapter starts by introducing you to different cybersecurity concepts that are foundational for any individual starting a career in cybersecurity or network security. You will learn the difference between cybersecurity threats, vulnerabilities, and exploits. You will also explore the most common cybersecurity threats, as well as common software and hardware vulnerabilities. You will learn the details about the CIA triad—confidentiality, integrity, and availability. In this chapter, you will learn about different cloud security and IoT security threats. This chapter concludes with an introduction to DFIR and security operations.

The following SCOR 350-701 exam objectives are covered in this chapter:

1.1 Explain common threats against on-premises and cloud environments
  1.1.a On-premises: viruses, Trojans, DoS/DDoS attacks, phishing, rootkits, man-in-the-middle attacks, SQL injection, cross-site scripting, malware
  1.1.b Cloud: data breaches, insecure APIs, DoS/DDoS, compromised credentials
1.2 Compare common security vulnerabilities such as software bugs, weak and/or hardcoded passwords, SQL injection, missing encryption, buffer overflow, path traversal, cross-site scripting/forgery
1.5 Describe security intelligence authoring, sharing, and consumption
1.6 Explain the role of the endpoint in protecting humans from phishing and social engineering attacks

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 1-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions.
You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.” Table 1-1 “Do I Know This Already?” Section-to-Question Mapping Foundation Topics Section Questions Introduction to Cybersecurity 1 Defining What Are Threats, Vulnerabilities, and Exploits 2–6 Common Software and Hardware Vulnerabilities 7–10 Confidentiality, Integrity, and Availability 11–13 Cloud Security Threats 14–15 IoT Security Threats 16–17 An Introduction to Digital Forensics and Incident Response 18 CAUTION The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you incorrectly guess skews your self-assessment results and might provide you with a false sense of security. 1. Which of the following is a collection of industry standards and best practices to help organizations manage cybersecurity risks? a. MITRE b. NIST Cybersecurity Framework c. ISO Cybersecurity Framework d. CERT/cc From the Library of William Timothy Ray Murray 4 CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide 2. _________ is any potential danger to an asset. a. Vulnerability b. Threat c. Exploit d. None of these answers are correct. 3. A ___________ is a weakness in the system design, implementation, software, or code, or the lack of a mechanism. a. Vulnerability b. Threat c. Exploit d. None of these answers are correct. 4. Which of the following is a piece of software, a tool, a technique, or a process that takes advantage of a vulnerability that leads to access, privilege escalation, loss of integrity, or denial of service on a computer system? a. Exploit b. Reverse shell c. Searchsploit d. None of these answers are correct. 5. 
Which of the following is referred to as the knowledge about an existing or emerging threat to assets, including networks and systems? a. Exploits b. Vulnerabilities c. Threat assessment d. Threat intelligence 6. Which of the following are examples of malware attack and propagation mechanisms? a. Master boot record infection b. File infector c. Macro infector d. All of these answers are correct. 7. Vulnerabilities are typically identified by a ___________. a. CVE b. CVSS c. PSIRT d. None of these answers are correct. 8. SQL injection attacks can be divided into which of the following categories? a. Blind SQL injection b. Out-of-band SQL injection c. In-band SQL injection d. All of these answers are correct. From the Library of William Timothy Ray Murray Chapter 1: Cybersecurity Fundamentals 5 9. Which of the following is a type of vulnerability where the flaw is in a web application but the attack is against an end user (client)? 1 a. XXE b. HTML injection c. SQL injection d. XSS 10. Which of the following is a way for an attacker to perform a session hijack attack? a. Predicting session tokens b. Session sniffing c. Man-in-the-middle attack d. Man-in-the-browser attack e. All of these answers are correct. 11. A denial-of-service attack impacts which of the following? a. Integrity b. Availability c. Confidentiality d. None of these answers are correct. 12. Which of the following are examples of security mechanisms designed to preserve confidentiality? a. Logical and physical access controls b. Encryption c. Controlled traffic routing d. All of these answers are correct. 13. An attacker is able to manipulate the configuration of a router by stealing the adminis- trator credential. This attack impacts which of the following? a. Integrity b. Session keys c. Encryption d. None of these answers are correct. 14. Which of the following is a cloud deployment model? a. Public cloud b. Community cloud c. Private cloud d. All of these answers are correct. 15. 
Which of the following cloud models include all phases of the system development life cycle (SDLC) and can use application programming interfaces (APIs), website portals, or gateway software?
a. SaaS
b. PaaS
c. SDLC containers
d. None of these answers are correct.

16. Which of the following is not a communications protocol used in IoT environments?
a. Zigbee
b. INSTEON
c. LoRaWAN
d. 802.1X

17. Which of the following is an example of tools and methods to hack IoT devices?
a. UART debuggers
b. JTAG analyzers
c. IDA
d. Ghidra
e. All of these answers are correct.

18. Which of the following is an adverse event that threatens business security and/or disrupts service?
a. An incident
b. An IPS alert
c. A DLP alert
d. A SIEM alert

Foundation Topics

Introduction to Cybersecurity

In today’s highly interconnected world, our individual and collective actions can have a profound impact, either for good or for ill. It is in this context that cybersecurity plays a crucial role, safeguarding not only our personal data but also our economy, critical infrastructure, and national security against the risks posed by inadvertent or intentional misuse, compromise, or destruction of information and information systems.

However, the scope of cybersecurity risk extends beyond just data breaches to encompass the entire organization’s operations that rely on digitization and accessibility, making it more crucial than ever for businesses to develop an effective cybersecurity program. It is no longer sufficient to delegate this responsibility solely to the IT team; rather, every individual within an organization must take an active role in mitigating these risks, from entry-level employees to the board of directors.

Developing and maintaining robust cybersecurity measures are vital aspects of organizational strategy in today’s digital landscape.
By doing so, we can ensure that our information systems remain secure and that our collective actions lead to positive outcomes for all.

Cybersecurity vs. Information Security (InfoSec)

Many individuals confuse traditional information security with cybersecurity. In the past, information security programs and policies were designed to protect the confidentiality, integrity, and availability of data within the confines of an organization. Unfortunately, this is no longer sufficient. Organizations are rarely self-contained, and the price of interconnectivity is exposure to attack. Every organization, regardless of size or geographic location, is a potential target. Cybersecurity is the process of protecting information by preventing, detecting, and responding to attacks.

Cybersecurity programs recognize that organizations must be vigilant, resilient, and ready to protect and defend every ingress and egress connection as well as organizational data wherever it is stored, transmitted, or processed. Cybersecurity programs and policies expand and build upon traditional information security programs, but also include the following:
- Cyber risk management and oversight
- Threat intelligence and information sharing
- Third-party organization, software, and hardware dependency management
- Incident response and resiliency
- Threat hunting and adversarial emulation

The NIST Cybersecurity Framework

The National Institute of Standards and Technology (NIST) is a well-known organization that is part of the U.S. Department of Commerce. NIST is a nonregulatory federal agency within the U.S. Commerce Department’s Technology Administration. NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve quality of life. The Computer Security Division (CSD) is one of seven divisions within NIST’s Information Technology Laboratory.
NIST’s Cybersecurity Framework is a collection of industry standards and best practices to help organizations manage cybersecurity risks. This framework is created in collaboration among the United States government, corporations, and individuals. The NIST Cybersecurity Framework can be accessed at https://www.nist.gov/cyberframework.

The NIST Cybersecurity Framework is developed with a common taxonomy, and one of the main goals is to address and manage cybersecurity risk in a cost-effective way to protect critical infrastructure. Although designed for a specific constituency, the requirements can serve as a security blueprint for any organization.

Additional NIST Guidance and Documents

Currently, there are more than 500 NIST information security–related documents. This number includes FIPS, the SP 800 series, information, Information Technology Laboratory (ITL) bulletins, and NIST interagency reports (NIST IR):
- Federal Information Processing Standards (FIPS): This is the official publication series for standards and guidelines.
- Special Publication (SP) 800 series: This series reports on ITL research, guidelines, and outreach efforts in information system security and its collaborative activities with industry, government, and academic organizations. SP 800 series documents can be downloaded from https://csrc.nist.gov/publications/sp800.
- Special Publication (SP) 1800 series: This series focuses on cybersecurity practices and guidelines. SP 1800 series documents can be downloaded from https://csrc.nist.gov/publications/sp1800.
- NIST Internal or Interagency Reports (NISTIR): These reports focus on research findings, including background information for FIPS and SPs.
- ITL bulletins: Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Bulletins are issued on an as-needed basis.
From access controls to wireless security, the NIST publications are truly a treasure trove of valuable and practical guidance.

The International Organization for Standardization (ISO)

ISO is a network of national standards institutes of more than 160 countries. ISO has developed more than 13,000 international standards on a variety of subjects, ranging from country codes to passenger safety.

The ISO/IEC 27000 series (also known as the ISMS Family of Standards, or ISO27k for short) comprises information security standards published jointly by the ISO and the International Electrotechnical Commission (IEC).

The first six documents in the ISO/IEC 27000 series provide recommendations for “establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System”:
- ISO 27001 is the specification for an Information Security Management System (ISMS).
- ISO 27002 describes the Code of Practice for information security management.
- ISO 27003 provides detailed implementation guidance.
- ISO 27004 outlines how an organization can monitor and measure security using metrics.
- ISO 27005 defines the high-level risk management approach recommended by ISO.
- ISO 27006 outlines the requirements for organizations that will measure ISO 27000 compliance for certification.

In all, there are more than 20 documents in the series, and several more are still under development. The framework is applicable to public and private organizations of all sizes. According to the ISO website, “the ISO standard gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization.
It is intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.”

Defining What Are Threats, Vulnerabilities, and Exploits

In the following sections you will learn about the characteristics of threats, vulnerabilities, and exploits.

What Is a Threat?

A threat is any potential danger to an asset. If a vulnerability exists but has not yet been exploited—or, more importantly, it is not yet publicly known—the threat is latent and not yet realized. If someone is actively launching an attack against your system and successfully accesses something or compromises your security against an asset, the threat is realized. The entity that takes advantage of the vulnerability is known as the malicious actor, and the path used by this actor to perform the attack is known as the threat agent or threat vector.

What Is a Vulnerability?

A vulnerability is a weakness in the system design, implementation, software, or code, or the lack of a mechanism. A specific vulnerability might manifest as anything from a weakness in system design to the implementation of an operational procedure. The correct implementation of safeguards and security countermeasures could mitigate a vulnerability and reduce the risk of exploitation.

Vulnerabilities and weaknesses are common, mainly because there isn’t any perfect software or code in existence. Some vulnerabilities have limited impact and are easily mitigated; however, many have broader implications.

Vulnerabilities can be found in each of the following:
- Applications: Software and applications come with tons of functionality. Applications might be configured for usability rather than for security. Applications might need a patch or update that may or may not be available.
Attackers targeting applications have a target-rich environment to examine. Just think of all the applications running on your home or work computer.
- Operating systems: Operating system software is loaded on workstations and servers. Attackers can search for vulnerabilities in operating systems that have not been patched or updated.
- Hardware: Vulnerabilities can also be found in hardware. Mitigation of a hardware vulnerability might require patches to microcode (firmware) as well as the operating system or other system software. Good examples of historical and well-known hardware-based vulnerabilities are Spectre and Meltdown. These vulnerabilities take advantage of a feature called “speculative execution” common to most modern processor architectures. Speculative execution is used to optimize the performance of modern CPUs. Speculative execution allows the CPU to predict what code it will need to execute in the future and pre-fetch that code into the CPU’s cache. This capability can improve performance by reducing the amount of time the CPU spends waiting for data from memory. However, Spectre and Meltdown use this feature to exploit a flaw that allows an attacker to access sensitive data that should be protected by the operating system’s security measures. Spectre can be used to trick programs into leaking their own data, while Meltdown can be used to bypass the memory isolation between a program and the operating system, allowing an attacker to access sensitive data such as passwords or encryption keys.
- Misconfiguration: The configuration file and configuration setup for the device or software may be misconfigured or may be deployed in an unsecure state. This might be open ports, vulnerable services, or misconfigured network devices. Just consider wireless networking. Can you detect any wireless devices in your neighborhood that have encryption turned off?
- Shrinkwrap software: This is the application or executable file that is run on a workstation or server. When installed on a device, it can have tons of functionality or sample scripts or code available.

Vendors, security researchers, and vulnerability coordination centers typically assign vulnerabilities an identifier that’s disclosed to the public. This identifier is known as the Common Vulnerabilities and Exposures (CVE). CVE is an industry-wide standard. CVE is sponsored by US-CERT, the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Operating as DHS’s Federally Funded Research and Development Center (FFRDC), MITRE has copyrighted the CVE list for the benefit of the community in order to ensure it remains a free and open standard, as well as to legally protect the ongoing use of it and any resulting content by government, vendors, and/or users. MITRE maintains the CVE list and its public website, manages the CVE Compatibility Program, oversees the CVE Naming Authorities (CNAs), and provides impartial technical guidance to the CVE Editorial Board throughout the process to ensure CVE serves the public interest.

The goal of CVE is to make it easier to share data across tools, vulnerability repositories, and security services. More information about CVE is available at http://cve.mitre.org.

What Is an Exploit?

An exploit refers to a piece of software, a tool, a technique, or a process that takes advantage of a vulnerability that leads to access, privilege escalation, loss of integrity, or denial of service on a computer system. Exploits are dangerous because all software has vulnerabilities; hackers and perpetrators know that there are vulnerabilities and seek to take advantage of them.
Although most organizations attempt to find and fix vulnerabilities, some organizations lack sufficient funds for securing their networks. Sometimes no one may even know the vulnerability exists, and it is exploited. That is known as a zero-day exploit. Even when you do know there is a problem, you are burdened with the fact that a window exists between when a vulnerability is disclosed and when a patch is available to prevent the exploit. The more critical the server, the slower it is usually patched. Management might be afraid of interrupting the server or afraid that the patch might affect stability or performance. Finally, the time required to deploy and install the software patch on production servers and workstations exposes an organization’s IT infrastructure to an additional period of risk.

There are several places where people trade exploits for malicious intent. The most prevalent is the “dark web.” The dark web (or darknet) is an overlay of networks and systems that use the Internet but require specific software and configurations to access it. The dark web is just a small part of the “deep web.” The deep web is a collection of information and systems on the Internet that is not indexed by web search engines. Often people incorrectly confuse the term deep web with dark web.

Not all exploits are shared for malicious intent. For example, many security researchers share proof-of-concept (POC) exploits in public sites such as The Exploit Database (or Exploit-DB) and GitHub. The Exploit Database is a site maintained by Offensive Security where security researchers and other individuals post exploits for known vulnerabilities. The Exploit Database can be accessed at https://www.exploit-db.com. Figure 1-1 shows different publicly available exploits in the Exploit Database.
There is a command-line tool called searchsploit that allows you to download a copy of the Exploit Database so that you can use it on the go. Figure 1-2 shows an example of how you can use searchsploit to search for specific exploits. In the example illustrated in Figure 1-2, searchsploit is used to search for exploits related to SMB vulnerabilities.

Figure 1-1 The Exploit Database (Exploit-DB)

Figure 1-2 Using Searchsploit

Risk, Assets, Threats, and Vulnerabilities

As with any new technology topic, to better understand the security field, you must learn the terminology that is used. To be a security professional, you need to understand the relationship between risk, threats, assets, and vulnerabilities.

Risk is the probability or likelihood of the occurrence or realization of a threat. There are three basic elements of risk: assets, threats, and vulnerabilities. To deal with risk, the U.S. federal government has adopted a risk management framework (RMF). The RMF process is based on the key concepts of mission- and risk-based, cost-effective, and enterprise information system security. NIST Special Publication 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems,” transforms the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). Let’s look at the various components associated with risk, which include assets, threats, and vulnerabilities.

An asset is any item of economic value owned by an individual or corporation. Assets can be real—such as routers, servers, hard drives, and laptops—or assets can be virtual, such as formulas, databases, spreadsheets, trade secrets, and processing time.
Regardless of the type of asset discussed, if the asset is lost, damaged, or compromised, there can be an economic cost to the organization.

NOTE No organization can ever be 100 percent secure. There will always be some risk left over. This is known as residual risk, which is the amount of risk left after safeguards and controls have been put in place to protect the asset.

A threat sets the stage for risk and is any agent, condition, or circumstance that could potentially cause harm, loss, or damage, or compromise an IT asset or data asset. From a security professional’s perspective, threats can be categorized as events that can affect the confidentiality, integrity, or availability of the organization’s assets. These threats can result in destruction, disclosure, modification, corruption of data, or denial of service. Examples of the types of threats an organization can face include the following:
- Natural disasters, weather, and catastrophic damage: Hurricanes, storms, weather outages, fire, flood, earthquakes, and other natural events compose an ongoing threat.
- Threat actor attacks: An insider or outsider who is unauthorized and purposely attacks an organization’s infrastructure, components, systems, or data.
- Cyberattacks against critical infrastructure: Attacks that target critical national infrastructures such as water plants, electric plants, gas plants, oil refineries, gasoline refineries, nuclear power plants, waste management plants, and so on. Stuxnet is an example of one such tool designed for just such a purpose. You can obtain detailed information about Stuxnet and other examples of exploits used by real-life threat actors at https://attack.mitre.org/software/S0603/.
- Viruses and malware: An entire category of software tools that are malicious and are designed to damage or destroy a system or data.
- Disclosure of confidential information: Anytime a disclosure of confidential information occurs, it can be a critical threat to an organization if such disclosure causes loss of revenue, causes potential liabilities, or provides a competitive advantage to an adversary. For instance, if your organization experiences a breach and detailed customer information is exposed (for example, personally identifiable information [PII]), such a breach could have potential liabilities and loss of trust from your customers. Another example is when a threat actor steals source code or design documents and sells them to your competitors.
- Denial of service (DoS) or distributed DoS (DDoS) attacks: An attack against availability that is designed to bring the network, or access to a particular TCP/IP host/server, to its knees by flooding it with useless traffic. Today, most DoS attacks are launched via botnets, whereas in the past tools such as the Ping of Death or Teardrop may have been used. Like malware, hackers constantly develop new tools so that Storm and Mariposa, for example, are replaced with other, more current threats.

NOTE If the organization is vulnerable to any of these threats, there is an increased risk of a successful attack.

Defining Threat Actors

Threat actors are the individuals (or group of individuals) who perform an attack or are responsible for a security incident that impacts or has the potential of impacting an organization or individual.

There are several types of threat actors:
- Script kiddies: People who use existing “scripts” or tools to hack into computers and networks. They lack the expertise to write their own scripts.
- Organized crime groups: Their main purpose is to steal information, scam people, and make money.
- State sponsors and governments: These agents are interested in stealing data, including intellectual property and research-and-development data from major manufacturers, government agencies, and defense contractors.
- Hacktivists: People who carry out cybersecurity attacks aimed at promoting a social or political cause.
- Terrorist groups: These groups are motivated by political or religious beliefs.

Originally, the term hacker was used for computer enthusiasts. A hacker was a person who enjoyed understanding the internal workings of a system, computer, and computer network and who would continue to hack until he understood everything about the system. Over time, the popular press began to describe hackers as individuals who broke into computers with malicious intent. The industry responded by developing the word cracker, which is short for a criminal hacker. The term cracker was developed to describe individuals who seek to compromise the security of a system without permission from an authorized party. With all this confusion over how to distinguish the good guys from the bad guys, the term ethical hacker was coined. An ethical hacker is an individual who performs security tests and other vulnerability-assessment activities to help organizations secure their infrastructures. Sometimes ethical hackers are referred to as white hat hackers.

Hacker motives and intentions vary. Some hackers are strictly legitimate, whereas others routinely break the law. Let’s look at some common categories:
- White hat hackers: These individuals perform ethical hacking to help secure companies and organizations. Their belief is that you must examine your network in the same manner as a criminal hacker to better understand its vulnerabilities.
- Black hat hackers: These individuals perform illegal activities, such as organized crime.
- Gray hat hackers: These individuals usually follow the law but sometimes venture over to the darker side of black hat hacking. It would be unethical to employ these individuals to perform security duties for your organization because you are never quite clear where they stand.

Understanding What Threat Intelligence Is

Threat intelligence is referred to as the knowledge about an existing or emerging threat to assets, including networks and systems. Threat intelligence includes context, mechanisms, indicators of compromise (IoCs), implications, and actionable advice. Threat intelligence is referred to as the information about the observables, indicators of compromise (IoCs), intent, and capabilities of internal and external threat actors and their attacks. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence’s primary purpose is to inform business decisions regarding the risks and implications associated with threats.

Converting these definitions into common language could translate to threat intelligence being evidence-based knowledge of the capabilities of internal and external threat actors. This type of data can be beneficial for the security operations center (SOC) of any organization. Threat intelligence extends cybersecurity awareness beyond the internal network by consuming intelligence from other Internet-wide sources about possible threats to you or your organization. For instance, you can learn about threats that have impacted different external organizations. Subsequently, you can proactively prepare rather than react once the threat is seen against your network. Providing an enrichment data feed is one service that threat intelligence platforms would typically provide.

Figure 1-3 shows a five-step threat intelligence process for evaluating threat intelligence sources and information.
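The enrichment described above can be made concrete with an added example (not from the book) that matches a small indicator feed against proxy log lines. The indicators use STIX 2.1 pattern syntax, one of the sharing standards this chapter lists; the feed, the log format (src/dst/host/url fields), and all function names are assumptions, and only single-comparison patterns on IPv4 addresses, domain names, and URLs are handled.

```python
import ipaddress
import re

# Constructed indicators in STIX 2.1 pattern syntax. Addresses come from the
# RFC 5737 documentation ranges and host names from the reserved .example TLD.
INDICATORS = [
    {"name": "c2-address", "pattern": "[ipv4-addr:value = '203.0.113.45']"},
    {"name": "c2-subnet", "pattern": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']"},
    {"name": "c2-domain", "pattern": "[domain-name:value = 'update.badcdn.example']"},
    {"name": "dropper-url", "pattern": "[url:value = 'http://files.badcdn.example/a.bin']"},
    # Multi-observation pattern: outside the subset handled here, so it is reported.
    {"name": "sequence", "pattern": "[ipv4-addr:value = '203.0.113.9'] FOLLOWEDBY "
                                    "[domain-name:value = 'stage2.badcdn.example']"},
]

# Constructed proxy log lines (hypothetical key=value format).
LOG_LINES = [
    "2024-05-01T10:00:01Z src=10.1.1.20 dst=203.0.113.45 host=Update.BadCDN.example. url=http://update.badcdn.example/check",
    "2024-05-01T10:00:05Z src=10.1.1.21 dst=192.0.2.10 host=www.example.org url=http://www.example.org/",
    "2024-05-01T10:01:12Z src=10.1.1.22 dst=198.51.100.77 host=cdn.example.net url=http://cdn.example.net/lib.js",
    "2024-05-01T10:02:40Z src=10.1.1.20 dst=192.0.2.99 host=files.badcdn.example url=http://files.badcdn.example/a.bin",
    "2024-05-01T10:03:00Z src=10.1.1.23 dst=not-an-ip host=www.example.org url=http://www.example.org/",
]

SIMPLE = re.compile(
    r"^\[\s*(ipv4-addr|domain-name|url):value\s+(=|ISSUBSET)\s+'([^']+)'\s*\]$")
FIELD = re.compile(r"(\w+)=(\S+)")


def parse_pattern(pattern):
    """Return (object_type, operator, value), or None if outside the subset."""
    m = SIMPLE.match(pattern.strip())
    if not m:
        return None
    obj_type, op, value = m.groups()
    if op == "ISSUBSET" and obj_type != "ipv4-addr":
        return None
    return obj_type, op, value


def normalize_domain(name):
    """Domains compare case-insensitively and without the trailing root dot."""
    return name.rstrip(".").lower()


def compile_indicators(indicators):
    """Turn patterns into matchers; list what could not be used instead of hiding it."""
    compiled, unsupported = [], []
    for ind in indicators:
        parsed = parse_pattern(ind["pattern"])
        if parsed is None:
            unsupported.append(ind["name"])
            continue
        obj_type, op, value = parsed
        try:
            if obj_type == "ipv4-addr" and op == "ISSUBSET":
                value = ipaddress.ip_network(value, strict=False)
            elif obj_type == "ipv4-addr":
                value = ipaddress.ip_network(f"{ipaddress.ip_address(value)}/32")
            elif obj_type == "domain-name":
                value = normalize_domain(value)
        except ValueError:
            unsupported.append(ind["name"])
            continue
        compiled.append((ind["name"], obj_type, value))
    return compiled, unsupported


def observables(line):
    """Extract the source host and the observable values from one log line."""
    fields = dict(FIELD.findall(line))
    obs = {}
    if "dst" in fields:
        obs["ipv4-addr"] = fields["dst"]
    if "host" in fields:
        obs["domain-name"] = normalize_domain(fields["host"])
    if "url" in fields:
        obs["url"] = fields["url"]
    return fields.get("src", "?"), obs


def matches(compiled, obs):
    hits = []
    for name, obj_type, value in compiled:
        seen = obs.get(obj_type)
        if seen is None:
            continue
        if obj_type == "ipv4-addr":
            try:
                if ipaddress.ip_address(seen) in value:
                    hits.append(name)
            except ValueError:
                pass  # malformed address in the log: nothing to compare
        elif seen == value:
            hits.append(name)
    return hits


def scan(lines, indicators):
    """Return ([(line_number, source_host, [indicator names])], [unsupported names])."""
    compiled, unsupported = compile_indicators(indicators)
    alerts = []
    for number, line in enumerate(lines, start=1):
        src, obs = observables(line)
        hits = matches(compiled, obs)
        if hits:
            alerts.append((number, src, hits))
    return alerts, unsupported


if __name__ == "__main__":
    found, skipped = scan(LOG_LINES, INDICATORS)
    for number, src, hits in found:
        print(f"line {number}: {src} matched {', '.join(hits)}")
    print("indicators not evaluated:", ", ".join(skipped))
```

Reporting the indicators that could not be evaluated matters as much as the hits: a feed entry that is silently skipped looks the same as one that never matched.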
Figure 1-3 The Threat Intelligence Process (steps shown: Planning and Direction, Collection, Processing, Analysis and Production, Dissemination)

Many different threat intelligence platforms and services are available in the market nowadays. Cyber threat intelligence focuses on providing actionable information on adversaries, including IoCs. Threat intelligence feeds help you prioritize signals from internal systems against unknown threats. Cyber threat intelligence allows you to bring more focus to cybersecurity investigation because instead of blindly looking for “new” and “abnormal” events, you can search for specific IoCs, IP addresses, URLs, or exploit patterns.

A number of standards are being developed for disseminating threat intelligence information. The following are a few examples:
- Structured Threat Information eXpression (STIX): An express language designed for sharing of cyber-attack information. STIX details can contain data such as the IP addresses or domain names of command-and-control servers (often referred to as C2 or CnC), malware hashes, and so on. STIX was originally developed by MITRE and is now maintained by OASIS. You can obtain more information at http://stixproject.github.io.
- Trusted Automated eXchange of Indicator Information (TAXII): An open transport mechanism that standardizes the automated exchange of cyber-threat information. TAXII was originally developed by MITRE and is now maintained by OASIS. You can obtain more information at http://taxiiproject.github.io.
- Open Indicators of Compromise (OpenIOC): An open framework for sharing threat intelligence in a machine-digestible format. Learn more at http://www.openioc.org.
- Open Command and Control (OpenC2): A language for the command and control of cyber-defense technologies. OpenC2 Forum was a community of cybersecurity stakeholders that was facilitated by the U.S. National Security Agency.
OpenC2 is now an OASIS technical committee (TC) and specification. You can obtain more information at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=openc2.

NOTE The Common Security Advisory Framework (CSAF) is a standardized framework that provides a way for organizations to share security vulnerability information. Although it is not a threat-intelligence standard, it can be used to improve communication and collaboration among different organizations by providing a common language and format for sharing security vulnerability information. CSAF is designed to be flexible and adaptable to different types of organizations and security threats. It supports the Vulnerability Exploitability eXchange (VEX), which is used by government agencies, private companies, and other organizations to share real-time information about the status of a security vulnerability. You can obtain more information about CSAF and VEX at https://csaf.io.

It should be noted that many open-source and non-security-focused sources can be leveraged for threat intelligence as well. Some examples of these sources are social media, forums, blogs, and vendor websites.

TIP The following GitHub repository includes thousands of references and resources related to threat intelligence, threat hunting, ethical hacking, penetration testing, digital forensics, incident response, vulnerability research, exploit development, reverse engineering, and more: https://hackerrepo.org You will learn more about these resources throughout this book.

Viruses and Worms

One thing that makes viruses unique is that a virus typically needs a host program or file to infect. Viruses require some type of human interaction. A worm can travel from system to system without human interaction. When a worm executes, it can replicate again and infect even more systems.
For example, a worm can email itself to everyone in your address book and then repeat this process again and again from each user’s computer it infects. That massive amount of traffic can lead to a denial of service very quickly.

Spyware is closely related to viruses and worms. Spyware is considered another type of malicious software. In many ways, spyware is similar to a Trojan because most users don’t know that the program has been installed, and the program hides itself in an obscure location. Spyware steals information from the user and also eats up bandwidth. If that’s not enough, spyware can also redirect your web traffic and flood you with annoying pop-ups. Many users view spyware as another type of virus.

This section covers a brief history of computer viruses, common types of viruses, and some of the most well-known virus attacks. Also, some tools used to create viruses and the best methods of prevention are discussed.

Types and Transmission Methods

Although viruses have a history that dates back to the 1980s, their means of infection has changed over the years. Viruses depend on people to spread them. Viruses require human activity, such as booting a computer, executing an autorun on digital media (for example, CD, DVD, USB sticks, external hard drives, and so on), or opening an email attachment. Malware propagates through the computer world in several basic ways:
- Master boot record infection: This is the original method of attack. It works by attacking the master boot record of the hard drive.
- BIOS infection: This could completely make the system inoperable or the device could hang before passing Power On Self-Test (POST).
- File infection: This includes malware that relies on the user to execute the file. Extensions such as .com and .exe are usually used. Some form of social engineering is normally used to get the user to execute the program.
Techniques include renaming the program or trying to mask the .exe extension and make it appear as a graphic (.jpg, .bmp, .png, .svg, and the like).
- Macro infection: Macro viruses exploit scripting services installed on your computer. Manipulating and using macros in Microsoft Excel, Microsoft Word, and Microsoft PowerPoint documents have been very popular in the past.
- Cluster: This type of virus can modify directory table entries so that it points a user or system process to the malware and not the actual program.
- Multipartite: This style of virus can use more than one propagation method and targets both the boot sector and program files. One example is the NATAS (Satan spelled backward) virus.

NOTE Know the primary types of malware attack mechanisms: master boot record, file infector, macro infector, and others listed previously.

After your computer is infected, the malware can do any number of things. Some spread quickly. This type of virus is known as a fast infection. Fast-infection viruses infect any file that they are capable of infecting. Others limit the rate of infection. This type of activity is known as sparse infection. Sparse infection means that the virus takes its time in infecting other files or spreading its damage. This technique is used to try to help the virus avoid detection. Some viruses forgo a life of living exclusively in files and load themselves into RAM, which is the only way that boot sector viruses can spread.

As the antivirus and security companies have developed better ways to detect malware, malware authors have fought back by trying to develop malware that is harder to detect. For example, in 2012, Flame was believed to be the most sophisticated malware to date. Flame has the ability to spread to other systems over a local network.
It can record audio, screen- shots, and keyboard activity, and it can turn infected computers into Bluetooth beacons that attempt to download contact information from nearby Bluetooth-enabled devices. Another technique that malware developers have attempted is polymorphism. A polymorphic virus can change its signature every time it replicates and infects a new file. This technique makes it much harder for the antivirus program to detect it. One of the biggest changes is that mal- ware creators don’t massively spread viruses and other malware the way they used to. Much of the malware today is written for a specific target. By limiting the spread of the malware and targeting only a few victims, malware developers make finding out about the malware and creating a signature to detect it much harder for antivirus companies. When is a virus not a virus? When is the virus just a hoax? A virus hoax is nothing more than a chain letter, meme, or email that encourages you to forward it to your friends to warn them of impending doom or some other notable event. To convince readers to forward the hoax, the email will contain some official-sounding information that could be mistaken as valid. Malware Payloads Malware must place their payload somewhere. They can always overwrite a portion of the infected file, but to do so would destroy it. Most malware writers want to avoid detection for as long as possible and might not have written the program to immediately destroy files. One way the malware writer can accomplish this is to place the malware code either at the beginning or the end of the infected file. Malware known as a prepender infects programs by placing its viral code at the beginning of the infected file, whereas an appender places its code at the end of the infected file. Both techniques leave the file intact, with the malicious code added to the beginning or the end of the file. 
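Because a prepender or an appender leaves the original bytes intact, a file-integrity baseline that stores only each file's size and SHA-256 can say not just that a file changed but which end grew. The following Python sketch is an added example, not code from the book; the file names, the sample bytes, and the baseline layout are constructed for illustration.

```python
import hashlib
from typing import NamedTuple


class Finding(NamedTuple):
    verdict: str       # unchanged | appended | prepended | modified
    extra_offset: int  # offset where the added bytes start (-1 if not applicable)
    extra_length: int  # number of bytes added relative to the baseline


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(current: bytes, base_size: int, base_hash: str) -> Finding:
    """Compare a file's current bytes with its recorded size and SHA-256."""
    grown = len(current) - base_size
    if grown == 0 and sha256(current) == base_hash:
        return Finding("unchanged", -1, 0)
    if grown > 0:
        # Appender pattern: the first base_size bytes are still the original.
        if sha256(current[:base_size]) == base_hash:
            return Finding("appended", base_size, grown)
        # Prepender pattern: the last base_size bytes are still the original.
        if sha256(current[grown:]) == base_hash:
            return Finding("prepended", 0, grown)
    # Anything else (in-place patching, truncation, header edits) is still an alert.
    return Finding("modified", -1, max(grown, 0))


def audit(baseline: dict, files: dict) -> dict:
    """Classify every file that has a baseline entry of (size, sha256)."""
    return {
        name: classify(data, *baseline[name])
        for name, data in files.items()
        if name in baseline
    }


# Constructed sample data: ORIGINAL stands in for a clean program,
# ADDED is inert filler standing in for bytes that do not belong to it.
ORIGINAL = b"MZ" + bytes(range(256))
ADDED = b"\xcc" * 32
PATCHED = ORIGINAL[:100] + b"\x00" + ORIGINAL[101:]

FILES = {
    "clean.exe": ORIGINAL,
    "grown_tail.exe": ORIGINAL + ADDED,
    "grown_head.exe": ADDED + ORIGINAL,
    "patched.exe": PATCHED,
}
BASELINE = {name: (len(ORIGINAL), sha256(ORIGINAL)) for name in FILES}

if __name__ == "__main__":
    for name, finding in audit(BASELINE, FILES).items():
        print(f"{name:16} {finding.verdict:10} "
              f"offset={finding.extra_offset} added={finding.extra_length}")
```

The reported offset and length tell a responder which byte range to carve out for analysis. An infector that also edits the host file's header falls into the "modified" verdict rather than "appended" or "prepended".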
No matter the infection technique, all viruses have some basic common components, as detailed in the following list. For example, all viruses have a search routine and an infection routine.

- Search routine: The search routine is responsible for locating new files, disk space, or RAM to infect. The search routine could include “profiling.” Profiling could be used to identify the environment and morph the malware to be more effective and potentially bypass detection.
- Infection routine: The search routine is useless if the virus doesn’t have a way to take advantage of these findings. Therefore, the second component of a virus is an infection routine. This portion of the virus is responsible for copying the virus and attaching it to a suitable host. Malware could also use a re-infect/restart routine to further compromise the affected system.
- Payload: Most viruses don’t stop here and also contain a payload. The purpose of the payload routine might be to erase the hard drive, display a message to the monitor, or possibly send the virus to 50 people in your address book. Payloads are not required, and without one, many people might never know that the virus even existed.
- Antidetection routine: Many viruses might also have an antidetection routine. Its goal is to help make the virus more stealth-like and avoid detection.
- Trigger routine: The goal of the trigger routine is to launch the payload at a given date and time. The trigger can be set to perform a given action at a given time.

Trojans

Trojans are programs that pretend to do one thing but, when loaded, actually perform another, more malicious act. Trojans gain their name from Homer’s epic tale The Iliad. To defeat their enemy, the Greeks built a giant wooden horse with a trapdoor in its belly. The Greeks tricked the Trojans into bringing the large wooden horse into the fortified city of Troy. However, unknown to the Trojans and under cover of darkness, the Greeks crawled out of the wooden horse, opened the city’s gate, and allowed the waiting soldiers into the city.

A software Trojan horse is based on this same concept. A user might think that a file looks harmless and is safe to run, but after the file is executed, it delivers a malicious payload. Trojans work because they typically present themselves as something you want, such as an email with a PDF, a Word document, or an Excel spreadsheet. Trojans work hard to hide their true purposes. The spoofed email might look like it’s from HR, and the attached file might purport to be a list of pending layoffs. The payload is executed if the attacker can get the victim to open the file or click the attachment. That payload might allow a hacker remote access to your system, start a keystroke logger to record your every keystroke, plant a backdoor on your system, cause a denial of service (DoS), or even disable your antivirus protection or software firewall.

Unlike a virus or worm, Trojans cannot spread themselves. They rely on the uninformed user.

Trojan Types

A few Trojan categories are command-shell Trojans, graphical user interface (GUI) Trojans, HTTP/HTTPS Trojans, document Trojans, defacement Trojans, botnet Trojans, Virtual Network Computing (VNC) Trojans, remote-access Trojans, data-hiding Trojans, banking Trojans, DoS Trojans, FTP Trojans, software-disabling Trojans, and covert-channel Trojans. In reality, it’s hard to place some Trojans into a single type because many have more than one function. To better understand what Trojans can do, refer to the following list, which outlines a few of these types:

- Remote access: Remote-access Trojans (RATs) allow the attacker full control over the system. Poison Ivy is an example of this type of Trojan. Remote-access Trojans are usually set up as client/server programs so that the attacker can connect to the infected system and control it remotely.
- Data hiding: The idea behind this type of Trojan is to hide a user’s data. This type of malware is also sometimes known as ransomware. This type of Trojan restricts access to the computer system that it infects, and it demands a ransom paid to the creator of the malware for the restriction to be removed.
- E-banking: These Trojans (Zeus is one such example) intercept and use a victim’s banking information for financial gain. Usually, they function as a transaction authorization number (TAN) grabber, use HTML injection, or act as a form grabber. The sole purpose of these types of programs is financial gain.
- Denial of service (DoS): These Trojans are designed to cause a DoS. They can be designed to knock out a specific service or to bring an entire system offline.
- Proxy: These Trojans are designed to work as proxy programs that help a hacker hide and allow him to perform activities from the victim’s computer, not his own. After all, the farther away the hacker is from the crime, the harder it becomes to trace him.
- FTP: These Trojans are specifically designed to work on port 21. They allow the hacker or others to upload, download, or move files at will on the victim’s machine.
- Security-software disablers: These Trojans are designed to attack and kill antivirus or software firewalls. The goal of disabling these programs is to make it easier for the hacker to control the system.

Trojan Ports and Communication Methods

Trojans can communicate in several ways. Some use overt communications. These programs make no attempt to hide the transmission of data as it is moved on to or off of the victim’s computer. Most use covert communication channels. This means that the hacker goes to lengths to hide the transmission of data to and from the victim. Many Trojans that open covert channels also function as backdoors. A backdoor is any type of program that will allow a hacker to connect to a computer without going through the normal authentication process. If a hacker can get a backdoor program loaded on an internal device, the hacker can then come and go at will. Some of the programs spawn a connection on the victim’s computer connecting out to the hacker. The danger of this type of attack is the traffic moving from the inside out, which means from inside the organization to the outside Internet. This is usually the least restrictive because companies are usually more concerned about what comes in the network than they are about what leaves the network.

TIP One way an attacker can spread a Trojan is through a poison apple attack or USB key drop. Using this technique, the attacker leaves a thumb drive (USB stick) in the desk drawer of the victim or maybe in the cafeteria of the targeted company, perhaps in a key chain along with some keys and a photo of a cat to introduce a personal touch. The attacker then waits for someone to find it, insert it in the computer, and start clicking on files to see what’s there. Instead of just one bite of the apple, it’s just one click, and the damage is done!

Trojan Goals

Not all Trojans were designed for the same purpose. Some are destructive and can destroy computer systems, whereas others seek only to steal specific pieces of information. Although not all of them make their presence known, Trojans are still dangerous because they represent a loss of confidentiality, integrity, and availability. Common targets of Trojans include the following:

- Credit card data: Credit card data and banking information have become huge targets. After the hacker has this information, he can go on an online shopping spree or use the card to purchase services, such as domain name registration.
- Electronic or digital wallets: Individuals can use an electronic device or online service that allows them to make electronic transactions. This includes buying goods online or using a smartphone to purchase something at a store. A digital wallet can also be a cryptocurrency wallet (such as Bitcoin, Ethereum, Litecoin, Ripple, and so on).
- Passwords: Passwords are always a big target. Many of us are guilty of password reuse. Even if we are not, there is always the danger that a hacker can extract email passwords or other online account passwords.
- Insider information: We have all had those moments in which we have said, “If only I had known this beforehand.” That’s what insider information is about. It can give the hacker critical information before it is made public or released.
- Data storage: The goal of the Trojan might be nothing more than to use your system for storage space. That data could be movies, music, illegal software (warez), or even pornography.
- Advanced persistent threat (APT): It could be that the hacker has targeted you as part of a nation-state attack or your company has been targeted because of its sensitive data. These attackers might spend significant time and expense to gain access to critical and sensitive resources. You can obtain information about numerous APT threat actors, as well as the tactics and techniques used, at the MITRE ATT&CK framework at https://attack.mitre.org/groups.

TIP The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base that provides a comprehensive framework for understanding the actions and behaviors of real-life attackers during the different stages of an attack. It is widely used in the cybersecurity community and is maintained by MITRE Corporation. MITRE ATT&CK covers a wide range of threat actor tactics, techniques, and procedures (TTPs) across different platforms, such as Windows, macOS, Linux, network infrastructure, mobile devices, IoT, and cloud environments. The framework is organized into matrices that group these TTPs based on the targeted platform. Each TTP is described in detail, providing insights into how adversaries operate, which helps cybersecurity experts, ethical hackers, and incident responders to better understand and respond to cyber threats effectively. The MITRE ATT&CK framework is continually updated to reflect the evolving threat landscape, making it a valuable resource for the cybersecurity community to enhance threat intelligence, detection, and response capabilities. You can access ATT&CK at https://attack.mitre.org.

Trojan Infection Mechanisms

After a hacker has written a Trojan, he will still need to spread it. The Internet has made this much easier than it used to be. There are a variety of ways to spread malware, including the following:

- Peer-to-peer networks (P2P): Although users might think that they are getting the latest copy of a computer game or the Microsoft Office package, in reality, they might be getting much more. P2P networks and file-sharing sites such as The Pirate Bay are generally unmonitored and allow anyone to spread any programs they want, legitimate or not.
- Instant messaging (IM): IM was not built with security controls. So, you never know the real contents of a file or program that someone has sent you. IM users are at great risk of becoming targets for Trojans and other types of malware. Many popular IM platforms, such as WhatsApp, Facebook Messenger, and Discord, have been used by scammers and attackers. These threat actors have been able to send malicious files and payloads to exploit vulnerabilities and compromise user data.
- Internet Relay Chat (IRC): IRC is full of individuals ready to attack the newbies who are enticed into downloading a free program or application.
- Email attachments: Attachments are another common way to spread a Trojan. To get you to open them, these hackers might disguise the message to appear to be from a legitimate organization. The message might also offer you a valuable prize, a desired piece of software, or similar enticement to pique your interest. If you feel that you must investigate these attachments, save them first and then run an antivirus on them. Email attachments are the number-one means of malware propagation. You might investigate them as part of your information security job to protect network users.
- Physical access: If a hacker has physical access to a victim’s system, he can just copy the Trojan horse to the hard drive (via a thumb drive). The hacker can even take the attack to the next level by creating a Trojan that is unique to the system or network. It might be a fake login screen that looks like the real one or even a fake database.
- Browser and browser extension vulnerabilities: Many users don’t update their browsers as soon as updates are released. Web browsers often treat the content they receive as trusted. The truth is that nothing in a web page can be trusted to follow any guidelines. A website can send to your browser data that exploits a bug in a browser, violates computer security, and might load a Trojan.
- SMS messages: SMS messages have been used by attackers to propagate malware to mobile devices and to perform other scams.
- Impersonated mobile apps: Attackers can impersonate apps in mobile stores (for example, Google Play or Apple Store) to infect users. Attackers can perform visual impersonation to intentionally misrepresent apps in the eyes of the user. Attackers can do this to repackage the application and republish the app to the marketplace under a different author. This tactic has been used by attackers to take a paid app and republish it to the marketplace for less than its original price. However, in the context of mobile malware, the attacker uses similar tactics to distribute a malicious app to a wider user audience while minimizing the invested effort. If the attacker repackages a popular app and appends malware to it, the attacker can leverage the user’s trust of their favorite apps and successfully compromise the mobile device.
- Watering hole: The idea is to infect a website the attacker knows the victim will visit. Then the attacker simply waits for the victim to visit the watering hole site so the system can become infected.
- Freeware: Nothing in life is free, and that includes most software. Users are taking a big risk when they download freeware from an unknown source. Not only might the freeware contain a Trojan, but freeware also has become a favorite target for adware and spyware.

TIP Be sure that you understand that email is one of the most widely used forms of malware propagation.

Effects of Trojans

The effects of Trojans can range from benign to the extreme. Individuals whose systems become infected might never even know; most of the creators of this category of malware don’t want to be detected, so they go to great lengths to hide their activity and keep their actions hidden. After all, their goal is typically to “own the box.” If the victim becomes aware of the Trojan’s presence, the victim will take countermeasures that threaten the attacker’s ability to keep control of the computer. In some cases, programs seemingly open by themselves or the web browser opens pages the user didn’t request. However, because the hacker is in control of the computer, he can change its background, reboot the systems, or capture everything the victim types on the keyboard.
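The file-infection item earlier in the chapter (an .exe renamed to look like a graphic) and the email-attachment item above describe the same thing a mail gateway or analyst can check before anyone opens the file: does the attachment's name agree with its content? The following Python sketch is an added example, not code from the book; the message, the addresses, the attachment bytes, and the reason labels are constructed for illustration, and the extension lists are assumptions a real deployment would extend.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_EXTS = {".exe", ".com"}
DECOY_EXTS = {".jpg", ".bmp", ".png", ".svg", ".pdf",
              ".doc", ".docx", ".xls", ".xlsx"}
# Leading bytes expected for each claimed type.
MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n",
         ".bmp": b"BM", ".pdf": b"%PDF-"}
PE_MAGIC = b"MZ"  # first two bytes of a Windows executable


def inspect_attachment(filename: str, payload: bytes) -> list:
    """Return the reasons an attachment looks like a masked executable."""
    parts = filename.lower().strip().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable-extension")
        if inner in DECOY_EXTS:  # e.g. report.pdf.exe
            reasons.append("double-extension")
    if payload.startswith(PE_MAGIC):
        reasons.append("pe-header")
    if ext in MAGIC and not payload.startswith(MAGIC[ext]):
        reasons.append("content-does-not-match-extension")
    return reasons


def triage(raw_message: bytes) -> dict:
    """Parse an RFC 5322 message and report suspicious attachments by name."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = inspect_attachment(name, data)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed message; the 'executables' are only an MZ stub plus zeros."""
    stub = PE_MAGIC + b"\x90\x00" + b"\x00" * 60
    msg = EmailMessage()
    msg["From"] = "hr@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Pending layoffs"
    msg.set_content("Please review the attached list.")
    msg.add_attachment(stub, maintype="application",
                       subtype="octet-stream", filename="layoffs.pdf.exe")
    msg.add_attachment(stub, maintype="image", subtype="jpeg",
                       filename="team-photo.jpg")
    msg.add_attachment(MAGIC[".png"] + b"\x00" * 16, maintype="image",
                       subtype="png", filename="logo.png")
    return msg.as_bytes()


SAMPLE = build_sample()

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```

A name-versus-content check like this complements an antivirus scan of the saved attachment and does not replace it; a two-byte "MZ" match can also fire on harmless data, so treat it as a reason to look closer.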
Distributing Malware

Technology changes, and that includes malware distribution. The fact is that malware detection is much more difficult today than in the past. Today, it is not uncommon for attackers to use multiple layers of techniques to obfuscate code, make malicious code undetectable by antivirus, and employ encryption to prevent others from examining malware. The result is that modern malware improves the attackers’ chances of compromising a computer without being detected. These techniques include wrappers, packers, droppers, and crypters.

Wrappers offer hackers a method to slip past a user’s normal defenses. A wrapper is a program used to combine two or more executables into a single packaged program. Wrappers are also referred to as binders, packagers, and EXE binders because they are the functional equivalent of binders for Windows Portable Executable files. Some wrappers only allow programs to be joined; others allow the binding together of three, four, five, or more programs. Basically, these programs perform like installation builders and setup programs. Besides allowing you to bind a program, wrappers add additional layers of obfuscation and encryption around the target file, essentially creating a new executable file.

Packers are similar to programs such as WinZip, Rar, and Tar because they compress files. However, whereas compression programs compress files to save space, packers do this to obfuscate the activity of the malware. The idea is to prevent anyone from viewing the malware’s code until it is placed in memory. Packers serve a second valuable goal to the attacker in that they work to bypass network security protection mechanisms, such as host- and network-based intrusion detection systems. The malware packer will decompress the program only when in memory, revealing the program’s original code only when executed. This is yet another attempt to bypass antimalware detection.

Droppers are software designed to install malware payloads on the victim’s system. Droppers try to avoid detection and evade security controls by using several methods to spread and install the malware payload.

Crypters function to encrypt or obscure the code. Some crypters obscure the contents of the Trojan by applying an encryption algorithm. Crypters can use anything from AES, RSA, to even Blowfish, or might use more basic obfuscation techniques such as XOR, Base64 encoding, or even ROT13. Again, these techniques are used to conceal the contents of the executable program, making it undetectable by antivirus and resistant to reverse-engineering efforts.

Ransomware

Over the past few years, ransomware has been used by criminals making money out of their victims and by hacktivists and nation-state attackers causing disruption. Ransomware can propagate like a worm or a virus but is designed to encrypt personal files on the victim’s hard drive until a ransom is paid to the attacker. Ransomware has been around for many years but made a comeback in recent years. The following are several examples of popular ransomware: