Term
|
Definition
Most serious threat because...
- people already have knowledge of the network and available resources
- people already have some level of access granted to them because of their job
- traditional IPS and Firewall are ineffective against much misuse originating internally.
|
|
|
Term
|
Definition
More technical
- could perform ping sweep of network to identify IPs
- then use port scan to identify open services
- could then try to exploit known vulnerabilities for open services to gain access
Many of these can be mitigated using network security tools and mechanisms |
|
|
Term
3 Primary Goals of Network Security |
|
Definition
- Confidentiality
- Integrity
- Availability
|
|
|
Term
|
Definition
keeping data private
physically or logically restricting access to sensitive data
- use Network Security mechanisms to prevent unauthorized access (Firewall and ACLs)
- Require appropriate credentials to access specific network resources (Authentication)
- encrypt traffic
|
|
|
Term
|
Definition
ensures data hasn't been modified
verifies that traffic originates from source that should be sending it
Violations include:
- modifying appearance of corporate website
- intercepting and altering an e-commerce transaction
- modifying financial records that are stored electronically
|
|
|
Term
|
Definition
measure of data's accessibility
Attempts to compromise the availability of network include:
- send improperly formatted data to a networked device, resulting in unhandled exception error
- flood a network system with excessive amount of traffic or requests (DoS)
|
|
|
Term
Government/Military Data Classification
Unclassified
|
|
Definition
Data has few or no privacy requirements |
|
|
Term
Government/Military Data Classification
Sensitive but unclassified (SBU) |
|
Definition
Data could cause embarrassment but not constitute a security threat if revealed |
|
|
Term
Government/Military Data Classification
Confidential |
|
Definition
Data that has a reasonable probability of causing damage if disclosed to an unauthorized party |
|
|
Term
Government/Military Data Classification
Secret |
|
Definition
Data has a reasonable probability of causing serious damage if disclosed to an unauthorized party |
|
|
Term
Government/Military Data Classification
Top-secret |
|
Definition
Data has a reasonable probability of causing exceptionally grave damage if disclosed to an unauthorized party |
|
|
Term
Organizational Data Classification
Public |
|
Definition
Information made available to the public
(through marketing materials) |
|
|
Term
Organizational Data Classification
Sensitive |
|
Definition
Data that could cause embarrassment but not constitute a security threat if revealed |
|
|
Term
Organizational Data Classification
Private |
|
Definition
Organizational information that should be kept secret and whose accuracy should be maintained |
|
|
Term
Organizational Data Classification
Confidential |
|
Definition
Sensitive organizational information (for example, employee records) that should be protected with great care |
|
|
Term
Data Classification Characteristics
Value |
|
Definition
How valuable the data is to the organization |
|
|
Term
Data Classification Characteristics
Age |
|
Definition
|
|
Term
Data Classification Characteristics
Useful life |
|
Definition
How long the data will be considered relevant |
|
|
Term
Data Classification Characteristics
Personal Association |
|
Definition
|
|
Term
Classification Roles
Owner |
|
Definition
-Initially determines the classification level
-Routinely reviews documented procedures for classifying data
-Gives the custodian the responsibility of protecting the data |
|
|
Term
Classification Roles
Custodian |
|
Definition
-Keeps up-to-date backups of classified data
-Verifies the integrity of the backups
-Restores data from backups on an as-needed basis
-Follows policy guidelines to maintain specific data |
|
|
Term
Classification Roles
User |
|
Definition
-Accesses and uses data in accordance with an established security policy
-Takes reasonable measures to protect the data he or she has access to
-Uses data for only organizational purposes |
|
|
Term
Security Solution Controls
Administrative Controls |
|
Definition
primarily policy-centric
Examples:
- Routine security awareness training programs
- Clearly defined security policies
- Change management system, which notifies parties of system changes
- Logging configuration changes
- Properly screening potential employees
|
|
|
Term
Security Solution Controls
Physical Controls |
|
Definition
help protect the data's environment and prevent potential attackers from readily having physical access to the data
Examples:
- Security systems to monitor for intruders
- Physical security barriers (e.g. locked doors)
- Climate protection systems, to maintain proper temperature and humidity, in addition to alerting personnel in case of fire
- Security personnel to guard the data
|
|
|
Term
Security Solution Controls
Technical Controls |
|
Definition
variety of hardware and software technologies to protect data
Examples
- security appliances - Firewalls, IPSs, VPN termination
- Authorization applications - RADIUS or TACACS+ servers, one-time passwords, biometric security scanners
|
|
|
Term
|
Definition
Attempts to prevent access to data or a system |
|
|
Term
|
Definition
attempts to prevent a security incident by influencing the potential attacker not to launch an attack |
|
|
Term
|
Definition
Can detect when access to data or a system occurs |
|
|
Term
Responding to Security Incident
Motive |
|
Definition
describes why the attacker committed the act
Example - could be a disgruntled employee
Potential motives can be valuable to define during an investigation
Specifically, an investigation may start out by looking at those who had a motive to carry out the attack. |
|
|
Term
Responding to Security Incident
Means |
|
Definition
With all security controls in place to protect data or computer systems, it needs to be determined whether the accused had the means to carry out the attack
Example
- did the individual have the technical skills |
|
|
Term
Responding to Security Incident
Opportunity |
|
Definition
was the accused available to commit the attack
|
|
|
Term
|
Definition
applies to crimes that have been committed and that might result in fines and/or imprisonment for someone found guilty |
|
|
Term
|
Definition
addresses wrongs that have been committed; but wrongs are not considered criminal
Example
- civil litigation might involve patent infringement
|
|
|
Term
|
Definition
typically involves the enforcement of regulations by government agencies |
|
|
Term
|
Definition
weakness that an attacker might leverage to gain unauthorized access to the system or its data |
|
|
Term
|
Definition
something used to take advantage of the vulnerability |
|
|
Term
|
Definition
has skills to break into computer systems and do damage
uses skills to help organizations |
|
|
Term
|
Definition
also known as a cracker; uses skills for unethical reasons |
|
|
Term
|
Definition
can be thought of as a white hat hacker who occasionally strays and acts unethically |
|
|
Term
|
Definition
hacker of a telecommunications system
Examples
- Captain Crunch used a toy whistle (which generated a 2600-Hz tone) to trick phone systems into letting him place free long distance calls
- Convincing a telecommunications carrier to permit free long distance calls in this manner is an example of phreaking
|
|
|
Term
|
Definition
user who lacks the skills of a typical hacker
downloads hacking utilities and uses those utilities to launch attacks, rather than writing own programs |
|
|
Term
|
Definition
hacker with political motivations
Example
- someone who defaces the website of a political candidate
|
|
|
Term
|
Definition
knowledgeable about the technical aspects of computer and network security systems
Example
- might attempt to attack a system protected by IPS by fragmenting malicious traffic in a way that would go undetected by the IPS
|
|
|
Term
|
Definition
typically is an employee or student at an institution of higher education. Uses institution's computing resources to write "clever" programs.
Typically these types use their real names and they tend to focus on open-standards-based software and operating systems |
|
|
Term
|
Definition
tends to focus on home computing
might modify existing hardware or software to use software without a legitimate license |
|
|
Term
|
Definition
difficult to detect because the attacker isn't actively sending traffic (malicious or otherwise)
Example
- attacker capturing packets from the network and attempting to decrypt them (if traffic was encrypted originally)
|
|
|
Term
|
Definition
easier to detect because the attacker is actively sending traffic (malicious and otherwise)
Example
- might launch an active attack in an attempt to access classified information or to modify data on a system
|
|
|
Term
|
Definition
occurs when the attacker is in close physical proximity with the target system
Example
- an attacker can bypass password protection on some routers, switches and servers if he gains physical access to those devices
|
|
|
Term
|
Definition
occurs when legitimate network users leverage their credentials and knowledge of the network in a malicious fashion
|
|
|
Term
|
Definition
Intentionally introduce back doors to hardware or software systems at the point of manufacture.
Example
- After systems have been distributed to a variety of customers, the attacker can use knowledge of the implanted back door to access protected data, manipulate data or make the target system unusable by legitimate users
|
|
|
Term
|
Definition
Design philosophy that achieves this layered security approach
should provide redundancy for one another while offering a variety of defense strategies for protecting multiple aspects of a network
single points of failure in a security solution should be eliminated, and weak links in the security solution should be strengthened |
|
|
Term
|
Definition
- Defend multiple attack targets in the network
  - protect the network infrastructure
  - protect strategic computing resources, such as with HIPS
- Create overlapping defenses - IDS and IPS
- Let the value of a protected resource dictate strength of security mechanism - deploy more resources to protect a network boundary as opposed to the resources to protect an end-user workstation
- Use strong encryption technologies
|
|
|
Term
|
Definition
- originator sends a SYN segment to the destination, along with a sequence number
- destination sends an acknowledgement (an ACK) of the originator's sequence number along with the destination's own sequence number (a SYN)
- originator sends an ACK segment to acknowledge the destination's sequence number, after which the TCP communication channel is open between the originator and destination
|
|
|
Term
|
Definition
|
|
Term
|
Definition
occurs when attacker and the destination are on the same subnet. By being on the same subnet, the attacker might be able to use a packet-capture utility to glean sequence numbers |
|
|
Term
|
Definition
occurs when attacker is not on the same subnet as the destination
obtaining correct sequence numbers is more difficult
Using techniques such as IP source routing, an attacker can accurately determine those sequence numbers |
|
|
Term
Source routing variations |
|
Definition
|
|
Term
|
Definition
attacker specifies a list of IP addresses through which a packet must travel. However, the packet could also travel through additional routers that interconnect the IP addresses specified in the list |
|
|
Term
|
Definition
IP addresses in the list specified by the attacker are the only IP addresses through which a packet is allowed to travel |
|
|
Term
Protect against IP Spoofing Attack |
|
Definition
Use access control lists on router interfaces
Encrypt traffic between devices via an IPsec tunnel
Use cryptographic authentication |
|
|
Term
Confidentiality Attack Strategies
Packet Capture |
|
Definition
Wireshark, for example, can capture packets visible to a PC's NIC by placing the NIC in promiscuous mode.
Some protocols (HTTP, Telnet) are sent in plain text; therefore, an attacker can read these types of captured packets, perhaps allowing him to see confidential information |
|
|
Term
Confidentiality Attack Strategies
Ping sweep and port scan |
|
Definition
confidentiality attack might start with a scan of network resources, to identify attack targets on a network. A ping sweep could be used to ping a series of IP addresses. As soon as a collection of IP addresses is identified, attacker might scan a range of UDP and/or TCP ports to see what services are available on the host at the specified IP address.
Port scans often help attackers identify the OS running on the target system |
|
|
Term
Confidentiality Attack Strategies
Dumpster diving |
|
Definition
because many companies throw away confidential information without properly shredding it, some attackers might rummage through company dumpsters in hopes of discovering information that could be used to compromise network resources |
|
|
Term
Confidentiality Attack Strategies
Electromagnetic interference (EMI) interception |
|
Definition
Data is often transmitted over wire (UTP wire); attackers can sometimes copy information traveling over the wire by intercepting EMI being emitted by the transmission medium.
EMI emissions are sometimes called emanations |
|
|
Term
Confidentiality Attack Strategies
Wiretapping |
|
Definition
If an attacker gains physical access to a wiring closet, they might be able to physically tap into telephone cabling to eavesdrop on telephone conversations
An attacker might also insert a shared media hub inline with a network cable. This could let him connect to the hub and receive copies of packets flowing through the network cable. |
|
|
Term
Confidentiality Attack Strategies
Social engineering |
|
Definition
sometimes use social techniques to obtain confidential information |
|
|
Term
Confidentiality Attack Strategies
Sending information over overt channels |
|
Definition
attacker might send or receive confidential information over a network using an overt channel.
Example
- using one protocol inside another (sending instant messaging traffic via HTTP)
- Steganography is sending a digital image made up of millions of pixels with secret information encoded in specific pixels. Only the sender and receiver know which pixels represent the encoded info
|
|
|
Term
Confidentiality Attack Strategies
Sending information over covert channels |
|
Definition
attacker might send or receive confidential information over a network using a covert channel, which can communicate information as a series of codes and/or events.
Example
- binary data could be represented by sending a series of pings to a destination - single ping within a certain period of time could represent binary 0 and two pings within that same period of time could represent binary 1
|
|
|
Term
Integrity Attacks
Salami Attack |
|
Definition
collection of small attacks that result in a larger attack when combined
Example
- if an attacker had a collection of stolen credit card numbers, he could withdraw a small amount of money from each credit card. Although each withdrawal is small, they add up to a significant sum for the attacker
|
|
|
Term
Integrity Attacks
Data Diddling |
|
Definition
changes data before it is stored in a computing system
malicious code in an input application or virus could perform data diddling.
Example
- a virus, Trojan horse, or worm could be written to intercept keyboard input. It would display the appropriate characters on-screen so that the user would not see a problem. Manipulated characters would be entered into a database app or sent over network
|
|
|
Term
Integrity Attacks
Trust relationship exploitation |
|
Definition
Certain hosts might be trusted to communicate through a firewall using specific ports. If an attacker could compromise a host that had a trust relationship with the firewall, the attacker could use the compromised host to pass normally denied data through the firewall.
A web server and a database server mutually trusting one another. If attacker gained control of the web server, he might be able to leverage that trust relationship to compromise the database server. |
|
|
Term
Integrity Attacks
Password Attacks |
|
Definition
attempts to determine a user's password
as soon as username and password are gained, the attacker can attempt to log into a system as that user, and therefore inherit that user's set of permissions |
|
|
Term
Integrity Attacks - Password Attacks
Trojan horse |
|
Definition
Program that appears to be a useful application captures the user's password and then makes it available to the attacker |
|
|
Term
Integrity Attacks - Password Attacks
Packet capture |
|
Definition
A packet-capture utility can capture packets seen on a PC's NIC.
if the PC can see a copy of a plain-text password being sent over a link, the packet-capture utility can be used to glean the password |
|
|
Term
Integrity Attacks - Password Attacks
Keylogger |
|
Definition
program that runs in the background of a computer, logging the user's keystrokes
after a user enters a password, it is stored in the log created by the keylogger. An attacker then can retrieve the log of keystrokes to determine the user's password |
|
|
Term
Integrity Attacks - Password Attacks
Brute force |
|
Definition
tries all possible password combinations until a match is made.
Example
- brute-force attack might start with the letter a and go through the letter z
- then the letters aa through zz are attempted, until password is determined
Using mixture of uppercase and lowercase helps mitigate brute force |
|
|
Term
Integrity Attacks - Password Attacks
Dictionary Attack |
|
Definition
similar to a brute-force attack, in that multiple password guesses are attempted; based on a dictionary of commonly used words, rather than brute-force |
|
|
Term
|
Definition
A software robot is typically thought of as an application on a machine that can be controlled remotely
If a collection of computers is infected with such software robots, called bots, this collection of computers (zombies) is known as a botnet.
Because of the potentially large size of a botnet, it might compromise the integrity of a large amount of data |
|
|
Term
Integrity Attacks
Hijacking a session |
|
Definition
if an attacker successfully hijacked a session of an authorized device, he might be able to maliciously manipulate data on the protected server |
|
|
Term
Availability Attacks
Denial of Service (DoS) |
|
Definition
attacker can launch a DoS attack on a system by sending the target system a flood of data or requests that consume the target system's resources
Alternatively, some OS and applications might crash when they receive specific strings of improperly formatted data, and the attacker could leverage such OS and/or app vulnerabilities to render a system or application inoperable.
Attacker often uses IP Spoofing to conceal his identity |
|
|
Term
Availability Attacks
Distributed denial of service (DDoS) |
|
Definition
can increase the amount of traffic flooded to a target system. Specifically, the attacker compromises multiple systems.
The attacker can instruct those compromised systems, called zombies, to simultaneously launch a DDoS attack against a target system |
|
|
Term
Availability Attacks
TCP SYN flood |
|
Definition
one variant of DoS attacks is for an attacker to initiate multiple TCP sessions by sending SYN segments but never completing the three-way handshake
can send multiple SYN segments to a target system, with false source IP addresses in the header
Because many servers limit the number of TCP sessions they can have open simultaneously, a SYN flood can render a target system incapable of opening a TCP session with a legitimate user |
|
|
Term
Availability Attacks
ICMP Attacks |
|
Definition
Many networks permit ICMP traffic because pings can be useful in network troubleshooting. Attackers can use ICMP for DoS attacks.
|
|
|
Term
Availability Attacks - ICMP Attacks
Ping of Death |
|
Definition
ICMP DoS attack that uses ICMP packets that are too big
Sends the ICMP traffic as a series of fragments in an attempt to overflow the fragment reassembly buffers on the target device |
|
|
Term
Availability Attacks - ICMP Attacks
Smurf Attack |
|
Definition
can use ICMP traffic directed to a subnet to flood a target system with ping replies |
|
|
Term
Availability Attacks
Electrical disturbances |
|
Definition
at physical level - attacker could launch an attack by interrupting or interfering with the electrical service available to a system.
|
|
|
Term
Availability Attacks - Electrical disturbances
Power spike |
|
Definition
excess power for a brief period of time |
|
|
Term
Availability Attacks - Electrical disturbances
Electrical surge |
|
Definition
excess power for an extended period of time |
|
|
Term
Availability Attacks - Electrical disturbances
Power fault |
|
Definition
a brief electrical outage |
|
|
Term
Availability Attacks - Electrical disturbances
Blackout |
|
Definition
an extended electrical outage |
|
|
Term
Availability Attacks - Electrical disturbances
Power sag |
|
Definition
a brief reduction in power |
|
|
Term
Availability Attacks - Electrical disturbances
Brownout |
|
Definition
An extended reduction in power |
|
|
Term
Availability Attacks
Attacks on system's physical environment |
|
Definition
could intentionally damage computing equipment by influencing the equipment's physical environment
Example
- Temperature - computing equipment generates heat; if an attacker interferes with the AC system, the equipment could overheat
- Humidity - computing equipment is intolerant of moisture, attacker could create a high level of humidity
- Gas - can be flammable so attacker could inject gas, where small sparks could create fire
|
|
|