CCNA EXPLORATION
ACCESSING THE WAN
Study Guide
Chapter 4: Network Security
4.0.1 / What is the most important step that an organization can take to protect its network? / The application of an effective security policy.4.1.1 / What balance must an organization find? / Today’s networks must balance the accessibility to network resources with the protection of sensitive data from theft.
As the types of threats, attacks, and exploits have evolved, various terms have been coined to describe the individuals involved. Describe some of the most common terms. / White hat-An individual who looks for vulnerabilities in systems or networks and then reports these vulnerabilities to the owners of the system so that they can be fixed. They are ethically opposed to the abuse of computer systems. A white hat generally focuses on securing IT systems, whereas a black hat (the opposite) would like to break into them.
Hacker-A general term that has historically been used to describe a computer programming expert. More recently, this term is often used in a negative way to describe an individual that attempts to gain unauthorized access to network resources with malicious intent.
Black hat-Another term for individuals who use their knowledge of computer systems to break into systems or networks that they are not authorized to use, usually for personal or financial gain. A cracker is an example of a black hat.
Cracker-A more accurate term to describe someone who tries to gain unauthorized access to network resources with malicious intent.
Phreaker-An individual who manipulates the phone network to cause it to perform a function that is not allowed. A common goal of phreaking is breaking into the phone network, usually through a payphone, to make free long distance calls.
Spammer-An individual who sends large quantities of unsolicited e-mail messages. Spammers often use viruses to take control of home computers and use them to send out their bulk messages.
Phisher-Uses e-mail or other means to trick others into providing sensitive information, such as credit card numbers or passwords. A phisher masquerades as a trusted party that would have a legitimate need for the sensitive information.
Describe the seven-step process Hackers often use to gain information and start an attack. / Step 1. Perform footprint analysis (reconnaissance). A company webpage can lead to information, such as the IP addresses of servers. From there, an attacker can build a picture of the security profile or "footprint" of the company.
Step 2. Enumerate information. An attacker can expand on the footprint by monitoring network traffic with a packet sniffer such as Wireshark, finding information such as version numbers of FTP servers and mail servers. A cross-reference with vulnerability databases exposes the applications of the company to potential exploits.
Step 3. Manipulate users to gain access. Sometimes employees choose passwords that are easily crackable. In other instances, employees can be duped by talented attackers into giving up sensitive access-related information.
Step 4. Escalate privileges. After attackers gain basic access, they use their skills to increase their network privileges.
Step 5. Gather additional passwords and secrets. With improved access privileges, attackers use their talents to gain access to well-guarded, sensitive information.
Step 6. Install backdoors. Backdoors provide the attacker with a way to enter the system without being detected. The most common backdoor is an open listening TCP or UDP port.
Step 7. Leverage the compromised system. After a system is compromised, an attacker uses it to stage attacks on other hosts in the network.
What are some of the most commonly reported acts of computer crime that have network security implications? / Insider abuse of network access
Virus
Mobile device theft
Phishing where an organization is fraudulently represented as the sender
Instant messaging misuse
Denial of service
Unauthorized access to information
Bots within the organization
Theft of customer or employee data
Abuse of wireless network
System penetration
Financial fraud
Password sniffing
Key logging
Website defacement
Misuse of a public web application
Theft of proprietary information
Exploiting the DNS server of an organization
Telecom fraud
Sabotage
Describe Open, Restrictive, & Closed Networks. / Open – Permit everything that is not explicitly denied:
· Easy to configure & administer
· Easy for end users to access network resources
· Security cost is least expensive
Restrictive – Combination of specific permissions & specific restrictions:
· More difficult to configure & administer
· More difficult for end users to access network resources
· Security cost is more expensive
Closed – That which is not explicitly permitted is denied:
· Most difficult to configure & administer
· Most difficult for end users to access network resources
· Security cost is most expensive
What is the first step any organization should take to protect its data and itself from a liability challenge? / Develop a security policy.
What is a security policy? / RFC2196 states that a "security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide."
A security policy should meet what goals? / · Informs users, staff, and managers of their obligatory requirements for protecting technology and information assets
· Specifies the mechanisms through which these requirements can be met
· Provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance with the policy
What is ISO/IEC 27002? / The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have published a security standard document called ISO/IEC 27002. This document refers specifically to information technology and outlines a code of practice for information security management. It is intended to be a common basis and practical guideline for developing organizational security standards and effective security management practices.
What are the sections of ISO/IEC 27002 / Risk assessment
Security policy
Organization of information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development, and maintenance
Information security incident management
Business continuity management
Compliance
4.1.2 / When discussing network security, what are the three common factors? / Vulnerability - the degree of weakness
Threats are the people interested and qualified in taking advantage of each security weakness.
Attacks - the threats use a variety of tools, scripts, and programs to launch attacks against networks and network devices.
What are the three primary vulnerabilities or weaknesses? / Technological weaknesses - These include TCP/IP protocol, operating system, and network equipment weaknesses.
Configuration weaknesses – These include unsecured user accounts, system accounts with easily guessed passwords, mis-configured internet services, unsecured default settings within products, & mis-configured network equipment.
Security policy weaknesses – These include lack of a written policy, politics within the organization, lack of authentication continuity, logical access controls not applied, software & hardware installation & changes do not follow policy, & no disaster recovery plan.
What are the four classes of physical threats? / Hardware threats-Physical damage to servers, routers, switches, cabling plant, and workstations
Environmental threats-Temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
Electrical threats-Voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
Maintenance threats-Poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling
How might you mitigate Hardware threats? / Lock the wiring closet and only allow access to authorized personnel. Block access through any dropped ceiling, raised floor, window, ductwork, or point of entry other than the secured access point. Use electronic access control, and log all entry attempts. Monitor facilities with security cameras.
How might you mitigate Environmental threats? / Create a proper operating environment through temperature control, humidity control, positive air flow, remote environmental alarming, and recording and monitoring.
How might you mitigate Electrical threats? / Limit electrical supply problems by installing UPS systems and generator sets, following a preventative maintenance plan, installing redundant power supplies, and performing remote alarming and monitoring.
How might you mitigate Maintenance threats? / Use neat cable runs, label critical cables and components, use electrostatic discharge procedures, stock critical spares, and control access to console ports.
Describe Unstructured Threats. / Unstructured threats consist of mostly inexperienced individuals using easily available hacking tools, such as shell scripts and password crackers. Even unstructured threats that are only executed with the intent of testing an attacker's skills can do serious damage to a network.
Describe Structured Threats. / Structured threats come from individuals or groups that are more highly motivated and technically competent. These people know system vulnerabilities and use sophisticated hacking techniques to penetrate unsuspecting businesses. They break into business and government computers to commit fraud, destroy or alter records, or simply to create havoc. These groups are often involved with the major fraud and theft cases reported to law enforcement agencies. Their hacking is so complex and sophisticated that only specially trained investigators understand what is happening.
Describe External Threats. / External threats can arise from individuals or organizations working outside of a company who do not have authorized access to the computer systems or network. They work their way into a network mainly from the Internet or dialup access servers. External threats can vary in severity depending on the expertise of the attacker-either amateurish (unstructured) or expert (structured).
Describe Internal Threats. / Internal threats occur when someone has authorized access to the network with either an account or physical access. Just as for external threats, the severity of an internal threat depends on the expertise of the attacker.
Describe Social Engineering. / The easiest hack involves no computer skill at all. If an intruder can trick a member of an organization into giving over valuable information, such as the location of files or passwords, the process of hacking is made much easier. This type of attack is called social engineering.
Describe Phishing. / Phishing is a type of social engineering attack that involves using e-mail or other types of messages in an attempt to trick others into providing sensitive information, such as credit card numbers or passwords. The phisher masquerades as a trusted party that has a seemingly legitimate need for the sensitive information.
4.1.3 / Describe the four primary classes of network attacks. / Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. It is also known as information gathering and, in most cases, it precedes another type of attack.
System access is the ability for an intruder to gain access to a device for which the intruder does not have an account or a password. Entering or accessing systems usually involves running a hack, script, or tool that exploits a known vulnerability of the system or application being attacked.
Denial of service (DoS) is when an attacker disables or corrupts networks, systems, or services with the intent to deny services to intended users. DoS attacks involve either crashing the system or slowing it down to the point that it is unusable.
Worms, Viruses, and Trojan Horses - Malicious software can be inserted onto a host to damage or corrupt a system, replicate itself, or deny access to networks, systems, or services.
What are some possible reconnaissance attacks? / Internet information queries
Ping sweeps
Port scans
Packet sniffers
What are some of the utilities external hackers can use to easily determine the IP address space assigned to a given corporation or entity? / Internet tools, such as the nslookup and whois utilities
What is a ping sweep? / Situation in which a hacker uses a tool, such as fping or gping, to systematically ping all network addresses in a given range or subnet.
How does the intruder use port scans? / When the active IP addresses are identified, he/she can use a port scanner to determine which network services or ports are active on the live IP addresses. A port scanner is software, such as Nmap or Superscan, which is designed to search a network host for open ports. The port scanner queries the ports to determine the application type and version, as well as the type and version of operating system (OS) running on the target host. Based on this information, the intruder can determine if a possible vulnerability that can be exploited exists.
What are some common terms for eavesdropping? / Network snooping and packet sniffing
Describe Two common uses of eavesdropping. / Information gathering-Network intruders can identify usernames, passwords, or information carried in a packet.
Information theft-The theft can occur as data is transmitted over the internal or external network. The network intruder can also steal data from networked computers by gaining unauthorized access. Examples include breaking into or eavesdropping on financial institutions and obtaining credit card numbers.
Why is SNMP version 1 community strings susceptible to eavesdropping? / They are sent in clear text. SNMP is a management protocol that provides a means for network devices to collect information about their status and to send it to an administrator. An intruder could eavesdrop on SNMP queries and gather valuable data on network equipment configuration.
How would an intruder use a protocol analyzer? / A common method for eavesdropping on communications is to capture TCP/IP or other protocol packets and decode the contents using a protocol analyzer or similar utility. An example of such a program is Wireshark, which you have been using extensively throughout the Exploration courses. After packets are captured, they can be examined for vulnerable information.
What are three of the most effective methods for counteracting eavesdropping? / · Using switched networks instead of hubs so that traffic is not broadcast to all endpoints or network hosts.
· Using encryption that meets the data security needs of the organization without imposing an excessive burden on system resources or users.
· Implementing and enforcing a policy directive that forbids the use of protocols with known susceptibilities to eavesdropping. For example, SNMP version 3 can encrypt community strings, so a company could forbid using SNMP version 1, but permit SNMP version 3.