88 Cards in this Set
What motivations are there for attacks? |
- Challenge, curiosity, status gain among hackers - political agenda or revenge - financial gain |
|
What are the goals of attackers? |
- Fraud/theft (e.g. credit card details or identity) - violation of data integrity - vandalism/sabotage - denial of service |
|
Points of Attack |
- Client, server, communication - Hardware, software, data, people - Threats are blocked by the control of vulnerabilities |
|
Security goals |
- Confidentiality (access only to authorised parties) - Integrity (modification only by authorised parties) - Availability (access available at all appropriate times to the authorised people) |
|
Insecurities in Networks |
- internet protocols must be open - large amounts of data stored in one place - all computers are networked (ease of access) - little forensic evidence of crimes - incomplete legislation - pressure to release software quickly without full security measures |
|
Protection controls |
- physical hardware - software - data encryption - policies and procedures |
|
Principle of adequate protection |
Security measures should be commensurate with the value of the asset. Assets should only be protected until they lose their value |
|
Methods of defence |
- Prevention - Deterrence - Deflection - Detection - Recovery |
|
Protection Effectiveness |
- controls should be used properly, must be efficient, easy to use and appropriate - awareness of problems - overlapping controls - periodic review |
|
Types of Attack |
1. Non technical (physical access) 2. Intercepting communications 3. Password cracking 4. Buffer overflow 5. Denial of service 6. Viruses, worms, trojan horses 7. Port scanners 8. Spoofing 9. Back doors 10. Scripting vulnerabilities 11. Database vulnerabilities 12. Executable content 13. Cookies |
|
Describe 'People' Attacks |
- Often the weakest link (insider abusing position, employees not following policies, collecting social media data) - social engineering e.g. phishing |
|
Protection against People Attacks |
- Vetting personnel - Education and awareness - Strict security policies - Access control - Anti spam filters to detect phishing |
|
Describe Physical Access Attacks |
- computers, data centres, mobile devices, routers, data storage - can be lost, stolen, destroyed, modified |
|
Protect against physical access attacks |
- physically secure computing system - secure or control access to rooms - back ups and mirror sites - password protected devices - controlling access from mobile devices to company network (VPN) |
|
Describe Intercepting Communications attacks |
- access to cables, network taps, or intercepting wireless communications if in range |
|
Protection against communication interception attacks |
- shielded and alarmed cables - using strong wireless protocols ensuring confidentiality, authentication, integrity |
|
Describe ways attackers can use passwords |
- non technical (looking over someone's shoulder) - default accounts and passwords - password crackers (likely passwords) - download encrypted password file and crack passwords offline - recording keystrokes - same password across different sites - passwords sent unencrypted can be intercepted by sniffers |
|
Protection against password attacks |
- Common sense (don't write them down) - Choose strong passwords - masked with ***'s in forms - change default passwords - timed out sessions - locking after a number of incorrect attempts - store as a hash, or a hash and salt - only submitting passwords through encrypted connections (e.g. SSL) |
|
What is a salt for passwords? |
A random number stored in clear with the hash to prevent attackers using pre-computed hashes of common passwords |
|
Describe Buffers |
Buffers are designed to hold data of a certain length (larger data can cause unexpected behaviours such as overwriting other areas of memory) |
|
Describe buffer vulnerabilities |
- this is a very common vulnerability - typical targets for overwriting (stack used for procedure calls, heap used for dynamic memory allocation) - buffer over-read (reading more data than the length of the buffer, e.g. Heartbleed) |
|
Protection against buffer attacks |
Writing secure programs: - always check number of arguments for functions - check parameters passed via URL - check range for indices - check for special characters in input (can introduce commands) |
|
List the types of denial of service attacks |
- SYN Flood - Ping - Reflection and Amplification - Distributed Denial of Service (DDoS) |
|
Describe SYN Flood |
Uses TCP/IP protocol - does not complete the last step of the three way handshake so that the connection is left open until it times out. The source of the attack is often spoofed |
|
What operating systems do SYN Flood attack? |
Unix and Windows |
|
How to protect against SYN flood attacks? |
- Set shorter timeout/longer queue - Block IP address (although this can be spoofed) - SYN cookies |
|
Describe a Ping |
Command used to check if host is reachable, by sending a request to which the host should respond |
|
Describe Ping flood attack |
Sends more pings than the host can handle |
|
Describe ping of death |
Sends a fragmented oversized ping packet causing a buffer overflow |
|
How to protect against ping attacks |
- Can set hosts to not respond to ping - Firewall (can filter incoming echo request packets, although this prevents legitimate users measuring latency; can instead limit the number of echo request packets during a given time) |
|
Describe Reflection Attacks |
Attacker spoofs their IP address to the IP address of the intended victim, then sends IP packets to a third party who will respond to the victim's IP address, so the attack is reflected through the third party |
|
Describe Amplification Attacks |
Attacker exploits some protocol/application where they send a small amount of data but the reply is a considerably larger amount of data. This is often combined with Reflection |
|
Describe DNS or NTP amplification |
Attacker sends a request to a DNS or NTP server with the source address spoofed to be the IP address of the intended victim. Often uses a command that returns a large amount of data |
|
Describe DDoS Attacks |
Large number of computers send a large number of legitimate looking requests to a target server at the same set time, or do a reflection/amplification on this target |
|
What advantages are there for DDoS attackers? |
Multiple machines can generate more attack traffic than one machine |
|
How are DDoS hosts recruited? |
Usually through a virus/worm infection. They form a bot-net that can be controlled remotely, or there are bot-nets for hire |
|
How to protect against DDoS attacks? |
- Distinguish legitimate packets - Avoid infection by virus/worm - Limit requests from certain IP addresses - Use large capacity servers (load balancing) - closing NTP servers to external enquiries - Firewalls can prevent some outgoing DDoS |
|
Describe Port/Network Scanners |
These check for open ports on a machine that are listening for incoming connections e.g. http server. Can be used by system admins to check if the system is working according to the policy |
|
How can port/network scanners be used by attackers? |
Can be used for reconnaissance by an attacker to plan a suitable attack |
|
Protection against Port/Network scanners |
Firewalls or Intrusion Detection Systems |
|
Describe Packet Analysers/Sniffers |
Packet analysers intercept network traffic. Normally hosts only open packets addressed to them. Used for legitimate purposes e.g. intrusion detection or to monitor performance |
|
How are packet analysers/sniffers used by attackers? |
For intercepting sensitive data |
|
How to protect against packet analysers/sniffers? |
Encrypt sensitive data |
|
Describe Viruses |
A program that infects files, and can replicate itself in other files, usually performing malicious/disruptive operations on the host computer |
|
Where do viruses infect? |
- executable files - data files - boot sector to launch at boot time - may write entries in the registry |
|
How do viruses work? |
- the virus's code (its signature) is inserted into the target file |
|
How do virus scanners work? |
They recognise the virus 'signature' (code) to identify them |
|
What are encrypted viruses? |
Virus code is encrypted and only the encryption module and the key are left clear |
|
What are polymorphic viruses? |
Produce variations of the virus code to prevent detection |
|
What are worms? |
Independent malicious programs that can spread through a network without the help of other infections and do not need to attach themselves to other programs |
|
What is a trojan horse? |
Programs that look legitimate but also perform malicious operations in the background such as installing key loggers or backdoors |
|
How to protect against viruses/worms/trojan horses? |
- regularly update antivirus software - install patches of operating systems - protect the boot sector by disabling booting from removable media - don't open suspicious attachments/download from suspicious sources - make back ups for restoring after an infection |
|
Describe back doors |
After gaining access to a computer, an intruder may install a back door to allow remote access later. Worms or trojan horses may also install them automatically |
|
Describe spoofing in websites |
Fake websites masquerading as another trusted site to extract information. Often rely on typos to divert traffic. Phishing attacks often use spoofed websites |
|
Protection against spoofed websites? |
- server authentication using digital certificates (as in SSL) |
|
Describe spoofed IP addresses |
Used to redirect the response to another host, or make it hard to trace origin of attacks |
|
Protection against spoofed IP addresses? |
Prevention: outgoing packets can be filtered by firewall so only packets having an IP address on the internal network can get through |
|
Describe spoofed email addresses |
The 'from' and 'reply to' fields can be spoofed. Used for sending spam, phishing emails, spreading worms and defamation |
|
How to prevent spoofed emails? |
SenderID, SPF, DKIM, DMARC. Most mail servers have built in filters to check server authentication of incoming mails and automatically ignore or quarantine suspicious looking emails |
|
Describe Cookies |
Cookies are files that a webserver can pass into a client web browser and be stored on a client's computer. Once received it is sent to the same server each time a document is requested from that server. They can be transient or permanent |
|
What are the purposes of cookies? |
- maintaining a state between pages e.g. basket - display personalised information e.g. ads - store subscription information - store an ID which is a key into a DB storing user info - allowing web analytics |
|
What are the security benefits of cookies |
Data is stored on client computer not server |
|
What are the security threats of cookies? |
- Ethical problems from profiling users - Anyone intercepting cookies can impersonate client and gain access to their information if a cookie stores access permission information - cookies can be modified by the users |
|
Explain compliance for cookies |
- Lots of legislation including UK law in 2011 - Requires site to obtain users' consent for setting cookies - most sites are compliant by informing user and assuming consent - some sites allow users to opt out of all but essential cookies, however this is stored in a cookie |
|
Cookie protection |
- can be disabled by client - can be encrypted by server - should have extra authentication for cookies containing sensitive information e.g. changing account details |
|
Other potential threats |
- Identity theft - Browsing history on shared computers - Web bugs (1x1 pixels) on sites or emails to track users and collect statistics |
|
Describe the general properties of firewalls |
- Act as a filter for traffic between two networks - They provide a single point of access - Ideally installed on a dedicated computer with only strictly necessary software installed to prevent lower performance or infection - Often combined with routers |
|
What are firewalls used to protect? |
LAN and webservers |
|
What is DMZ? |
A DMZ (demilitarised zone), e.g. for e-commerce websites, consists of an inner and an outer firewall around the web server |
|
List the types of firewall |
- Packet filters - Circuit level gateway - Proxies (Application level gateway) - Stateful inspection |
|
What are packet filters? |
Routers that filter packets at network layer level according to rules set up by the administrator |
|
How do routers filter packets? |
Packet by packet, depending on source and destination IP addresses, and port/protocol numbers |
|
Describe default behaviour of packet filters |
Default permit and default deny |
|
Disadvantages of packet filters? |
Do not care about data content, just destination. Simplistic inspection |
|
Describe the circuit level gateway firewall |
Works at transport layer, establishing two TCP connections and then replaying segments. Monitors the TCP handshake and only allows in data which is part of an established connection |
|
Advantages of the circuit level gateway firewall |
non-requested data from outside the firewall is not permitted - all ports are closed until the firewall opens them |
|
Disadvantages of the circuit level gateway firewall |
Any type of data requested from inside the firewall will be allowed through |
|
Describe proxies firewall |
Proxies act as an intermediary handling sent and received information for a particular application. There is a proxy for each application protocol (http, ftp, telnet); protocols with no proxy will not work |
|
Advantages of proxies firewall |
- more in depth than a circuit level gateway - considered very secure because of the offered level of control |
|
Disadvantages of proxies firewall |
Require significant configuration and slower because of the proxy applications |
|
Describe Stateful Inspection |
Combines filtering at 3 layers (network, transport, application). Keeps track of connections and takes filtering decisions based on the context. Holds in memory the state of each connection from start to finish |
|
What makes personal firewalls different? |
- different scale, typically designed for end users so will only protect the computer on which it is installed |
|
List the functionality of personal firewalls |
1. alert user to outgoing connection attempts 2. allows user to control program permissions 3. hide computer from port scans 4. monitor connections and traffic 5. prevent unwanted network traffic from local applications 6. options to block ICMP message e.g. ping |
|
Advantages of firewalls |
1. defines a single access point - easier to control 2. protection against network scanners, remote login, IP spoofing and routing 3. can be used to implement VPNs |
|
Limitations of firewalls |
- does not protect against internal threats - does not protect from data driven attacks (e.g. viruses, flaws in web server software) - can create a false sense of security |
|
Describe Intrusion Detection Systems |
- software tools that scan the network/host as it runs, alerting admin to signs of suspicious activity - keeps activity logs for auditing - very similar to IPS or IDPS |
|
IDS can monitor... |
a host or a network (can run in stealth mode) |
|
IDS can be based on... |
- statistical anomaly detection - rule-based/signature based detection (for known attacks) |