Chapter 22

Describe Key Security Concepts

It is often tempting to drill right down into the specific technologies that you use to secure network devices, but it is important to take a high-level look at the problems you are striving to guard against. This chapter examines the modern information technology security landscape. It also speaks in general terms about common mitigation and prevention techniques.

This chapter covers the following essential terms and components:

  • Threats

  • Vulnerabilities

  • Exploits

  • Mitigation

  • Security program

Topic: Describe modern threats, vulnerabilities, and exploits

CramSaver

If you can correctly answer these CramSaver questions, save time by skimming the ExamAlerts in this section and then completing the CramQuiz at the end of this section and the Review Questions at the end of the chapter. If you are in doubt at all, read everything in this chapter!

1. You notice many ping sweeps against your perimeter devices. What form of attack is this most likely to be?

_________

2. What type of attack uses botnets?

_________

Answers

1. Reconnaissance

2. DDoS attack
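CramSaver question 1 says a burst of ping sweeps is reconnaissance. The following is an added example, not from the original chapter, of how a practitioner would spot that pattern in router logs: it parses ICMP echo-request denials, and flags any source that probes at least `min_targets` distinct destinations inside a sliding time window. The log lines are constructed for the example in the style of Cisco IOS ACL logging (`%SEC-6-IPACCESSLOGDP`), and the window and threshold values are assumptions to tune for your own network.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, not real device output. Format mimics IOS ACL logging:
# "... denied icmp <src> -> <dst> (<type>/<code>), N packet".
SAMPLE_LOG = """\
Mar 15 10:00:01 edge-rtr 101: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 203.0.113.5 -> 192.0.2.1 (8/0), 1 packet
Mar 15 10:00:01 edge-rtr 102: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 203.0.113.5 -> 192.0.2.2 (8/0), 1 packet
Mar 15 10:00:02 edge-rtr 103: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 203.0.113.5 -> 192.0.2.3 (8/0), 1 packet
Mar 15 10:00:02 edge-rtr 104: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 198.51.100.7 -> 192.0.2.1 (8/0), 1 packet
Mar 15 10:00:03 edge-rtr 105: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 203.0.113.5 -> 192.0.2.4 (8/0), 1 packet
Mar 15 10:00:03 edge-rtr 106: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 203.0.113.5 -> 192.0.2.5 (0/0), 1 packet
Mar 15 10:00:04 edge-rtr 107: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 203.0.113.5 -> 192.0.2.5 (8/0), 1 packet
Mar 15 10:00:04 edge-rtr 108: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 203.0.113.5 -> 192.0.2.6 (8/0), 1 packet
Mar 15 10:00:09 edge-rtr 109: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 198.51.100.7 -> 192.0.2.1 (8/0), 1 packet
Mar 15 10:00:30 edge-rtr 110: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 198.51.100.7 -> 192.0.2.9 (8/0), 1 packet
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) .*?denied icmp "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<type>\d+)/(?P<code>\d+)\)"
)


def parse_icmp_events(text):
    """Return (timestamp, src, dst) for every echo request (ICMP type 8), sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("type") != "8":   # replies and other ICMP types are not probes
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year is irrelevant here
        events.append((ts, m.group("src"), m.group("dst")))
    events.sort()
    return events


def detect_ping_sweeps(text, window_seconds=60, min_targets=5):
    """Map src -> peak number of distinct targets probed within any window of window_seconds."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) still inside the window
    peak = defaultdict(int)
    for ts, src, dst in parse_icmp_events(text):
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {src: n for src, n in peak.items() if n >= min_targets}


if __name__ == "__main__":
    for src, n in detect_ping_sweeps(SAMPLE_LOG).items():
        print(f"possible ping sweep from {src}: {n} distinct hosts probed")
```

Counting distinct destinations rather than raw packet volume is what separates a sweep from a host that is merely pinging one target repeatedly; the second source in the sample sends three packets but only reaches two hosts, so it is not flagged at the default threshold.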

Modern networks are undergoing more attacks than ever before; these attacks are of a wider variety and from more sources than in the past. Today, there are huge variations in the motivations of attackers. At one time, fame, curiosity, and the desire for easy money primarily motivated computer criminals. Today, entire nation-states, with seemingly infinite resources, field attackers for political reasons.

Here is just a partial list of some of the most common threats in cybersecurity today that you should be aware of for the CCNA 200-301 exam:

  • Computer viruses: Viruses are among the oldest threats, and they persist today. A virus is a piece of malicious code that attaches itself to a legitimate program or file and spreads when that file is run or copied; once active, it can damage the system or steal data. The need for a host file to spread is what distinguishes a virus from a worm.

  • Malware: The industry needed a very broad term to describe the many different types of software that are intentionally designed to disrupt, damage, or gain unauthorized access to a computer, server, client, or computer network. Malware (short for malicious software) is that term. It is an umbrella term for viruses, worms, ransomware, Trojan horses, adware, spyware, rootkits, and so on.

  • Trojan horse: With this type of threat, the code that attacks or steals data from a system is hidden behind what appears to be a legitimate application or website. These attacks often spread via email: an attachment or a link to a download is sent to you, you download and install the application, and the attacking code is then executed with your privileges. Unlike a virus or a worm, a Trojan does not replicate itself; it relies on the user to run it.

  • Adware and spyware: Adware may sneak onto your computer or trick you into installing it by appearing to be some useful little utility or full program. This software then presents ads in the form of banners or popup windows. Spyware is more dangerous. This software watches and records your actions (keystrokes, credentials, browsing, screenshots) and is often a critical step in a larger attack against a system.

  • Worm attack: In this type of attack, malicious code spreads from system to system across the network on its own, without any user action. It does this by replicating itself onto another system from the system where it was originally running, typically by exploiting a vulnerability in a network-facing service. Worms not only spread but can also cause damage, such as conducting denial-of-service (DoS) attacks or stealing data, and the replication traffic itself can saturate links.

  • Distributed denial-of-service (DDoS) attack: DDoS attacks are feared today. Such an attack attempts to make services or entire systems unavailable by flooding them with traffic or requests from many sources at once. DDoS attacks often employ botnets, which are networks of compromised hosts (also called zombies) whose owners have no idea they are taking part in the attack. Over the years, DDoS attacks have succeeded in taking down major portions of the public Internet. Note that parts of the Internet have also gone offline not as a result of DDoS attacks but as a result of fat fingering or other non-malicious mistakes.

  • Phishing: Phishing is a popular social engineering attack. In this type of attack, a malicious party sends an email that is carefully constructed to look legitimate. It might pretend to be from a bank and ask the recipient to enter a username and password on a website linked in the email. Of course, this website is also constructed to appear completely legitimate. Spear phishing is a phishing attack that is customized for and targets a particular person.

  • Rootkit: A rootkit is a collection of software tools that are installed on a system to ultimately provide the attacker with full administrative (root) control over a device. A rootkit typically also hides its own presence, for example by modifying the operating system so that its files and processes do not appear in normal listings, which is what makes it so hard to detect and remove.

  • SQL injection attack: This type of attack leverages the fact that most applications and sites are powered by SQL-based databases, and that many of them build database queries by concatenating user input directly into the query text instead of validating it or passing it as a parameter. In a SQL injection attack, malicious SQL code is injected into the system through a form field, URL parameter, or other input, with the goal of extracting or modifying data, bypassing authentication, or simply denying service to the system.

  • Man-in-the-middle: In this type of attack, a system inserts itself into the communication path between two devices and relays their traffic. Simple eavesdropping is passive: the attacker only observes the traffic and, if it is encrypted, would still have to break the encryption to read it. A man-in-the-middle attack is active: the attacker impersonates each end device to the other, terminating a separate encrypted session with each side, so that the data passes through the attacker in the clear and can be read or modified before it is forwarded. Techniques such as ARP spoofing and rogue DHCP servers are common ways of getting into the path on a LAN, which is why the switch security features covered in this book matter.

  • Ransomware: This is malware that encrypts a system’s data (or locks the system itself) and then offers the decryption key for a fee. Reliable, offline backups are the main recovery path when prevention fails.

  • Data exfiltration: In this type of attack, a system’s data is copied to an external system by an unauthorized attacker or by malware.

Note

This is a partial list of modern attacks. There are currently more variations than this, and new attack types are invented all the time. Any one attack may involve several of the above terms and attack types. For example, malware may be placed onto a network by a phishing attack and spread on the network as a worm. It may then install a rootkit, exfiltrate data, and encrypt all the data in order to ask for ransom. The ransom could include a fee for decryption keys as well as for not publicly releasing the exfiltrated data.
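The SQL injection item in the list above is easiest to understand with the vulnerable code next to the hardened version. The following is an added example, not code from the original chapter, and uses a constructed in-memory SQLite table with two made-up accounts. The vulnerable login builds the query by string formatting, so the input `admin' --` ends the string early and comments out the password check; the safe login binds the same input as a parameter, so it is compared as data and never parsed as SQL.

```python
import sqlite3

# Constructed sample table for the demo (hypothetical accounts, not from the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("admin", "hunter2", "admin")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is pasted into the query text, so it becomes SQL."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Hardened: placeholders bind the input as values, never as query syntax."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    conn = make_db()
    # 'admin' -- closes the quoted string and turns the rest of the line into a comment,
    # so the password condition is never evaluated by the vulnerable version.
    payload = "admin' --"
    bypass = login_vulnerable(conn, payload, "wrong")    # -> [('admin', 'admin')]
    blocked = login_safe(conn, payload, "wrong")         # -> []
    # The classic tautology returns every row from the vulnerable version.
    dump = login_vulnerable(conn, "' OR '1'='1", "' OR '1'='1")
    return bypass, blocked, dump


if __name__ == "__main__":
    print(demo())
```

Note that sqlite3 refuses to run more than one statement per `execute()` call, so a `'; DROP TABLE users; --` payload fails here even in the vulnerable version; on database drivers that allow stacked queries, the same string-formatting bug also permits that destructive variant, which is the "denying service" case the chapter mentions.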

In addition to understanding the modern-day threats against you and your systems, you should also be aware of several other terms in cybersecurity:

  • Vulnerability: A vulnerability is a bug or a misconfiguration of a computer system that could lead to a successful attack. A big part of defending systems today involves efficiently and effectively scanning these systems for vulnerabilities and keeping them patched.

  • Exploit: An exploit involves software written specifically to utilize a vulnerability to execute an attack. Standalone exploits are often software version specific, which is why cybercriminals have developed exploit kits, which are toolkits that can leverage a whole slew of vulnerabilities, across platforms and operating systems.

  • Zero-day attack: A zero-day vulnerability is one that is unknown to the vendor and the defenders, so there has been zero days to prepare a patch; a zero-day attack is an attack that exploits such a vulnerability before a fix exists. Ethical actors (such as security researchers, ethical hackers, and companies) are constantly combing through networks and source code to identify vulnerabilities, but so are unethical actors. An ethical actor who identifies a new vulnerability usually follows a “responsible disclosure” process so that a patch is developed and deployed quickly, before public disclosure of the vulnerability. A malicious actor, on the other hand, is likely to develop an exploit for the vulnerability and either use it to attack victims or sell it on the black market. There is no way to completely protect against zero-day attacks, which is why layered defenses and detection of post-exploitation behavior matter rather than patching alone.

CramQuiz

1. What type of attack involves emails that appear to be sent from legitimate sources?

A. Rootkit

B. Man-in-the-middle attack

C. Phishing

D. DoS attack

2. What set of tools seeks to gain full administrative access to a system?

A. Rootkit

B. Man-in-the-middle

C. Ransomware

D. Spyware

CramQuiz Answers

1. C is correct. Phishing attacks, which are very common today, involve emails pretending to be from legitimate sources.

2. A is correct. A rootkit is used to gain administrative access to a system.

Topic: Describe common mitigation techniques and security program elements

CramSaver

1. What is often the best approach to social engineering mitigation?

_________

2. What are three common types of characters you can require in a password in order to make the password more secure?

_________

_________

_________

Answers

1. End-user training

2. Mixed case, numerals, and special characters

Mitigation techniques are at least as numerous as the common types of attacks, thanks to the move to provide “defense in depth” in a highly secured network environment: no single control is expected to stop everything, so controls are layered. Security mitigation begins at the end user, in the form of specialized training, and continues to the host workstation, the switch or access point the user connects to, and onward to the routers and various devices and media handling the traffic from that point forward.

Cisco devices have inherent network security features, and there are also specialized technologies you can add to the network. Here are some that you should be familiar with for the CCNA 200-301 exam:

  • AAA (authentication, authorization, and accounting): Authentication deals with the attempt to prove a user’s identity, authorization tries to dictate what a user can do, and accounting seeks to carefully track and measure what a user does.

  • ACLs (access control lists): ACLs provide additional layers of security and can be applied in many different precise locations in a network, such as inbound or outbound on a specific router interface or on the vty lines that accept management sessions. ACLs act as simple packet filters, dropping unwanted traffic based on addresses, protocols, and ports. Remember that entries are evaluated top to bottom with the first match winning, that every ACL ends with an implicit deny, and that a standard ACL is stateless, so it is not a substitute for a stateful firewall.

  • Security management features: Cisco devices offer various built-in mechanisms to assist with securing the required management network traffic and helping to keep the devices secure. Mechanisms include SSH, SNMPv3, RADIUS, TACACS+, and many others. Be sure you are aware of the versions in use on your devices. For example, SNMPv2c relies on a community string sent in clear text and offers nowhere near the security of SNMPv3, which adds per-user authentication and encryption.

  • Cryptographic features: SSH, IPsec, and SSL/TLS support are built into the K9 (crypto-enabled) IOS images.

  • Security appliances and applications: You can add many different variations of these technologies to the network. Common additions include next-generation firewalls (NGFWs), intrusion prevention systems (IPSs), and intrusion detection systems (IDSs). An IPS sits inline in the traffic path, analyzes traffic, identifies attacks, and drops the offending packets. An IDS typically receives a copy of the traffic out of band, so it excels at detecting attacks and notifying administrators but cannot block them by itself.
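The ACL item above says that entries are matched first-match-wins with an implicit deny at the end. The following is an added example, not code from the original chapter or from Cisco, that models those two rules in Python so you can test an access list before typing it into a device. The list `ACL_110` is hypothetical, written as tuples rather than IOS syntax; the third entry is deliberately placed after a deny that already covers it, the ordering mistake that `shadowed_entries()` reports.

```python
import ipaddress

# Hypothetical extended ACL as (action, protocol, source, destination, dest_port).
# "any" matches every address; a port of None means "any port" and protocol
# "ip" matches every protocol, mirroring the corresponding IOS keywords.
ACL_110 = [
    ("permit", "tcp",  "any",        "192.0.2.10/32", 443),
    ("deny",   "tcp",  "any",        "192.0.2.10/32", 22),
    ("permit", "tcp",  "10.0.0.0/8", "192.0.2.10/32", 22),   # never reached: shadowed by the deny above
    ("permit", "icmp", "10.0.0.0/8", "any",           None),
    # Cisco IOS appends an invisible "deny ip any any" here.
]


def _match_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate_acl(acl, proto, src, dst, dport=None):
    """Return (action, index of matching entry); the first match wins, as on IOS."""
    for index, (action, p, s, d, port) in enumerate(acl):
        if p not in ("ip", proto):
            continue
        if not (_match_net(s, src) and _match_net(d, dst)):
            continue
        if port is not None and port != dport:
            continue
        return action, index
    return "deny", None   # implicit deny at the end of every IOS ACL


def _covers(broad, narrow):
    """True if every address in `narrow` is also in `broad`."""
    if broad == "any":
        return True
    if narrow == "any":
        return False
    return ipaddress.ip_network(narrow, strict=False).subnet_of(
        ipaddress.ip_network(broad, strict=False))


def shadowed_entries(acl):
    """Indexes of entries that can never match because an earlier entry already covers them."""
    shadowed = []
    for i, (_, p_i, s_i, d_i, port_i) in enumerate(acl):
        for _, p_j, s_j, d_j, port_j in acl[:i]:
            if (p_j in ("ip", p_i) and _covers(s_j, s_i)
                    and _covers(d_j, d_i) and port_j in (None, port_i)):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    print(evaluate_acl(ACL_110, "tcp", "203.0.113.9", "192.0.2.10", 443))   # ('permit', 0)
    print(evaluate_acl(ACL_110, "tcp", "10.1.1.1", "192.0.2.10", 22))       # ('deny', 1)
    print(evaluate_acl(ACL_110, "udp", "10.1.1.1", "192.0.2.10", 53))       # ('deny', None)
    print(shadowed_entries(ACL_110))                                         # [2]
```

The UDP lookup shows the implicit deny in action: nothing permits UDP, so the packet is dropped even though no entry mentions it. The shadow check is a conservative one (it only compares address ranges and ports), but it catches the most common IOS ACL mistake, a specific permit placed below a broader deny.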

Another important ingredient in the overall security posture of an organization is the security policy. It is actually quite frightening to think about the number of organizations that don’t have such policies today! Common (and important) elements of a security policy for an enterprise include the following:

  • End-user security awareness training

  • End-user security policy training

  • Physical access control

  • Patch management

  • Audits

  • Backups (specifically for protection against ransomware)

Of course, an important component of most security policies and training programs for the enterprise is the password policy. It places strict measures on how passwords must be chosen and used in the organization. Here you set password complexity rules. These typically include

  • A length requirement

  • A password expiration requirement

  • A unique password over time requirement

  • A complexity requirement; for example, requiring mixed case, special characters, and numerals
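The four password rules above, as an added example that is not part of the original chapter: a small checker that enforces length and complexity, rejects reuse by comparing the candidate against salted PBKDF2 hashes of the previous passwords (so the old passwords themselves are never stored), and reports when a password has passed its maximum age. The numbers in `POLICY` and the sample passwords are assumptions for the demo, not values recommended by the chapter.

```python
import hashlib
import os
from datetime import date

# Hypothetical policy values; set these to the organization's own rules.
POLICY = {"min_length": 12, "max_age_days": 90, "history": 5}


def _hash(password, salt):
    """Salted PBKDF2-HMAC-SHA256 so stored history cannot be reversed into passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_complexity(password, min_length=POLICY["min_length"]):
    """Return the names of the rules the candidate fails (empty list means it passes)."""
    failures = []
    if len(password) < min_length:
        failures.append("length")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append("mixed_case")
    if not any(c.isdigit() for c in password):
        failures.append("numeral")
    if not any(not c.isalnum() for c in password):
        failures.append("special")
    return failures


class PasswordRecord:
    """Per-user state: hashed history (most recent last) and the date of the last change."""

    def __init__(self):
        self.history = []        # list of (salt, pbkdf2 hash)
        self.changed_on = None

    def set_password(self, password, today):
        """Apply the policy; return the list of failures, or [] if the change was accepted."""
        failures = check_complexity(password)
        if failures:
            return failures
        if any(_hash(password, salt) == digest for salt, digest in self.history):
            return ["reuse"]     # matches one of the last POLICY["history"] passwords
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-POLICY["history"]:]
        self.changed_on = today
        return []

    def is_expired(self, today):
        """True when no password is set or the last change is older than max_age_days."""
        if self.changed_on is None:
            return True
        return (today - self.changed_on).days > POLICY["max_age_days"]


if __name__ == "__main__":
    rec = PasswordRecord()
    print(rec.set_password("password", date(2024, 1, 1)))                  # fails four rules
    print(rec.set_password("Correct-Horse-Battery-9", date(2024, 1, 1)))   # []
    print(rec.set_password("Correct-Horse-Battery-9", date(2024, 2, 1)))   # ['reuse']
    print(rec.is_expired(date(2024, 4, 15)))                               # True
```

Keeping only salted hashes in the history is the detail worth copying: the reuse check still works, but a stolen history file does not hand the attacker the user's previous passwords, which are frequently still valid on other systems.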

CramQuiz

1. What secure option exists for remote access to the Cisco device?

A. Telnet

B. syslog

C. FTP

D. SSH

2. What version of SNMP is considered the most secure?

A. SNMPv2c

B. SNMPv2

C. SNMPv3

D. SMTP 4

CramQuiz Answers

1. D is correct. Secure Shell (SSH) is commonly used to securely access a CLI on a network device for remote access; it authenticates the device and encrypts the session, whereas Telnet sends credentials and commands in clear text.

2. C is correct. SNMPv3 adds many robust security options to SNMP, including authentication and encryption options.

Review Questions

1. What attack method locks out a system or even encrypts it and then offers to unlock it in exchange for money?

A. Worm

B. Man-in-the-middle

C. Phishing

D. Ransomware

2. What is a bug in a system that might be a target of an exploit?

A. Vulnerability

B. Rootkit

C. SSH

D. IPsec

Answers to Review Questions

1. D is correct. Ransomware is an attack that locks a system or encrypts it. The attacker then offers to accept payment to unlock the affected system.

2. A is correct. A vulnerability is a weakness or a break in a system that can be exploited.

Additional Resources

What Is a DDoS Attack?

https://www.cisco.com/c/en/us/products/security/what-is-a-ddos-attack.html

Exploit Kits

https://www.cyber.nj.gov/threat-profiles/exploit-kits

User Security Configuration Guide

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-mt/sec-usr-cfg-15-mt-book/sec-autosecure.html
