ITT501-Chapter 5

Chapter 5 of NETCENTRIC FUNDAMENTALS focuses on network security, covering key concepts such as confidentiality, authentication, and integrity, as well as various types of network attacks and vulnerabilities. It discusses different threat actors, including script kiddies, hacktivists, and state actors, and outlines security defenses like antivirus, firewalls, and encryption. The chapter emphasizes the importance of authentication methods and cryptography in maintaining secure communications and protecting data.

Uploaded by

nik

NETCENTRIC FUNDAMENTALS

(ITT501)

CHAPTER 5 –
NETWORK SECURITY
Overview of Network Security
• Fundamentals of Network Security
• Web Application security
• Network attacks
• Authentication Protocols
• Cryptography
• Auditing and logging
What is network security?
• confidentiality: only sender, intended receiver should
“understand” message contents
– sender encrypts message
– receiver decrypts message
• authentication: sender, receiver want to confirm identity of
each other
• message integrity: sender, receiver want to ensure message not
altered (in transit, or afterwards) without detection
• access and availability: services must be accessible and
available to users
Friends and enemies: Alice, Bob, Trudy
• well-known in network security world
• Bob, Alice (lovers!) want to communicate “securely”
• Trudy (intruder) may intercept, delete, add messages

[Figure: Alice (sender) and Bob (receiver) exchange data and control messages over a channel; each side has a “secure sender”/“secure receiver” component, and Trudy sits on the channel between them.]
Who might Bob, Alice be?
• … well, real-life Bobs and Alices!
• Web browser/server for electronic
transactions (e.g., on-line purchases)
• on-line banking client/server
• DNS servers
• routers exchanging routing table updates
• other examples?

There are bad guys (and girls) out there!
Q: What can a “bad guy” do?
A: a lot!
– eavesdrop: intercept messages
– actively insert messages into connection
– impersonation: can fake (spoof) source address
in packet (or any field in packet)
– hijacking: “take over” ongoing connection by
removing sender or receiver, inserting himself
in place
– denial of service: prevent service from being
used by others (e.g., by overloading resources)
Threat Actor
• A threat actor (also called a malicious actor) is
an individual or entity responsible for cyber
incidents against the technology equipment
of enterprises and users.
• The generic term attacker is also commonly
used.
• The motivation of an attack can be profit,
enjoyment, or vandalism; insiders have an
advantage because they already have access.
Threat Actor
• Script kiddies
– Script kiddies are individuals who want to perform
attacks, yet lack the technical knowledge to carry them
out.
– Script kiddies instead do their work by downloading
freely available automated attack software (scripts) and
use it to perform malicious acts.

• Hacktivists
– Individuals that are strongly motivated by ideology (for
the sake of their principles or beliefs) are hacktivists (a
combination of the words hack and activism).
– often involved breaking into a website and changing its
contents as a means of making a political statement.
Threat Actor
• State actors
– governments are increasingly employing their own state-
sponsored attackers for launching cyberattacks against their
foes.
– attacks from state actors are directed toward businesses in
foreign countries with the goal of causing financial harm or
damage to the enterprise’s reputation.

• Insiders
– A serious threat to an enterprise comes from its own
employees, contractors, and business partners, called insiders,
who pose an insider threat of manipulating data from the
position of a trusted employee.
– Harder to recognize because they come from within the
enterprise.
• others.
Vulnerability
• A vulnerability (from the Latin word for wound)
is defined as the state of being exposed to
the possibility of being attacked or harmed.
• Cybersecurity vulnerabilities can be
categorized into platforms, configurations,
third parties, patches, and zero-day
vulnerabilities.
Vulnerability
• Platforms
– Several vulnerabilities are the result of the platform being
used.
– Some platforms by their very nature have more serious
vulnerabilities.
– These include legacy platforms, on-premises platforms, and
cloud platforms.

• Third Parties
– Organizations often contract with third parties to assist them
in developing and writing a software program or app.
– This is called outsourced code development.
– If the security of the third party has any weaknesses, it can
provide an opening for attackers to infiltrate the
organization’s computer network.
Vulnerability
• Configurations
– Modern hardware and software platforms provide an array of
features and security settings that must be properly configured to
repel attack.
– Configuration settings are often not properly implemented, resulting
in weak configurations.
Vulnerability
• Patches
– A security patch is an officially released software security
update intended to repair a vulnerability.
– Patches can create vulnerabilities and difficulties such as
difficulty patching firmware, few patches for application
software and delays in patching.

• Zero Day
– A cyber attack targeting a software vulnerability which is
unknown to the software vendor or to antivirus vendors.
– Called a zero day because it provides zero days of warning.
– Considered extremely serious since systems are open to attack
with no specific patches available.
Impacts of Attacks
• Data

• Enterprise
– Reputation
Malware Attacks
• Malware is software that enters a computer system
without the user’s knowledge or consent and then
performs an unwanted and harmful action.
• Malware is most often used as the general term that
refers to a wide variety of damaging software programs.
• Malware is continually evolving to avoid detection by
improved security measures.
• Malware is grouped by its actions or operations into
the categories imprison, launch, snoop, deceive, and evade.
Malware Attacks
• Imprison
– Types of malware that attempt to take away the freedom
of the user to do whatever they want on their computer.
– Example: ransomware and cryptomalware.

• Launch
– Category of malware that infects a computer to
launch attacks on other computers.
– Example: virus, worm, and bot.

• Snoop
– Malware that “snoops” or spies on its victims.
– Example: spyware and keyloggers.
Malware Attacks
• Deceive
– Some malware attempts to deceive the user and hide its
true intentions.
– Example: potentially unwanted programs (PUPs), Trojans, and remote
access Trojans (RATs).

• Evade
– The final category of malware attempts to help malware or
attacks evade detection.
– Example: backdoor, logic bomb, and rootkit.
Application Attacks
• These attacks specifically target software applications that are already
installed and running on the device.
• These attacks look for vulnerabilities in the application or manipulate
the application in order to compromise it.
• A web server provides services that are implemented as “web
applications” through software applications running on the server.
• Application servers run the specific “web apps,” which in turn are
directly connected to database servers on the internal network.
• The multiple elements in a web application infrastructure provide
multiple attack points.
• Application attacks include scripting attacks, injection attacks,
request forgery attacks, and replay attacks.
Application Attacks
• Scripting attacks
– In a cross-site scripting (XSS) attack, a website that accepts user input without
validating it (called sanitizing) and uses that input in a response can be
exploited.
• Injection attacks
– Introduce new input to exploit a vulnerability.
– One of the most common injection attacks, called SQL injection, inserts
statements to manipulate a database server.
• Request forgery attacks
– Perform an attack by fabricating a request.
– Two types of request forgeries are cross-site request
forgery (CSRF) and server-side request forgery (SSRF).
• Replay attacks
– Copy data and then use it for an attack.
– The threat actor retransmits selected and edited portions of the copied
communications later to impersonate the legitimate user.
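The two application attacks the slide describes most concretely, SQL injection and cross-site scripting, both come down to user input being treated as code. The following added example (not code from the original slides) shows each defect beside its fix: a lookup that concatenates input into SQL versus a parameterised query, and a page that reflects input raw versus one that escapes it. The `users` table and its rows are constructed in memory so the script runs offline.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def lookup_vulnerable(conn, name):
    # The caller's text is pasted into the statement, so quotes and
    # keywords in it become part of the SQL: the injection defect.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_safe(conn, name):
    # Parameterised query: the driver sends the value separately from
    # the statement text, so it can only ever be compared as a string.
    query = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(query, (name,)))


def render_vulnerable(user_input):
    # Reflecting unsanitised input lets markup supplied by one visitor
    # be interpreted by another visitor's browser (cross-site scripting).
    return "<p>Hello " + user_input + "</p>"


def render_safe(user_input):
    # Escaping turns <, >, &, and quotes into entities, so the browser
    # displays the input as text instead of interpreting it as markup.
    return "<p>Hello " + html.escape(user_input, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"                 # classic injection string
    print(lookup_vulnerable(db, payload))    # every row is returned
    print(lookup_safe(db, payload))          # nothing matches
    print(render_safe("<script>alert(1)</script>"))
```

The sanitising step the slide mentions is `html.escape` in `render_safe`; for the database, the equivalent is the `?` placeholder in `lookup_safe`, which keeps data out of the statement text entirely rather than trying to filter it.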
Application Issues
• Administration
– Security awareness among those who manage the website and its content on a daily basis
is often not strong.
– More than just configuration: the administrator must also be aware of the implications of
the content and structure of the application.
– For example, remnant files like readme.txt or sample applications can reveal the
applications and versions in use. Backup files or improper application mapping can reveal
source code, including the information necessary to connect to the database.

• Application
– The application logic is not carefully constructed and does not include security
mechanisms.
– Input received is not tested, validated, and filtered.
– File calls are not properly developed; in particular, pulling files directly from the file system
can expose web page source code or system files.
– Unhandled (raw) error messages are a roadmap through the application and database.
– Structured database calls are not carefully developed, so any user input can
become part of the query.
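Two of the application issues above, file calls that pull directly from the file system and raw error messages sent to the client, can be handled in a few lines. This added example (not from the original slides) confines a requested file name to an assumed document root (`/srv/webapp/public`, a placeholder), refuses backup and editor copies that would leak source, and logs failure detail on the server while returning only a generic message. The `read_file` callback is injected so the example runs without a real web root.

```python
import logging
import posixpath

log = logging.getLogger("webapp")

# Assumed document root (placeholder path, not from the original slides).
PUBLIC_ROOT = "/srv/webapp/public"

# Suffixes that typically denote backup or editor copies of source files.
BLOCKED_SUFFIXES = (".bak", ".old", ".orig", "~", ".swp")


def resolve_public_path(root, requested):
    # Normalise the path and confine it to the document root so that
    # "../" segments cannot reach application source or system files.
    full = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if posixpath.commonpath([root, full]) != root:
        return None
    if full.endswith(BLOCKED_SUFFIXES):
        return None
    return full


def serve(root, requested, read_file):
    # read_file(path) -> str is injected so the example needs no real files.
    path = resolve_public_path(root, requested)
    if path is None:
        return 404, "Not found"
    try:
        return 200, read_file(path)
    except Exception as exc:
        # Detail goes to the server log; the client gets a generic message
        # rather than a stack trace that maps out the application.
        log.error("failed to serve %s: %r", path, exc)
        return 500, "Internal error"


if __name__ == "__main__":
    def demo_read(path):
        if path.endswith("site.css"):
            return "body { margin: 0 }"
        raise OSError("constructed failure with internal detail")

    for req in ("css/site.css", "../app.py", "config.php.bak", "missing.html"):
        print(req, "->", serve(PUBLIC_ROOT, req, demo_read))
```

`posixpath.commonpath` is the check that matters: after normalisation, any path that no longer starts with the root has escaped it, whatever mix of `..` and `/` produced it.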
Network Attacks
• A network attack is an attempt to gain
unauthorized access to an organization’s
network, with the objective of stealing data or
performing other malicious activity.
• The attacks target a network or a process that
relies on a network.
• Examples include interception attacks, Layer 2 attacks,
DNS attacks, distributed denial of service
attacks, and malicious coding and scripting
attacks.
Network Attacks
• Interception Attacks
– Some attacks are designed to intercept network
communications. Three of the most common
interception attacks are man-in-the-middle, session
replay, and man-in-the-browser attacks.
• Layer 2 Attacks
– Different layers work without the knowledge and
approval of the other layers. This means that if one
layer is compromised, the other layers are unaware
of any problem.
– Two common Layer 2 attacks are Address Resolution
Protocol (ARP) poisoning and Media Access Control (MAC) attacks.
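Because the layers above Layer 2 are unaware of an ARP problem, detection has to look at the ARP cache itself. This added example (not from the original slides) parses neighbour-table lines in the format printed by Linux `ip neigh` and raises two kinds of alert: a host whose MAC no longer matches a recorded baseline (here a constructed gateway entry), and one MAC address claiming more than one IP. The sample lines and the baseline are constructed for the example.

```python
import re

# Constructed baseline: the gateway's MAC as recorded when the network was set up.
BASELINE = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}

# Constructed sample output in `ip neigh` format; entries without a
# link-layer address (FAILED/INCOMPLETE) carry no MAC and are skipped.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:99 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:99 STALE
192.168.1.30 dev eth0 lladdr aa:bb:cc:dd:ee:30 REACHABLE
192.168.1.40 dev eth0 FAILED
"""

LINE_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9A-Fa-f:]{17}) (\S+)$")


def parse_neigh(text):
    # Map IP -> MAC for every entry that has a link-layer address.
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group(1)] = m.group(3).lower()
    return entries


def find_arp_anomalies(entries, baseline):
    alerts = []
    # 1. A known host answering from a different MAC than recorded.
    for ip, mac in baseline.items():
        seen = entries.get(ip)
        if seen and seen != mac:
            alerts.append("baseline mismatch: %s now at %s, expected %s"
                          % (ip, seen, mac))
    # 2. One MAC claiming several IPs, the usual footprint of a poisoned cache.
    by_mac = {}
    for ip, mac in entries.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append("duplicate MAC: %s claims %s" % (mac, sorted(ips)))
    return alerts


if __name__ == "__main__":
    for alert in find_arp_anomalies(parse_neigh(SAMPLE_NEIGH), BASELINE):
        print(alert)
```

A baseline check is only as good as the baseline, so the recorded MAC should be captured on a trusted network segment; the duplicate-MAC check needs no baseline at all and is the quicker of the two to deploy.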
Network Attacks
• DNS Attacks
– Exploit vulnerabilities found in the Domain Name
System (DNS) of a server.
– Attacks using DNS include DNS poisoning and DNS
hijacking.
• Distributed Denial of Service Attack
– An attack that floods a system with “bogus” requests,
overwhelming the system so that it cannot respond to
legitimate requests.
• Malicious Coding and Scripting Attacks
– Several successful network attacks come from malicious
software code and scripts. These attacks use PowerShell,
Visual Basic for Applications, the coding language Python,
and the Linux/UNIX Bash.
Security Defense
• Antivirus
– Examines a computer for file-based virus infections as well
as monitoring computer activity.
– Scans new documents that might contain a virus.
– If a virus is detected, options generally include cleaning
the file of the virus, quarantining the infected file, or
deleting the file.
• Antimalware
– Antimalware is a suite of software intended to provide
protection against multiple types of malware, such as
ransomware, cryptomalware, and Trojans.
– An antimalware suite also includes antispyware, which
helps prevent computers from becoming infected by
spyware.
Security Defense
• Web Browsers
– Web browsers have a degree of security that can protect
endpoint computers.
– This security includes secure cookies and HTTP headers.
• Encryption
– Encryption is the basic building block of data security. It is
the simplest and most important way to ensure a
computer system's information can't be stolen and read
by someone who wants to use it for malicious purposes.
– Data security encryption is widely used by individual
users and large corporations to protect user information
sent between a browser and a server.
Security Defense
• Firewalls
– A firewall uses bidirectional inspection to examine both
outgoing and incoming network packets.
– It allows approved packets to pass through but can take
different actions when it detects a suspicious packet.
– The actions are based on specific criteria or rules; these types
of firewalls are called rule-based firewalls.
• Proxy Servers
– Proxy servers are devices that act as substitutes on behalf of the primary device.
– Acting as the intermediary, a proxy server can provide a
degree of protection.
• It can look for malware by intercepting it before it reaches the
internal endpoint.
• A proxy server can hide the IP address of endpoints inside the secure
network so that only the proxy server’s IP address is used on the
open Internet.
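The rule-based firewall described in the Firewalls bullets above can be modelled in a few dozen lines. This added example (not from the original slides) evaluates packets in both directions against an ordered rule list, first match wins, with a default deny for anything no rule covers. The rule set and the 10.0.0.0/24 internal network are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from outside) or "out" (leaving)
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    direction: str           # "in", "out" or "any"
    src: str                 # CIDR block
    dst: str                 # CIDR block
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None matches every port

    def matches(self, p):
        return (self.direction in ("any", p.direction)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed rule set for an assumed 10.0.0.0/24 internal network:
# inbound HTTPS to one web server, outbound HTTPS and DNS, drop the rest.
RULES = [
    Rule("allow", "in", "0.0.0.0/0", "10.0.0.10/32", "tcp", 443),
    Rule("allow", "out", "10.0.0.0/24", "0.0.0.0/0", "tcp", 443),
    Rule("allow", "out", "10.0.0.0/24", "0.0.0.0/0", "udp", 53),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]


def evaluate(rules, packet, default="deny"):
    # First matching rule decides; a packet matching nothing gets the
    # default action, and deny is the safe default for a rule-based firewall.
    for index, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, index
    return default, None


if __name__ == "__main__":
    samples = [
        Packet("in", "203.0.113.5", "10.0.0.10", "tcp", 443),
        Packet("in", "203.0.113.5", "10.0.0.10", "tcp", 22),
        Packet("out", "10.0.0.5", "198.51.100.7", "udp", 53),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, pkt))
```

Rule order is part of the policy: moving the final deny rule to the top would silently block everything, which is why the function also returns the index of the rule that fired, so a log entry can say which rule made the decision.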
Security Defense
• Deception Instruments
– Deception can be used as a security defense by directing threat
actors away from valuable assets.
– Attackers are tricked into thinking what they are attacking is valuable
when it is not, or that their attack is successful when it is not.
– Creating network deception can involve creating and using
honeypots and sinkholes.
• Intrusion Detection and Prevention Systems
– An intrusion detection system (IDS) can detect an attack as it occurs
– An intrusion prevention system (IPS) attempts to block the attack.
– An inline system is connected directly to the network and monitors
the flow of data as it occurs.
– A passive system is connected to a port on a switch, which receives a
copy of network traffic.
Security Defense Others
• Patch management
• Operating System configuration and
management.
• Application development and management.
Authentication
• Authentication in information security is the process of
ensuring that the person or system accessing resources
is authentic and not an imposter.
• Common elements that can be used as an authentication
credential are something you know, something you have,
something you are, and something you can do.
• Types of authentication by number of credentials:
– Using just one type of authentication is called single-factor
authentication.
– Using two types is called two-factor authentication (2FA).
– Multifactor authentication (MFA) combines what a user
knows (the password) with what the user has.
Something You Know
• The most common IT authentication credential is
information that only the user
would know.
• A password is a secret combination of letters,
numbers, and/or characters.
• Despite their widespread use, passwords
provide weak protection and are constantly
under attack.
Something You Have
• Another type of authentication credential is based on
the approved user having a specific item in his
possession (something you have).
• Smart Cards
– A smart card is a credit-card-sized plastic card that can
hold information to be used as part of the authentication
process.
• Windowed Tokens
– A hardware windowed token is typically a small device
(usually one that can be affixed to a keychain, called a key
fob) with a window display.
– It displays a one-time password (OTP), which is an
authentication code that can be used only once or for a
limited period of time.
Something You Have
• Smartphones
– Because smartphones are ubiquitous and carried by users
virtually everywhere, they can be used for
authentication by a wide range of users without
the need for an additional device.
– A smartphone (something they have) can also be
used as the second authentication factor.
Something You Are
• This type of authentication involves
physiological biometrics and cognitive
biometrics.
• Commonly used biometrics include iris, retina, voice,
and facial recognition.
Cryptography
• Cryptography is the practice of transforming
information so that it cannot be understood by
unauthorized parties and, thus, is secure.
• Cryptography is usually accomplished through
“scrambling” the information so that only approved
recipients (either human or machine) can
understand it.
• When using cryptography, the process of changing
the original text into a scrambled message is known
as encryption. The reverse process is decryption.
• Cryptography protects data in any of three states: data in
processing, data in transit, and data at rest.
Cryptography Use Cases
Category of Cryptography
• Symmetric Cryptographic Algorithms
• Asymmetric Cryptographic Algorithms
• Hash Algorithms
Symmetric Cryptographic Algorithms

• Cryptography that uses the same key to
encrypt and decrypt the data.
– Data encrypted by Bob with a key can only be
decrypted by Alice using that same key.
• Because the key must be kept private (confidential),
symmetric encryption is also called private
key cryptography.
Asymmetric Cryptographic Algorithms
• Asymmetric encryption uses two keys instead of
only one known as the public key and the private
key.
• The public key is known to everyone and can be
freely distributed.
• The private key is known only to the individual to
whom it belongs.
• Also known as public key cryptography.
Hash Algorithms
• A hash algorithm creates a unique “digital
fingerprint” of a set of data.
• This process is called hashing, and the resulting
fingerprint is a digest (sometimes called a
message digest or hash) that represents the
contents.
• Hashing is intended to be one-way in that its
digest cannot be reversed to reveal the original
set of data.
Hash Algorithms
• The purpose is not to create ciphertext that can
later be decrypted; a digest is used primarily for
comparison purposes.
• Hashing is often used as a check to verify that the
original contents of an item have not been changed.
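The comparison use of a digest is the message-integrity goal from the start of the chapter: Bob recomputes the fingerprint and compares it with the one Alice sent. This added example (not from the original slides) shows that check with SHA-256, shows how much the digest changes when one character of the input changes, and then adds the keyed variant (HMAC) that a plain hash lacks: Trudy can alter a message and recompute its hash, but cannot recompute an HMAC without the key. The messages and key are constructed for the example.

```python
import hashlib
import hmac


def digest(data):
    # One-way fingerprint: fixed length, cannot be reversed to the data.
    return hashlib.sha256(data).hexdigest()


def unchanged(data, known_digest):
    # Integrity check: recompute and compare with the digest recorded earlier.
    return hmac.compare_digest(digest(data), known_digest)


def hex_difference(a, b):
    # Count differing hex positions; a one-character change to the input
    # alters roughly half of the digest (the avalanche property).
    return sum(1 for x, y in zip(a, b) if x != y)


def tag(key, data):
    # Keyed digest (HMAC): only holders of the key can produce it, so it
    # proves origin as well as integrity. A plain hash does not, because
    # whoever alters the data can also recompute its hash.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authentic(key, data, known_tag):
    return hmac.compare_digest(tag(key, data), known_tag)


if __name__ == "__main__":
    original = b"pay 100 to bob"            # constructed message
    altered = b"pay 900 to bob"
    d = digest(original)
    print(d)
    print(unchanged(original, d), unchanged(altered, d))        # True False
    print(hex_difference(d, digest(altered)), "of 64 hex digits differ")

    key = b"key shared by Alice and Bob (constructed)"
    t = tag(key, original)
    print(authentic(key, original, t))                          # True
    print(authentic(key, altered, t))                           # False
    # Trudy can forge a matching plain hash, but not a matching tag:
    print(unchanged(altered, digest(altered)), authentic(b"guess", altered, t))
```

Both comparisons go through `hmac.compare_digest` rather than `==`, so the time taken does not depend on how many leading characters matched.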
Auditing
• Computer security audits are technical assessments
(gathering, analyzing, and studying) conducted on
applications, systems, or networks.
• Audits can be done manually or with computer
programs.
• Monitoring does not constitute an audit, but audits
usually include monitoring.
• A security administrator wants to know who did what
to a particular resource and when that person did it.
Auditing Activities
• Manual assessments usually include the
following:
– Review of security logs
– Review of access control lists
– Review of user rights and permissions
– Review of group policies
– Performance of vulnerability scans
– Review of written organization policies
– Interviewing organization personnel
Logging
• The Security log can show whether a user was
successful at doing a variety of things, including
logging on to the local computer or domain;
accessing, modifying, or deleting files; modifying
policies; and so on.
• All these Security log events can be referred to
as audit trails.
• Audit trails are records or logs that show the
tracked actions of users, whether the user was
successful in the attempt or not.
Logging
• A security administrator should monitor this
log file often to keep on top of any breaches,
or attempted breaches, of security.
• By periodically reviewing the logs of
applications, operating systems, and network
devices, we can find issues, errors, and
threats quickly and increase our general
awareness of the state of the network.
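Periodic log review can be scripted. This added example (not from the original slides) parses a handful of constructed syslog-style SSH logon lines, builds the "who did what, from where, and did it succeed" view the Auditing slide asks for, and flags the pattern a reviewer most wants to see: a run of failed logons followed by a success from the same source. The log lines, host name and addresses (documentation ranges) are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines (syslog-like sshd messages, documentation IP ranges).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z host1 sshd: Failed password for alice from 203.0.113.5
2024-05-01T08:00:03Z host1 sshd: Failed password for alice from 203.0.113.5
2024-05-01T08:00:05Z host1 sshd: Failed password for alice from 203.0.113.5
2024-05-01T08:00:07Z host1 sshd: Failed password for alice from 203.0.113.5
2024-05-01T08:00:09Z host1 sshd: Accepted password for alice from 203.0.113.5
2024-05-01T08:01:00Z host1 sshd: Accepted publickey for bob from 198.51.100.7
2024-05-01T08:02:00Z host1 sshd: Failed password for root from 198.51.100.9
2024-05-01T08:02:30Z host1 sshd: Accepted publickey for bob from 198.51.100.7
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) "
    r"(?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)$")


def parse_events(text):
    # Each audit-trail record: who, from where, which method, and the outcome.
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def audit_logons(events, threshold=3):
    # Per (user, source): count failures, and flag a success that follows
    # at least `threshold` failures, the footprint of password guessing
    # that eventually worked.
    failures = defaultdict(int)
    alerts = []
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "Failed":
            failures[key] += 1
        elif failures.get(key, 0) >= threshold:
            alerts.append("%s: %d failures then success for %s from %s"
                          % (e["ts"], failures[key], e["user"], e["src"]))
    return dict(failures), alerts


if __name__ == "__main__":
    failures, alerts = audit_logons(parse_events(SAMPLE_LOG))
    for (user, src), n in sorted(failures.items()):
        print("%-6s %-14s %d failed" % (user, src, n))
    for alert in alerts:
        print("ALERT", alert)
```

The same loop structure extends to the other Security log events the slide lists (file access, policy changes): parse each record into the same who/what/where/outcome shape, then write the rule as a condition over the sequence.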
References
• Rudra, Bhawana. Flexible Network
Architectures Security (p. 116). CRC Press,
Kindle Edition, 2018.
• James Kurose and Keith Ross, "Computer
Networking: A Top-Down Approach", Seventh
Edition, Chapter 8.
• David Prowse, CompTIA Security+ SY0-501
Cert Guide (Certification Guide), 4th Edition
(2018), Chapter 13.
THANK YOU
