Federal Information Security Management Act (FISMA)
passed in 2002, requiring federal civilian agencies to provide security controls over resources that support federal operations
Federal Information Security Modernization Act (FISMA)
passed in 2014, enacted to update FISMA 2002 with information on modern threats as well as security controls and best practices
Sarbanes-Oxley Act (SOX)
-passed in 2002, requires publicly traded companies to submit accurate and reliable financial reporting
-does not require securing private information, but does require security controls to protect the confidentiality and integrity of the reporting itself
Gramm-Leach-Bliley Act (GLBA)
passed in 1999, requires all types of financial institutions to protect customers' private financial information
Health Insurance Portability and Accountability Act (HIPAA)
passed in 1996, requiring health care organizations to implement security and privacy controls to ensure patient privacy
Children's Internet Protection Act (CIPA)
passed in 2000 and updated in 2011, requires public schools and public libraries to use an Internet safety policy
Children's Internet Protection Act (CIPA) policy
-Restricting children's access to inappropriate matter on the Internet
-Ensuring children's security when they are using email, chatrooms, and other electronic communications
-Restricting hacking and other unlawful activities by children online
-Prohibiting the disclosure and distribution of personal information about children without permission
-Restricting children's access to harmful materials
-Warning children about the use and dangers of social media
Family Educational Rights and Privacy Act (FERPA)
passed in 1974, protects the private data of students and their school records
General Data Protection Regulation (GDPR)
-regulation in EU law that protects each EU citizen's individual data; gives individuals ownership of their personal data and limits how that data can be collected and used
-covers the data that flows into and out of EU information systems
"Black Hat" [BAD]
-malicious hacker who breaks into the systems illegally for personal gain, revenge or criminal activity
-steals data like credit cards and personal info
-installs malware or ransomware
-breaks into systems without permission
-causes damage or disruption
"White Hat" [GOOD]
-ethical hacker who is authorized to hack systems to find vulnerabilities and help organizations stay secure
-penetration testing
-reporting vulnerabilities to companies
-improving systems' security defenses
-monitors the blue hat hackers and the red hat hackers
"Grey Hat" [MIX]
-a hacker who works between white and black hats; hacks without permission, but usually doesn't intend harm
-finds vulnerabilities in systems without permission
-sometimes publicly exposes flaws (even if the company didn't ask)
-may ask for payment after reporting a bug
"Script Kiddie" [BAD mostly]
-beginner hacker with little technical knowledge who uses existing tools, scripts, or software made by real hackers
-runs malware someone else made
-uses downloadable hacking tools
-attempts to cause chaos for fun or attention
"Hacktivist" [MIX]
-a hacker who attacks systems for political, social, or ideological reasons
-website defacement
-leaking government or organization data
-launching DDoS attacks to make a statement
"State-sponsored Hacker" [MIX]
-professional hackers funded by a government to conduct espionage or cyberattacks against other nations
-stealing military secrets
-targeting critical infrastructure (power, water, telecom)
-spying on political figures
-disrupting services during conflicts
"Blue Hat" [GOOD]
-a hacker invited by a company to test systems before release, similar to a temporary external tester
-pre-launch vulnerability testing
-bug-finding events
"Red Hat" [MIX]
-a hacker who targets black hats aggressively like a vigilante, fighting criminals using hacking techniques
-attacking black hat hackers
-destroying malware servers
-taking down criminal infrastructure
"Green Hat" [GOOD]
-a beginner hacker who is eager to learn and actively studying hacking techniques
-watches tutorials, practices in labs
-learns coding, networking, and attack modes
"Red Team" [GOOD]
-security professionals who simulate real cyberattacks against an organization to test defenses
-social engineering
-breaking into physical buildings
-pen-testing networks
"Blue Team" [GOOD]
-defenders who protect organizations from attacks and monitor systems
-incident response, monitor logs, detect intrusions, and stop attacks
"Purple Team" [GOOD]
-a combination of red and blue team skills; helps both sides improve
-coordinating between the attack and defense teams
-sharing tactics, techniques, and lessons
risk
-level of exposure to some event that has an effect on an asset, usually the likelihood that something bad will happen to an asset
-chance (likelihood) that a threat will exploit a vulnerability, AND the impact it would cause
-formula: risk = threat × vulnerability × impact
-the chance AND the damage
vulnerability
-a weakness in a system that can be exploited
-a flaw/gap in security, making an attack possible
-NO damage
-the weakness
threat
-anything that has the potential to cause harm by exploiting a vulnerability
-can be a person, a condition, or a natural event
-is the THING that can attack or cause harm
-takes advantage of vulnerabilities, which can be intentional or accidental
-the source of danger
Network Vulnerabilities
Exist in:
1. Software - bugs, defects in applications
2. Hardware - outdated firmware, unpatched devices
3. Processes - weak passwords, poor policies
4. Physical assets - open server rooms, unsecured ports
5. Users/human factor - social engineering, phishing
-Weak password → process-based vulnerability
-Outdated router firmware → hardware-based vulnerability
-Open port in wall → physical vulnerability
policy-based
weak passwords, poor access policies, lack of security standards
human factor
social engineering, phishing, and manipulation of users to gain confidential information
malware
worms, viruses, Trojans, rootkits, and ransomware that exploit vulnerabilities
physical access
unsecured ports, unmonitored network jacks, unlocked server rooms
software-based
application bugs or defects that attackers can exploit
protocol-based
weaknesses in protocols like FTP or Telnet, which send data in clear text and are easily intercepted
design-based
-poor network design, like flat networks without segmentation, exposing multiple systems to attacks
-lack of DMZ or segmented subnets increases the risk of lateral movement and privilege escalation
misconfigurations
-unhardened servers, open ports, and unnecessary services running
-attackers can detect and exploit these misconfigurations
-incorrect setup of servers, apps, or network devices
-Examples: admin interface open to everyone, too many open ports
-Risk: unauthorized access, system compromise, and data leaks
Vulnerabilities from insiders
employees or internal users exploiting software, hardware, or process weaknesses
Vulnerabilities from outsiders
hackers, malware, or threat actors targeting exposed vulnerabilities
Role of Security Leaders
-Identify network vulnerabilities
-Assess the risks associated with them
-Mitigate risks by patching, hardening, or redesigning systems
-Ensure proper processes, policies, and designs are in place to minimize vulnerabilities
Mitigation
patch systems, enforce strong policies, segment networks, harden configurations, train users
DiD - Defense in Depth (Use multiple layers of security)
don't rely on just one control (like a firewall); if one is bypassed, another layer protects the network
Test security controls
security tools (firewalls, antivirus, access controls) must be tested to ensure they work correctly because some controls may be misconfigured, disabled, or not functioning as intended
identify vulnerabilities via vulnerability scanning
-run automated scans before deploying apps, servers, or devices into production
-scanning reveals: open ports, running services, missing patches, and known vulnerabilities
identify missing security controls
check if essential protections exist, like a missing firewall or no antivirus on endpoints
fix configuration issues
-ensure systems are configured correctly using hardening checklists
-another checklist for: web servers, DNS servers, DHCP servers, domain controllers, endpoints, network devices
-Examples of hardening: disable unnecessary services, close unused ports, remove default accounts
apply patches continuously
always install security updates for OS, applications, and drivers; patching must be ongoing, not one-time
Data at Rest
-one data type to encrypt
-stored on drives or databases
Data in Transit
-another data type to encrypt
-emailed, shared, sent across networks
Harden all devices and systems
every device (servers, endpoints, network gear) should follow a hardening baseline, like disable Telnet, force strong passwords, install antivirus, or enable firewall settings
Restrict Physical Access
secure open network ports, cables, and physical network access points; otherwise an attacker can plug into an open port and scan the network, exploit vulnerabilities, move laterally or escalate privilege, and plant backdoors
Avoid Weak Protocols (FTP, Telnet)
-older protocols send data in plaintext, making them easy to sniff
-For example: using Wireshark, an attacker can capture FTP username, FTP password, and transferred files
-replace them with modern protocols like SFTP instead of FTP, SSH instead of Telnet
Monitor all network entry/exit points
-all incoming and outgoing traffic must be monitored and filtered with tools like firewalls, IDS/IPS, and logging and monitoring systems
-this blocks unauthorized traffic and detects suspicious behavior
Message compromise (business email compromise)
-an attacker spoofs or hacks an employee's email (usually someone in finance) to trick others into sending money
-How they do it: phishing, keyloggers, fake email domains, stolen credentials
-Risk: financial loss, fraud, internal data exposure
Masquerade Attack
-attacker pretends to be a real, authorized user by using a fake identity
-Risk: unauthorized access, data theft, and difficult to detect because the attacker appears as a "legitimate" user
Message Modification
-if messages/emails are not encrypted, attackers can intercept and alter them in transit
-Risk: integrity loss, fraud, and incorrect data transmission
Denial-of-service (DoS) Attack
-attackers flood a web server with thousands of requests so it becomes too busy to serve real users
-What happens: CPU and memory become overloaded; server becomes slow, unresponsive, or crashes
-Risk: website shutdown, service outage, loss of revenue, damage to reputation
Social Engineering
-tricking humans into giving up confidential information
-Methods: phishing emails, phone calls pretending to be police, IT or bank, fake support technicians
-Risk: credential theft, unauthorized access, data breaches
Weak Passwords
-simple passwords like "123456" are easy to crack
-Tools: attackers use cracking tools like Cain and Abel or John the Ripper
-Risk: accounts are easily hacked, lateral movement inside the network
Cloud vs. On-Premise vulnerabilities
-If the application itself is vulnerable, it doesn't matter whether it's in the cloud or on-premises. The vulnerability still exists
-Risk: cloud data breaches, server exploitation, and code manipulation
Admin Privilege Misuse
-users are given more permissions than they need
-Risk: data loss, intentional abuse, and system compromise
Inherent bugs and code errors
-developers did not test or patch their code properly
-Examples include: SQL injection, cross-site scripting (XSS), and un-sanitized inputs
-Risk: attackers steal or alter data, website defacement, and backend access
Backdoors
-hidden access methods left intentionally or created by malware
-Two forms:
1. Developer backdoor = hard-coded admin credentials built into the app
2. Malware-created backdoor = malware creates a hidden admin account
-Risk: long-term unauthorized access, impossible to detect without deep inspection
Information Security (InfoSec)
-the big picture
-focuses on protecting all information and resources, whether in the cloud, on-premise, or hybrid environments
Network Security
-a subset of InfoSec
-focuses specifically on protecting the network infrastructure, including:
1. Data
2. Network devices like routers, switches, and firewalls
3. Hardware like servers or endpoints
4. Software like applications and OS
Relationship between information security and network security
PURPOSE: ensures that network components are protected against unauthorized access or attacks
Purpose of Network Security
-Network security protects resources by:
a. Preventing unauthorized access - only legitimate users can access network resources like shared folders
b. Preventing malicious activities - protects against misuse, modification, disruption, or destruction of information. For example, preventing unauthorized deletion of files or DoS attacks
c. Protecting data at rest and in transit - encrypt data stored on devices or sent across the network
d. Protecting network assets - limit access to hardware, software, and data to only authorized users
Importance of network security
a. Ensures availability - resources should always be accessible to authorized users (CIA Triad)
b. Authentication and authorization — confirms who the user is (authentication) and what they can access (authorization)
c. Protect resources while allowing legitimate access - restrict user permissions according to roles, for example admin vs. regular user
Network security coverage
-Network security protects all components of a network:
a. Network - protect small or enterprise networks, including segmented subnets and DMZs
b. Network applications - secure internal and external apps, ensure encryption, availability, load balancing, and fault tolerance
c. Network devices and systems - secure routers, firewalls, switches, servers, and endpoints (desktops, laptops, mobiles)
- Endpoints are often the main target for attacks
d. Network protocols - avoid weak protocols (FTP, Telnet); use strong protocols like SFTP or SSH
e. Data - encrypt data at rest and in transit, use access control lists to restrict access
Database Control - SQL Injection
-Attackers take control of the database by entering SQL into the input boxes on a website instead of entering basic text
-OSI Layer Application (7)
-Review source code & validate all user-entered data. Firewall: use reverse proxy system and scan incoming packets for malicious behavior. Use web-application firewall with rules to filter dangerous requests. Enable NX-bit (no-execute) functionality on physical computer.
Database Control - Buffer Overflow
-Buffer overflow is similar to SQL Injection but instead of SQL, they enter too much information into the form which causes the app to crash or other damage.
-OSI Layer Application (7)
-Coding to prevent too much input. Firewall to prevent suspicious data from being sent. Enable NX-bit (no-execute) functionality on physical computer.
Spoofing - Man in the Middle (MitM)
-MitM impersonates both the sender & the receiver to intercept communication between two systems. A hacker hijacks a session between trusted client and network server.
-MitM attacks occur in various OSI Layers
-Although MITM uses IP spoofing at its base, it goes a mile beyond that in order to gain control, by choosing sessions from one or more layers to be hijacked.
-Intrusion prevention systems and IPSec can help.
Spoofing - VLAN Hopping
-A method of attacking networked resources on a virtual LAN (VLAN). An attacking host on a VLAN gains access to traffic on other VLANs that would normally not be accessible.
-OSI Layer Transport (4) - DoS in other OSI Layers
-DDoS attack blocking, commonly referred to as blackholing, is a method typically used by ISPs to stop a DDoS attack on one of its customers. Basically, the site is taken down entirely so other sites on the network are not affected.
Denial of Service - Denial of Service (DoS)
-Denying service to a computer, network or network server by overwhelming the victim with large amounts of useless traffic. A computer is used to flood a server with TCP and UDP packets
-OSI Layer Transport (4) - DoS in other OSI Layers
-DDoS attack blocking, commonly referred to as blackholing, is a method typically used by ISPs to stop a DDoS attack on one of its customers. Basically, the site is taken down entirely so other sites on the network are not affected.
Denial of Service - Distributed Denial of Service (DDoS)
-A DDoS attack is where multiple systems target a single system with a DoS attack. The targeted network is then bombarded with packets from multiple locations.
Denial of Service - Ping of Death
-Attacker pings the target & sends an ICMP packet over the max of 65,535 bytes and causes the victim's system to crash or stop functioning. Causes buffer overflow and crashes.
-OSI Layer Network (3)
-Update operating systems. Configure Web Application firewall to drop malformed packets.
Denial of Service - Ping Flood (Starts with Ping Sweep)
-A Ping Sweep is an information gathering technique which is used to identify live hosts by pinging them. After the sweep, attacker overwhelms victim's computer with a large amount of ICMP echo-request packets (pings)
-OSI Layer Network (3)
-Configure firewall to disallow pings (stops outside attacks not inside). Use intrusion prevention systems at network and host levels.
Denial of Service - SMURF DDoS (distributed attack)
-Rather than one computer sending ICMP packets, multiple computers are replying to the ICMP packet. It spoofs the source address for all ICMP packets
-OSI Layers Network (3) & Transport (4)
-Disable IP-directed broadcasts on your router. Reconfigure your operating system to disallow ICMP responses to IP broadcast requests. Reconfigure the perimeter firewall to disallow pings originating from outside your network.
Denial of Service - Deauth Attack
-Deauthentication (abbreviated deauth) is a denial-of-service (DoS) attack where the attacker can force any client (or even every client) off of the network
-OSI Layer Presentation (6)
-The simplest defense is to use WPA3 security on your WAPs because in WPA3, the management packets are encrypted. If it is not possible to use WPA3, at least use WPA2 to make sure the data traffic is encrypted
RPC Attack - RPC Exploit
-A specially crafted RPC request is sent. Successful exploitation of this vulnerability could execute arbitrary code within the context of another user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights
-OSI Layer Session (5)
-Mitigate with regular OS and application patching. Use of proxy firewalls and intrusion detection devices can prevent many RPC and NetBIOS attacks.
Social Engineering - Phishing/Spear Phishing
-User clicks on a link to a nefarious site which tricks them into entering their name/email address or other secure info, e.g., sending an email about your PayPal account which isn't from PayPal
-Spear Phishing targets a person with extremely specific information - hacking a CEO's phone with a specific calendar invite for their kid's soccer practice
-Training on how to recognize & report phishing emails.
-How to stop at the networking level? I don't know, firewall?? but you should figure this out before taking the test.
Virus
malicious code that attaches to a legitimate program and spreads when the program runs
Worm
self-replicating malware that spreads automatically across networks
Trojan Horse
malware disguised as a safe program (like a free game or fake update)
Ransomware
encrypts files and demands payment to unlock them
Spyware
secretly collects personal or sensitive information
Adware
shows unwanted ads, sometimes collects browsing data
Keylogger
captures everything typed on the keyboard, including passwords
Rootkit
hides malware by gaining deep system-level access
botnet/bot infection
a device hijacked and controlled remotely to perform attacks like DDoS, spam, etc.
Man-in-the-Browser
malware that alters web pages inside the browser like online banking redirects
Backdoor
hidden entry that lets attackers access the system remotely
Zero-day
-when attackers exploit a new, unknown software vulnerability that the vendor has not discovered or patched yet
-because there is no fix available, these attacks are especially dangerous
Responding to Zero-day Malware
-IMMEDIATE: isolate the affected system(s) to prevent the attack from spreading
-IMMEDIATE: check for indicators of compromise (IoCs) provided by security vendors, CERT alerts, or internal logs
-IMMEDIATE: block suspicious IPs/domains connected to the exploit
-IMMEDIATE: apply temporary workarounds issued by the vendor (sometimes they recommend disabling a feature)
-POST-ATTACK: apply the official patch as soon as the vendor releases it
-POST-ATTACK: update intrusion detection/endpoint tools so they recognize the exploit behavior
-POST-ATTACK: run full malware scans to ensure nothing persistent was installed
-POST-ATTACK: reset compromised passwords and tokens
-POST-ATTACK: review logs to understand when/how attackers entered
Confidentiality
-guarding information from everyone except those with rights to it
-Confidential information includes the following: private data of individuals, intellectual property of businesses, and national security for countries and governments
-"Keep data secret"
-Assuring that data privacy and protection of data against unauthorized disclosure are maintained
-Data confidentiality and privacy are so important that local and state governments are passing and strengthening laws to protect them at the state and federal levels
Security Control
a safeguard or countermeasure that an organization implements to help reduce risk
Confidentiality Examples
Conducting annual security awareness training for employees, which helps remind staff about proper handling of private data and drives awareness of the organization's framework of security policies, standards, procedures, and guidelines
Confidentiality Proper Security Controls
-Defining organization-wide policies, standards, procedures, and guidelines to protect confidential data, all of which provide guidance for how to handle private data
-Adopting a data classification standard that defines how to treat data throughout the IT infrastructure, which is the road map for identifying what controls are needed to keep data safe
-Encrypting data that crosses the public Internet
-Encrypting data that is stored within databases and storage devices
Integrity
-dealing with the validity and accuracy of data
-Protecting data from unauthorized modification
-Data has integrity if: Data is not altered, data is valid, and data is accurate
-Think of hashing, errors in data, and version control
-"Keep data correct"
Availability
-the amount of time users can use a system, application, and data; ensuring data and services are available to authorized users when needed
-"Keep data accessible"
uptime (availability time measurement)
total amount of time that a system, application, and data are accessible; measured in units of seconds, minutes, and hours within a given calendar month
downtime (availability time measurement)
total amount of time that a system, application, and data are not accessible
Availability Formula
Availability: mathematical calculation is A = (Total uptime) / (Total uptime + Total downtime)
Mean time to failure (MTTF)
average amount of time between failures for a particular system