Note
Studied by 13 peopleNoteStudied by 22 peopleNoteStudied by 3 peopleNoteStudied by 178 peopleNoteStudied by 55 peopleNoteStudied by 1 person
NETWORK SECURITY
MECHANISMS
1. Least Common Mechanism
Least Common Mechanism emphasizes reducing shared components or failure modes between subsystems to avoid cascading failures. For example, in aerospace systems, redundant components with independent mechanisms are often used to minimize risk.
Example: If an aircraft's autopilot system and manual control share the same sensor, failure in that sensor could compromise both systems. By ensuring each system uses a separate, independent sensor, the risk of total system failure is reduced.
2. Fail-Safe
A fail-safe mechanism is a design principle where the system defaults to a safe state in the event of a failure. The goal is to minimize harm or risk, even if a component or process breaks down.
3. Economy of Mechanism
This principle emphasizes keeping the design as simple and minimal as possible. The goaewel is to reduce complexity to minimize the chance of failure and to improve reliability.
Systems with fewer parts or simpler designs are typically easier to maintain and more robust.
4. Physiological Acceptability
This principle refers to ensuring that a system is designed with the user’s physical and psychological needs in mind. In human-centered design, this involves understanding the user’s limitations (like cognitive load, ergonomics, or emotional response) to create systems that are both usable and comfortable.
Physiological acceptability can be critical in fields like medical devices, aviation, and automotive design, where human operators need to interact with machines.
FIREWALLS:
1. Packet-Filtering Firewalls
How it works: Inspects packets of data to determine whether to allow or block them based on predefined rules (e.g., IP addresses, ports, and protocols). Inspects the packet headers of each incoming and outgoing network packet. Specifically, it checks the source IP address, destination IP address, source port, and destination port against a set of predefined rules. If a packet matches the allowed criteria (such as IP addresses and ports), it is allowed through; otherwise, it is blocked.
Strengths: Simple, fast, and low-resource usage.
Weaknesses: Can’t inspect the content of traffic or detect complex threats (e.g., application-layer attacks).
Use case: Suitable for small networks or simple security needs.
Which type of Firewall inspects the source and destination IP address and Port address (contained in the packet header) for every single packet that enters and leaves the network?
Stateful Firewall
Packet Filtering Firewall
Circuit Level Gateway
Application Firewall
2. Stateful Inspection Firewalls
How it works: Tracks the state of active connections and makes decisions based on the context (e.g., whether the packet is part of an established session). Allows the firewall to monitor and record the state of network connections (like TCP handshakes) and ensures that incoming packets are part of a legitimate, established communication session.
Strengths: More secure than packet filtering, as it understands the context of traffic.
Weaknesses: Slightly slower than packet-filtering firewalls due to connection tracking.
Use case: Common in enterprise environments where more comprehensive traffic analysis is needed.
A stateful firewall uses Stateful Packet Inspection to protect the network. How does this type of firewall operate?(2.5 Points)
A stateful firewall inspects the network traffic's payload to prevent attacks
A stateful firewall makes requests on behalf of other systems on a Network
A stateful firewall that compares all inbound traffic to ensure there is a prior outbound request.
A stateful firewall compares IP addresses to a to a set of static rules
3. Proxy Firewalls (Application Firewalls)
How it works: Acts as an intermediary between the client and the server. The firewall makes requests on behalf of the client and returns the response, effectively hiding the internal network.
Strengths: Can inspect traffic at the application layer, offering detailed control and protection against application-layer attacks.
Weaknesses: Can introduce latency and requires more resources.
Use case: Ideal for protecting internal networks from high-risk applications like web traffic or email.
4. Next-Generation Firewalls (NGFW)
How it works: Combines traditional firewall capabilities (packet filtering, stateful inspection) with advanced features like deep packet inspection (DPI), intrusion prevention systems (IPS), and application awareness.
Strengths: Offers comprehensive security by identifying and blocking sophisticated threats such as malware and advanced persistent threats (APTs).
Weaknesses: Can be resource-intensive and more expensive.
Use case: Best for organizations that require advanced, multi-layered security, such as large enterprises.
5. Web Application Firewalls (WAF)
How it works: Specifically designed to protect web applications by filtering and monitoring HTTP/HTTPS traffic between the application and the internet.
Strengths: Protects against web-specific attacks like SQL injection, cross-site scripting (XSS), and DDoS attacks.
Weaknesses: Focused only on web applications, so it doesn't protect other types of traffic.
Use case: Essential for protecting e-commerce platforms, banking apps, and any service relying heavily on web applications.
6. Circuit-Level Gateways
How it works: Monitors the TCP handshake to ensure a valid session before allowing traffic. Operates at the transport layer (Layer 4) of the OSI model.
Strengths: Efficient and less resource-intensive compared to deep packet inspection.
Weaknesses: Less secure than application-layer firewalls, as it doesn’t analyze the content of the traffic.
Use case: Often used in scenarios where lower latency is needed but without a high security requirement.
7. Host-Based Firewalls
How it works: Installed on individual devices (like computers or servers), this firewall monitors and controls inbound and outbound traffic specific to that host.
Strengths: Provides protection at the device level, offering more granular control over traffic.
Weaknesses: Doesn’t provide network-wide protection, and must be configured and managed on each individual host.
Use case: Useful for endpoint security, such as on laptops, mobile devices, or servers.
8. Cloud Firewalls (Firewall-as-a-Service)
How it works: Hosted in the cloud, these firewalls provide perimeter security for cloud-based infrastructure. They can be configured and managed remotely.
Strengths: Scalable, easy to deploy, and effective for organizations that use cloud services.
Weaknesses: May depend on the cloud provider’s security practices, and potentially less control over configuration compared to on-premises firewalls.
Use case: Ideal for businesses with cloud-based applications and infrastructure
Zero Trust is a cybersecurity model based on the principle of "never trust, always verify." It assumes that threats could exist both inside and outside an organization's network, and thus, no one (whether inside or outside) should be automatically trusted. Instead, every user, device, application, or system attempting to access resources must be continuously verified before being granted access
THE AAA TRIAD
1. Authentication
Definition: The process of verifying the identity of a user, device, or system.
Goal: Ensure that the entity requesting access is who they claim to be.
How it works:
Typically involves checking credentials (like username/password, biometric data, smartcards, or multi-factor authentication).
Once authentication is successful, the system can proceed with authorization and accounting.
Example: Logging in to an online account with a username and password.
2. Authorization
Definition: The process of granting or denying access to resources based on the authenticated entity's permissions.
Goal: Ensure that authenticated users or devices can only access resources they are allowed to.
How it works:
Once a user’s identity is verified, authorization determines what they can do (e.g., read, write, modify, or delete data).
This typically relies on access control lists (ACLs), role-based access control (RBAC), or other permission models.
Example: After logging in, a user is authorized to access only certain files or applications, based on their role (e.g., an admin vs a regular user).
3. Accounting (or Auditing)
Definition: The process of tracking and recording user activities during and after authentication.
Goal: Provide a record of what actions were performed, by whom, and when. This is essential for auditing, monitoring, and compliance purposes.
How it works:
Logs are generated for actions like file accesses, login attempts, data modifications, and resource usage.
These logs help in detecting suspicious behavior, troubleshooting issues, and ensuring compliance with regulations.
Example: Keeping track of which user accessed which resources at what time, and whether any unauthorized activities occurred.
1. Discretionary Access Control (DAC):
Definition: In DAC, the owner of the resource (such as a file or directory) has full control over who can access it and what kind of access (read, write, execute) they can have. The owner can grant or revoke access to others at their discretion.
Key Characteristics:
Ownership of resources is granted to users, and the owner decides who can access them.
Access permissions can be inherited or explicitly set.
Typically implemented in systems like UNIX, where users can set file permissions.
Example: A user on a file system may set the permissions on a document to allow others to read or modify it.
2. Role-Based Access Control (RBAC):
Definition: RBAC assigns permissions based on roles within an organization, rather than to individual users. Users are assigned to roles, and roles have certain access rights. This model simplifies permission management and enforces the principle of least privilege.
Key Characteristics:
Roles are created based on job functions (e.g., "admin", "manager", "employee").
Users are assigned to roles, and the roles dictate what actions they can perform.
Easier to manage in large organizations because access rights are associated with roles, not individual users.
Example: An employee assigned to the "Manager" role can access certain resources that employees in the "Staff" role cannot.
3. Rule-Based Access Control (RBAC):
Definition: Rule-Based Access Control uses a set of rules (policies) to define access. These rules are often based on predefined conditions, such as time of day, location, or network address. The rules specify who can access a resource and under what circumstances.
Key Characteristics:
Access is granted based on specific rules rather than roles or ownership.
Rules can include factors like user group, IP address, or time of day.
Common in firewalls or systems requiring dynamic control over access.
Example: A system might allow access to sensitive data only during business hours or only from a particular IP range.
4. Attribute-Based Access Control (ABAC):
Definition: ABAC grants access based on attributes of the user, the resource, and the environment. Attributes can be dynamic and context-specific, providing a more granular and flexible way to control access.
Key Characteristics:
Access decisions are based on a combination of attributes (e.g., user’s department, the resource's classification, current time).
Policies are more complex, using attributes like user roles, security clearance, location, device type, etc.
Highly flexible and suitable for complex systems or dynamic environments.
Example: A user with the role of "HR Manager" and a clearance level of "Top Secret" might be allowed to access certain sensitive HR data, but only from a corporate device and during business hours.
Comparison:
CYBER ATTACKS
***Ping Flood vs. Smurf Attack: Both attacks use ICMP and cause DoS, but in a Smurf Attack, the attacker uses broadcast addresses and IP spoofing to amplify the attack, whereas a Ping Flood sends direct pings to the victim, typically without amplification.***
WIFI PROTOCOLS
WEP, WPA, WPA2, and WPA3 are all Wi-Fi security protocols designed to protect wireless networks. These protocols aim to provide encryption and authentication to prevent unauthorized access to Wi-Fi networks.:
1. WEP (Wired Equivalent Privacy)
Released: 1997
Encryption Type: RC4 (Rivest Cipher 4)
Key Length: 40-bit or 104-bit (plus a 24-bit initialization vector)
Security Level: Low
Weaknesses:
WEP was the original Wi-Fi security standard, but it is now considered obsolete and insecure.
The 24-bit initialization vector (IV) is too short, making it vulnerable to replay attacks and key cracking.
Easily cracked with modern tools, so it’s not recommended for any serious security use.
2. WPA (Wi-Fi Protected Access)
Released: 2003
Encryption Type: TKIP (Temporal Key Integrity Protocol)
Key Length: 128-bit
Security Level: Moderate
Improvements Over WEP:
WPA improved upon WEP by using TKIP, which dynamically changes the encryption keys during transmission to prevent key reuse (a major weakness in WEP).
WPA uses 802.1X for user authentication (in enterprise mode), but WPA-Personal uses a pre-shared key (PSK).
Weaknesses:
WPA is stronger than WEP but is still vulnerable to certain attacks, especially in WPA-Personal mode.
As of now, WPA is also considered obsolete and should not be used due to security vulnerabilities.
3. WPA2 (Wi-Fi Protected Access II)
Released: 2004
Encryption Type: AES (Advanced Encryption Standard)
Key Length: 128-bit (or higher, depending on configuration)
Security Level: Strong
Improvements Over WPA:
WPA2 uses AES for encryption instead of the older TKIP, which is much more secure and resistant to attacks.
WPA2 also introduced mandatory CCMP (Counter Cipher Mode with Block Chaining Message Authentication Code Protocol) for enhanced security.
It has two modes: WPA2-Personal (uses a pre-shared key, PSK) and WPA2-Enterprise (uses 802.1X authentication for greater security).
Weaknesses:
While WPA2 is much more secure than WEP and WPA, it still has some vulnerabilities (e.g., KRACK attacks, discovered in 2017, which targeted vulnerabilities in the handshake process).
4. WPA3 (Wi-Fi Protected Access III)
Released: 2018
Encryption Type: AES with a more robust encryption mechanism
Security Level: Very Strong
Improvements Over WPA2:
Stronger encryption: WPA3 uses stronger 192-bit encryption in WPA3-Enterprise and 128-bit encryption in WPA3-Personal, making it more resistant to brute-force attacks.
Improved handshake protocol: WPA3 replaces the WPA2 4-way handshake with a more secure method that prevents offline dictionary attacks, and incorporates Simultaneous Authentication of Equals (SAE), a more secure method for key exchange.
Forward secrecy: Even if an attacker captures the traffic, they won't be able to decrypt it later, ensuring better protection of sensitive data.
Protection for open networks: WPA3 introduces Opportunistic Wireless Encryption (OWE) to provide encryption on open (unencrypted) networks.
Improved protection against brute-force attacks due to more complex cryptographic protections.
Weaknesses:
Device Compatibility: WPA3 adoption is still in progress, and not all older devices support WPA3, although many modern devices are starting to include it.
Summary of Key Differences:
Conclusion:
WEP is outdated and should never be used.
WPA2 is still widely used and provides strong security for most environments.
WPA3 is the latest and most secure option, offering improved protections and features to defend against modern threats.
PIPEDA stands for the Personal Information Protection and Electronic Documents Act. It is a Canadian federal privacy law that governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activities.
Purpose: PIPEDA aims to protect the privacy of individuals by ensuring that their personal information is handled responsibly and in accordance with certain privacy principles. It also provides individuals with rights regarding their personal information, including access and correction rights.
Example of PIPEDA in Action:
The customers are informed about the purpose of data collection (e.g., processing orders).
The company obtains customer consent to use the data.
The data is stored securely and is only used for the intended purpose.
The customers can access their data and request corrections if necessary.
IDS VS IPS
IDS stands for Intrusion Detection System. It is a security technology used to monitor network traffic or system activities for suspicious behavior, potential threats, or violations of security policies. An IDS is designed to detect unauthorized access, attacks, or other malicious activities on a computer network or system. When a potential threat is identified, the IDS alerts administrators so they can take action.
Key Points about IDS:
Purpose: The primary goal of an IDS is to detect and respond to suspicious or malicious activity. This can include:
Unauthorized access attempts
Malware activity
Network intrusions or exploitation
Policy violations or misconfigurations
Types of IDS: There are two main types of IDS based on the source of monitoring:
Network-based IDS (NIDS): Monitors and analyzes network traffic for signs of malicious activity. It is typically deployed at network entry points (like firewalls or routers) to monitor all inbound and outbound traffic.
Host-based IDS (HIDS): Monitors activities on a specific host or system, such as files, processes, and system logs, to detect any unusual or unauthorized activity.
Detection Methods: IDS uses several methods to detect intrusions:
Signature-based Detection: Compares incoming traffic to a database of known attack patterns or "signatures". This method is good at detecting known threats but may miss new or unknown attacks.
Anomaly-based Detection: Establishes a baseline of normal network or system behavior and alerts when deviations from this baseline occur. This approach is useful for detecting unknown or novel attacks but can result in higher false positives.
Hybrid Detection: Combines both signature-based and anomaly-based methods to detect both known and unknown threats.
Action Taken by IDS:
An IDS typically alerts security administrators when it detects suspicious activity but does not block or prevent the attack itself. This is in contrast to an Intrusion Prevention System (IPS), which can take automated actions (e.g., blocking the malicious traffic).
Some IDS implementations can log suspicious events for further investigation or forensic analysis.
IDS vs. IPS:
IDS (Intrusion Detection System): Focuses on detecting and alerting on suspicious activity. It is a passive system that provides information about potential threats.
IPS (Intrusion Prevention System): Acts similarly to an IDS but also has the capability to block or mitigate potential threats automatically in real-time.
Example Use Cases:
Network Intrusion Detection: A network IDS might detect unusual traffic patterns, such as a large volume of requests from a single IP address that might indicate a Distributed Denial of Service (DDoS) attack.
Host Intrusion Detection: A host IDS might detect unauthorized file modifications, abnormal login activity, or the presence of malware on a server.
Key Features of an IDS:
Real-time Monitoring: IDS monitors activity continuously to detect potential threats as they happen.
Alerting: When suspicious activity is detected, IDS generates alerts to notify administrators.
Logging: IDS can log suspicious activities, creating a record for future analysis, auditing, or forensics.
Policy Enforcement: Some IDS can enforce security policies, such as detecting weak passwords or system misconfigurations.
Common IDS Tools:
Snort: A popular open-source IDS/IPS solution that uses both signature-based and anomaly-based detection techniques.
Suricata: Another open-source IDS that can also function as an IPS, and is often used for high-performance environments.
OSSEC: A host-based IDS that focuses on log analysis and integrity checking.
Example of IDS in Action:
Imagine a network where an IDS is monitoring for signs of a brute-force login attack. If a user repeatedly fails to authenticate within a short time frame, the IDS will flag this behavior as suspicious. It might then generate an alert to notify administrators of the potential attack, prompting them to investigate further or take preventive action (such as blocking the IP address).
The two main types of encryption are:
1. Symmetric Encryption
Definition: In symmetric encryption, the same key is used for both encryption (locking the data) and decryption (unlocking the data).
Key: The key must be kept secret, as anyone with access to the key can decrypt the data.
Speed: Generally faster than asymmetric encryption due to simpler algorithms.
Use Cases: Commonly used for bulk data encryption (e.g., encrypting files, database encryption, disk encryption).
Examples:
AES (Advanced Encryption Standard)
DES (Data Encryption Standard)
3DES (Triple DES)
Advantages:
Faster and more efficient for encrypting large amounts of data.
Strong encryption if the key is securely managed.
Disadvantages:
Key distribution and management can be a challenge, especially when communicating over insecure channels.
If the key is compromised, all data encrypted with that key is vulnerable.
2. Asymmetric Encryption
Definition: Asymmetric encryption uses two different keys — a public key (for encryption) and a private key (for decryption).
Key: The public key can be freely shared with anyone, while the private key must be kept secret.
Speed: Typically slower than symmetric encryption, as it involves more complex mathematical operations.
Use Cases: Often used for secure communication (e.g., email encryption, secure website connections) and digital signatures.
Examples:
RSA
Elliptic Curve Cryptography (ECC)
DSA (Digital Signature Algorithm)
Advantages:
Solves the key distribution problem: only the private key needs to be kept secret.
Provides digital signatures and authentication, allowing users to verify the identity of the sender.
Disadvantages:
Slower and more computationally intensive than symmetric encryption, making it less ideal for encrypting large data volumes.
Requires careful management of both keys to ensure security.
Summary of Differences:
1. Acceptable Use Policy (AUP)
Purpose: Defines acceptable behaviors and actions related to the use of an organization's IT resources, including computers, networks, internet access, email, and other technology.
Key Points:
Outlines what users can and cannot do with company resources (e.g., prohibiting illegal activities, accessing inappropriate content, or installing unauthorized software).
Sets expectations for employee behavior regarding security, privacy, and respect for others.
Often includes penalties or disciplinary actions for violations.
Goal: To ensure that employees and users understand the organization's expectations and that IT resources are used responsibly, securely, and in compliance with laws.
2. Security Awareness Policy
Purpose: Establishes guidelines for educating and training employees on security best practices and how to recognize and prevent security threats (such as phishing, malware, or social engineering).
Key Points:
Emphasizes the importance of safeguarding company data and IT systems.
Provides training on topics like password management, safe internet usage, recognizing phishing emails, and proper data handling.
Often includes regular refresher training or awareness campaigns.
Goal: To reduce the risk of security breaches caused by human error or ignorance, ensuring that employees are well-informed and proactive in protecting company assets.
3. Asset Management Policy
Purpose: Establishes the processes for identifying, tracking, and managing the organization's physical and digital assets (e.g., hardware, software, intellectual property, and data).
Key Points:
Defines how assets are inventoried, assigned, and tracked throughout their lifecycle (from acquisition to disposal).
Includes guidelines for asset classification, ownership, maintenance, and protection.
Ensures that assets are properly secured and protected against theft, loss, or unauthorized access.
Goal: To ensure that all assets are accounted for and managed properly to support operational effectiveness and protect the organization’s resources.
4. Asset Classification Policy
Purpose: Defines how to classify and categorize different types of assets based on their sensitivity, importance, or value to the organization.
Key Points:
Specifies different classification levels (e.g., public, internal, confidential, highly confidential).
Defines security controls for each classification level, such as who can access, modify, or share certain assets.
Helps in determining appropriate levels of protection for sensitive or critical information.
Goal: To ensure that sensitive data and assets are adequately protected by assigning security measures that are appropriate to their classification.
Summary Table
SSL/TLS Using Hybrid Encryption
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols used to secure communications over a computer network, most commonly used for securing websites via HTTPS. Both SSL and TLS employ hybrid encryption, which combines symmetric encryption and asymmetric encryption to provide both secure data transmission and efficient performance.
Hashing is used in SSL/TLS for ensuring data integrity. During the handshake, both the client and the server generate a hash of all the handshake messages. If the data is altered during transmission, the hash would not match, signaling potential tampering.
Common hashing algorithms used in SSL/TLS are SHA-256 and SHA-3.
NoteStudied by 13 peopleNoteStudied by 22 peopleNoteStudied by 3 peopleNoteStudied by 178 peopleNoteStudied by 55 peopleNoteStudied by 1 person