Terminologies related to Network Security Attacks
Asset – anything of interest to an attacker: a tangible or intangible resource of an organization with a monetary value, which an attacker targets to gain control of it, compromise its security, etc. Examples of assets include software, systems, people, data and servers.
Threat – a potential negative event that can cause damage to an asset. Examples of threats: an attacker can steal sensitive data of an organization, cause a server to shut down, trick an employee into revealing sensitive information, or infect a system with malware.
Threat sources landscape:
Natural – fires, floods, power failures
Unintentional – unskilled administrators, accidents, lazy or untrained employees
Intentional, internal – fired employees, disgruntled employees, service providers, contractors
Intentional, external – hackers, criminals, terrorists, foreign intelligence agents, corporate raiders
Threat actor – an individual or group that breaks into a system to achieve a specific goal. Types of threat actors:
Hacktivists – Individuals who promote a political agenda by hacking, especially by defacing or disabling websites.
Cyber Terrorists – Individuals with a wide range of skills, motivated by religious or political beliefs, who create threats of large-scale disruption of computer networks.
Suicide Hackers – Individuals who aim to bring down critical infrastructure for a “cause” and are not deterred by jail terms or other kinds of punishment.
State-Sponsored Hackers – Individuals employed by a government to penetrate and gather top-secret information and to damage the information systems of other governments.
Organized Hackers – Professional hackers who attack a system for profit.
Script Kiddies – Unskilled hackers who compromise systems by running scripts, tools and software developed by actual hackers.
Industrial Spies – Individuals who attempt to attack companies for commercial purposes.
Insider Threat – A threat that originates from people within the organization, such as disgruntled employees, terminated employees and undertrained staff.
Vulnerability – refers to the existence of a weakness in an asset that can be exploited by threat agents. Common causes for the existence of vulnerabilities: hardware or software misconfiguration, insecure or poor design of the network and application, inherent technology weaknesses, careless approach of end users.
Examples of network security vulnerabilities:
TCP/IP protocol vulnerabilities – HTTP, FTP, ICMP, SNMP and SMTP are inherently insecure
OS vulnerabilities – the operating system is inherently insecure or is not patched
Network device vulnerabilities – network devices such as routers, firewalls and switches can be vulnerable due to lack of password protection, lack of authentication, insecure routing protocols and firewall vulnerabilities
User account vulnerabilities – originating from the insecure transmission of user account details such as usernames and passwords over the network
System account vulnerabilities – originating from the setting of weak passwords for system accounts
Internet service misconfiguration – misconfiguring internet services can pose serious security risks; for example, enabling JavaScript and misconfiguring IIS, Apache, FTP and Terminal Services can create security vulnerabilities in the network
Default passwords and settings – leaving network devices/products with their default passwords and settings
Network devices misconfiguration – Misconfiguring the network devices
Unwritten Policy – Unwritten security policies are difficult to implement and enforce
Lack of Continuity – Lack of continuity in implementing and enforcing the security policy
Politics – Politics may cause challenges for implementation of a consistent security policy
Lack of awareness – Lack of awareness of the security policy
Risk
Risk refers to the potential loss or damage that can occur when a threat to an asset exists in the presence of a vulnerability that can be exploited.
Examples of risks: disruption or complete shutting down of the business, loss of privacy, legal liability, loss of productivity, data loss/theft, reputation damage and loss of consumer confidence.
Risk is represented as: Risk = Asset + Threat + Vulnerability
An attack is an action initiated to exploit one or more vulnerabilities in order to actualize a threat. Attack = Motive (Goal) + Methods (TTPs) + Vulnerability
A motive originates from the notion that the target system stores or processes something valuable, and this leads to a threat of an attack on the system.
Examples of Motives behind Cyber Attacks:
Disrupting business continuity, information theft, manipulating data, damaging the reputation of the target, creating fear and chaos by disrupting critical infrastructure, financial loss to the target, propagating religious or political beliefs, achieving a state’s military objectives, revenge, demanding ransom
Methods (TTPs)
Attackers attempt various attack techniques to exploit vulnerabilities in a computer system, or in its security policy and controls, to achieve their motives.
The terms Tactics, Techniques and Procedures (TTPs) refer to the patterns of activities and methods associated with specific threat actors or groups of threat actors.
Tactics are defined as the strategy adopted by an attacker to perform the attack from beginning to end.
Techniques are defined as the technical methods used by an attacker to achieve intermediate results during the attack.
Procedures are defined as the systematic approach adopted by threat actors to launch an attack.
Network-level Security Attacks
The exploitation of the target network begins with reconnaissance
In recon attacks, attackers attempt to discover information about the target network
Attackers can use the following techniques to gather network information about targets:
Social Engineering
Port Scanning
DNS Footprinting
Ping Sweeping.
Network information obtained using recon attacks:
Domain Name
Internal Domain Names
Network Blocks
IP Addresses of the Reachable Systems
Rogue Websites / Private Websites
Open Ports
Versions of Running OSes
Running TCP and UDP Services
Access Control Mechanisms and ACLs
Networking Protocols
VPN Points
Running Firewalls
Analog/Digital Telephone Numbers
Authentication Mechanisms
System Enumeration
Network Sniffing Attack – sniffing is the process of monitoring and capturing all data packets passing through a given network using sniffing tools. Attackers use various sniffing utilities to sniff network traffic and gather sensitive information.
1. Man-in-the-Middle Attack
In this attack, the intruder deploys a station between the client and server communication system to intercept messages being exchanged.
Attackers use different techniques to split the TCP connection into two connections: 1. a client-to-attacker connection, 2. an attacker-to-server connection.
Interception of the TCP connection enables an attacker to read, modify and insert fraudulent data into the intercepted communication.
In the case of an HTTP transaction, the TCP connection between the client and the server is targeted.
2. Password Attack
An attacker attempts to exploit weaknesses to crack passwords
The use of common passwords makes a system or application vulnerable to password cracking attacks. The most common passwords used are: password, pa$$w0rd, root, administrator, admin, Test, guest, qwerty, or personal information such as a name, birthday, and the names of children.
Attackers use various techniques such as brute-force, social engineering, spoofing, phishing, malware, sniffing, and keylogging to acquire passwords.
Attackers begin by cracking passwords to trick network devices into assuming they are valid users.
3. Privilege Escalation Attack
An attacker can gain access to a network using a non-admin user account, and subsequently gain administrative privileges.
The attacker performs a privilege escalation attack, which exploits design flaws, programming errors, bugs, and configuration oversights in the OS and software application to gain administrative access to the network and its associated applications.
The escalated privileges allow an attacker to view private information, delete files, or install malicious programs such as viruses, trojans, worms, etc.
Types of privilege escalation include vertical privilege escalation, which involves shifting from a user account to an account having higher privileges, and horizontal privilege escalation, which involves shifting from one user account to another user account having the same privileges.
4. DNS Poisoning Attack
Domain Name Server (DNS) poisoning is the unauthorized manipulation of IP addresses in the DNS cache.
The DNS stores domain name translation of IP addresses for network devices
A corrupted DNS redirects a user request to a malicious website to perform illegal activities.
If a victim types www.google.com, the request is redirected to a fake website impersonating www.google.com.
5. ARP Poisoning Attack
Address Resolution Protocol (ARP) is a protocol used for mapping an IP address to a physical machine address that is recognized in the local network.
ARP spoofing/poisoning involves sending a large number of forged entries to the target machine’s ARP cache.
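On the defender's side, the cache manipulation described above shows up as contradictions in the ARP replies seen on the segment. The following Python is an added example, not code from the original notes: it replays a constructed list of ARP replies and raises an alert when an IP's MAC changes after it was first learned, when one MAC claims several IPs, or when a reply contradicts a static baseline entry for the gateway. The addresses, MACs and the baseline are assumptions made up for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample ARP replies as (sender IP, sender MAC), in arrival order.
# The last two replies are what a poisoning attempt looks like on the wire:
# a new MAC claims the gateway's IP, and the same MAC then claims a host's IP.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate
    ("192.168.1.10", "aa:bb:cc:00:00:10"),
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.1", "aa:bb:cc:00:00:99"),   # gateway IP now claimed by another MAC
    ("192.168.1.10", "aa:bb:cc:00:00:99"),  # same MAC also claims .10
]

# Assumed static baseline for addresses that should never change (the gateway).
STATIC_BASELINE = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def analyze_arp(replies, baseline=None):
    """Return alert strings for suspicious ARP replies.

    Checks, in order: reply contradicts the static baseline; an IP's MAC differs
    from the one first learned; a single MAC is now claiming more than one IP.
    """
    baseline = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        ip = str(ipaddress.ip_address(ip))   # normalize textual form
        mac = mac.lower()
        if ip in baseline and baseline[ip] != mac:
            alerts.append(f"baseline-mismatch {ip}: expected {baseline[ip]}, saw {mac}")
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"ip-mac-change {ip}: {prev} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"mac-claims-multiple-ips {mac}: {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in analyze_arp(SAMPLE_ARP_REPLIES, STATIC_BASELINE):
        print(line)
```

A real deployment would feed this from a capture of ARP traffic and suppress the one-off change alerts that DHCP lease turnover legitimately produces; the baseline check on the gateway is the one that stays reliable across address churn.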
6. DHCP Starvation Attack
Dynamic Host Configuration Protocol (DHCP) is a configuration protocol that assigns valid IP addresses to host systems out of a pre-assigned DHCP pool.
DHCP starvation attack is a process of inundating DHCP servers with fake DHCP requests and using all the available IP addresses
This results in a denial-of-service attack, where the DHCP server cannot issue new IP addresses to genuine host requests
New clients cannot obtain access to the network, resulting in a DHCP starvation attack
7. DHCP Spoofing Attack
DHCP servers assign IP addresses to clients dynamically.
An attacker places a rogue DHCP server between the client and the real DHCP server.
When a client sends a request, the attacker’s rogue server intercepts the communication and acts as a DHCP server by replying with fake IP addresses.
DORA – DHCP Discover (broadcast from the client), DHCP Offer (broadcast from the server), DHCP Request (broadcast from the client), DHCP ACK (from the server).
By installing a rogue DHCP server, the attacker can send incorrect TCP/IP settings, such as a wrong default gateway (the attacker becomes the gateway), a wrong DNS server (the attacker becomes the DNS server), a wrong IP address, or DoS with a spoofed IP.
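Both DHCP attacks above (starvation in item 6 and the rogue server in item 7) can be audited from the DORA exchange itself. The following Python is an added example and not code from the original notes: it walks a constructed capture of DHCP messages, flags any Offer or ACK that did not come from the authorized server, flags a client Request that chose the rogue server's lease, flags an authorized offer carrying an unexpected gateway or DNS option, and measures the burst of Discover messages from distinct MACs that characterizes starvation. The authorized server, expected options and all addresses are assumptions made up for the example.

```python
# Assumed per-site facts (constructed): the one authorized DHCP server and the
# gateway/DNS values its offers are expected to carry.
AUTHORIZED_SERVERS = {"192.168.1.2"}
EXPECTED_ROUTER = "192.168.1.1"
EXPECTED_DNS = "192.168.1.2"

# Constructed capture: a legitimate DORA exchange with a rogue server answering
# first (and the client taking that lease), then a burst of Discovers from many
# different MACs, which is what starvation looks like.
SAMPLE_DHCP = [
    {"t": 0.00, "op": "DISCOVER", "client_mac": "aa:bb:cc:00:00:10"},
    {"t": 0.02, "op": "OFFER", "server": "192.168.1.66", "client_mac": "aa:bb:cc:00:00:10",
     "yiaddr": "192.168.1.51", "router": "192.168.1.66", "dns": "192.168.1.66"},
    {"t": 0.10, "op": "OFFER", "server": "192.168.1.2", "client_mac": "aa:bb:cc:00:00:10",
     "yiaddr": "192.168.1.50", "router": "192.168.1.1", "dns": "192.168.1.2"},
    {"t": 0.12, "op": "REQUEST", "server": "192.168.1.66", "client_mac": "aa:bb:cc:00:00:10"},
    {"t": 0.14, "op": "ACK", "server": "192.168.1.66", "client_mac": "aa:bb:cc:00:00:10",
     "yiaddr": "192.168.1.51", "router": "192.168.1.66", "dns": "192.168.1.66"},
] + [
    {"t": 5.0 + i * 0.02, "op": "DISCOVER", "client_mac": f"de:ad:be:ef:00:{i:02x}"}
    for i in range(30)
]


def audit_dhcp_servers(messages, authorized=AUTHORIZED_SERVERS,
                       router=EXPECTED_ROUTER, dns=EXPECTED_DNS):
    """Return alert strings for server-side anomalies in a DORA capture."""
    alerts = []
    for m in messages:
        op = m["op"]
        if op == "DISCOVER":
            continue                       # no server identity to check yet
        server = m.get("server")
        if op == "REQUEST":
            # The client names the server whose offer it accepted.
            if server not in authorized:
                alerts.append(f"client-chose-rogue {m['client_mac']} requested lease from {server}")
            continue
        # OFFER or ACK: the server identifier must be one we operate.
        if server not in authorized:
            alerts.append(f"rogue-dhcp-server {server} sent {op} to {m['client_mac']}")
        elif m.get("router") != router or m.get("dns") != dns:
            alerts.append(f"unexpected-options from {server}: "
                          f"router={m.get('router')} dns={m.get('dns')}")
    return alerts


def max_discovers_in_window(messages, window_s=1.0):
    """Largest number of distinct client MACs sending DISCOVER within any
    window_s-second span; a sudden jump above the site's normal join rate is
    the starvation signal."""
    events = sorted((m["t"], m["client_mac"]) for m in messages if m["op"] == "DISCOVER")
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window_s:
            start += 1
        best = max(best, len({mac for _, mac in events[start:end + 1]}))
    return best


if __name__ == "__main__":
    for line in audit_dhcp_servers(SAMPLE_DHCP):
        print(line)
    print("peak DISCOVERs per second:", max_discovers_in_window(SAMPLE_DHCP))
```

The switch-side control that prevents rather than detects this is DHCP snooping, which drops Offer/ACK frames on untrusted ports; the audit here is what a defender runs on a capture to confirm the rogue offer was actually accepted (the Request names the chosen server) rather than merely seen.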
8. MAC Spoofing Attack
A MAC spoofing attack is launched by sniffing a network for MAC addresses of clients that are actively associated with a switch port, and re-using one of those addresses.
By intercepting the network traffic, the attacker replicates a legitimate user’s MAC address to receive all the traffic intended for the specific user.
This attack enables an attacker to gain access to the network by faking the identity of another person who is already on the network.
Attacker sniffs the network for MAC addresses of the currently associated users and then uses one of those MAC addresses to attack other users associated to the same switch port.
9. Network-based Denial-of-Service Attack (DoS)
In a network-based DoS attack, the attacker sends a large amount of traffic to the target network, thereby exhausting the victim’s connection resources.
The attacker does this by exploiting the existing implementation of network protocols.
Examples of OS-specific DoS attacks include:
TCP SYN Flooding, UDP Flooding, ICMP Smurf Flooding, Intermittent Flooding
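TCP SYN flooding exhausts the victim's connection resources by leaving handshakes half open. The Python below is an added example, not code from the original notes: it replays a constructed list of client-side TCP packet summaries, tracks which handshakes received the client's completing ACK, and reports per-source and total half-open counts. The addresses, ports and thresholds are assumptions made up for the example.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10   # TCP flag bits

# Constructed packet summaries: (ts, src, sport, dst, dport, tcp_flags).
# 10.0.0.5 completes three handshakes; 203.0.113.7 sends 40 SYNs and never ACKs.
SAMPLE_PACKETS = []
for i in range(3):
    SAMPLE_PACKETS.append((1.0 + i, "10.0.0.5", 50000 + i, "10.0.0.80", 443, SYN))
    SAMPLE_PACKETS.append((1.2 + i, "10.0.0.5", 50000 + i, "10.0.0.80", 443, ACK))
for i in range(40):
    SAMPLE_PACKETS.append((2.0 + i * 0.01, "203.0.113.7", 40000 + i, "10.0.0.80", 443, SYN))
SAMPLE_PACKETS.sort()


def half_open_per_source(packets):
    """Count, per source IP, handshakes that saw a SYN but never the client's
    completing ACK. Only client-side packets are needed for that decision, so
    the server's SYN-ACK is not modelled."""
    pending = set()
    for ts, src, sport, dst, dport, flags in packets:
        flow = (src, sport, dst, dport)
        if flags & SYN and not flags & ACK:
            pending.add(flow)
        elif flags & ACK and flow in pending:
            pending.discard(flow)
    counts = defaultdict(int)
    for src, *_ in pending:
        counts[src] += 1
    return dict(counts)


def flood_sources(packets, threshold=20):
    """Sources holding at least `threshold` half-open handshakes."""
    return sorted(src for src, n in half_open_per_source(packets).items() if n >= threshold)


def total_half_open(packets):
    """Aggregate half-open count; compare this against a learned baseline, because
    a flood with randomized (spoofed) source addresses keeps every per-source
    count small while the total still climbs."""
    return sum(half_open_per_source(packets).values())


if __name__ == "__main__":
    print(half_open_per_source(SAMPLE_PACKETS))
    print("flooding:", flood_sources(SAMPLE_PACKETS), "total half-open:", total_half_open(SAMPLE_PACKETS))
```

The aggregate counter is the important one: attackers spoof source addresses precisely so that per-source thresholds never trip, so the mitigation side (SYN cookies, connection-rate limits at the edge) is driven off the total, not the top talker list.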
10. Distributed Denial-of-Service Attack (DDoS)
A DDoS attack involves a multitude of compromised systems attacking a single target, thereby causing a denial of service for legitimate users.
DDoS attacks disable the entire network and hinder business operations, causing financial loss and poor reputation.
An attacker uses botnets to exploit vulnerabilities that exist in the target system and convert it into a bot. This is used to infect the target with malware, or to obtain control of other systems on the network.
Two types of DDoS: Network-centric attack – overloads a service by consuming bandwidth. Application-centric attack – overloads a server by inundating it with packets.
11. Malware Attack
Malware is software or malicious code that installs on a system without the user’s knowledge.
A malware attack disrupts services, damages systems, gathers sensitive information, etc.
Examples of malware include viruses, trojans, adware, spyware, rootkits, and backdoors.
Virus – A self-replicating program that attaches itself to another program, computer boot sector, or a document.
Spyware – A piece of software code that extracts user information and sends it to attackers.
Trojan – A program that appears to be legitimate or useful software but contains hidden and harmful code
Rootkit – A malicious software program that conceals certain activities from detection by the operating system.
Adware – A software program that tracks the user’s browsing patterns for marketing purposes and to display advertisements.
Backdoor – A program that enables attackers to bypass authentication checks such as by gaining administrative privileges without passwords.
12. Advanced Persistent Threats (APTs)
An Advanced Persistent Threat (APT) is defined as a type of network attack in which an attacker gains unauthorized access to a target network and remains there undetected for a long period of time.
The main objective behind these attacks is to obtain sensitive information rather than sabotaging the organization and organization network.
Information obtained during APT attacks
Classified documents
User credentials
Employee or customer personal information
Network information
Transaction Information
Credit card information
Organization business strategy information
Control system access information
Typical time before an APT is detected: 208 days
Application-level attack techniques
1. SQL Injection Attack
SQL injection attacks use a series of malicious SQL queries to directly manipulate a database.
An attacker can use a vulnerable web application to bypass normal security measures and obtain direct access to valuable data.
SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches.
This attack is possible only when the application executes dynamic SQL statements and stored procedures with arguments based on user input.
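The precondition named above, dynamic SQL built from user input, is easiest to see beside its fix. The Python below is an added example, not code from the original notes: it builds a constructed in-memory SQLite table, runs the same lookup once with string concatenation and once with a bound parameter, and shows that a tautology in the input changes the result of the first but not the second. The table, rows and the input string are assumptions made up for the example.

```python
import sqlite3


def make_sample_db():
    """Constructed in-memory users table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, username):
    # Dynamic SQL assembled from user input: the quote characters in the input
    # become part of the statement, so the input can rewrite the WHERE clause.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    # Same query with a bound parameter: the driver passes the value separately
    # from the statement text, so the input can never alter the query structure.
    # Stored procedures called with concatenated arguments need the same treatment.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed input that turns the concatenated WHERE clause into a tautology.
INJECTION_INPUT = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_sample_db()
    print("vulnerable:   ", find_user_vulnerable(db, INJECTION_INPUT))
    print("parameterized:", find_user_parameterized(db, INJECTION_INPUT))
```

The parameterized form returns no rows for the injected string because it looks for a user literally named `x' OR '1'='1`; the concatenated form returns every row. Input validation is a useful second layer, but parameterization is the control that removes the vulnerability class.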
2. Cross-site Scripting (XSS) Attack
Cross-site scripting (XSS) attacks exploit vulnerabilities in dynamically generated web pages, which enable malicious attackers to inject client-side script into web pages viewed by other users.
It occurs when unvalidated input data is included in dynamic content that is sent to a user’s web browser for rendering.
Attackers inject malicious JavaScript, VBScript, ActiveX, HTML or Flash for execution on a victim system by hiding it within legitimate requests.
3. Parameter Tampering Attack
A web parameter tampering attack involves manipulation of parameters exchanged between client and server in order to modify application data such as user credentials and permissions, or the price and quantity of products.
A parameter tampering attack exploits vulnerabilities in integrity and logic validation mechanisms, which may result in XSS, SQL injection, etc.
4. Directory Traversal Attack
Directory traversal enables attackers to access restricted directories including application source code, configuration, and critical system files, and execute commands outside the webserver’s root directory.
Directory traversal gives access to files located outside the web publishing directory.
Attackers can manipulate variables that reference files with “dot-dot-slash” (../) sequences and their variations.
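The defence against the sequences described above is to resolve the requested path and confirm it still lies under the document root before touching the file system. The Python below is an added example, not code from the original notes: it decodes the request once, resolves it against an assumed web root, and rejects anything that escapes the root, including an absolute path and a URL-encoded variation. The root directory and the request strings are assumptions made up for the example.

```python
from pathlib import Path
from urllib.parse import unquote

WEB_ROOT = "/var/www/site"   # assumed document root (constructed for this example)


def resolve_under_root(root, requested):
    """Return the resolved path if it stays inside `root`, else None."""
    root_path = Path(root).resolve()
    # Decode exactly once, so the check sees the same string the file-system
    # layer will see. Decoding a second time later would defeat the check.
    decoded = unquote(requested)
    # Joining an absolute path discards root_path entirely; the containment
    # test below is what rejects that case, not the join itself.
    candidate = (root_path / decoded).resolve()
    try:
        candidate.relative_to(root_path)   # raises ValueError when outside root
    except ValueError:
        return None
    return candidate


def is_allowed(root, requested):
    return resolve_under_root(root, requested) is not None


if __name__ == "__main__":
    for req in ["images/logo.png", "../../etc/passwd", "/etc/passwd",
                "..%2f..%2fetc%2fpasswd", "images/../../../etc/passwd"]:
        print(f"{req!r:35} -> {resolve_under_root(WEB_ROOT, req)}")
```

A double-encoded string such as `..%252f..%252fetc%252fpasswd` decodes once to a literal file name under the root and is accepted by this check; that is safe only as long as no later layer decodes it again, which is why decode-then-check has to happen exactly once, at the boundary.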
5. Cross-site Request Forgery (CSRF) Attack
Cross-site request forgery (CSRF) attacks exploit web page vulnerabilities that enable an attacker to force an unsuspecting user’s browser to send malicious requests
The victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim’s session, compromising its integrity
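The reason the forged request in the description above succeeds is that the browser attaches the session cookie automatically; the standard fix is a per-session token that the malicious site cannot read. The Python below is an added example, not code from the original notes: it derives a CSRF token from the session identifier with an HMAC, verifies it in constant time, and shows a state-changing handler accepting the legitimate form but rejecting the cross-site one. The session store, secret, request shapes and form fields are assumptions made up for the example.

```python
import hashlib
import hmac
import secrets

# Assumed per-deployment secret; in practice loaded from configuration.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed session store: session id -> user.
SESSIONS = {"sess-abc": "alice"}


def issue_csrf_token(session_id, secret=SERVER_SECRET):
    """Token bound to the session, so a token stolen from one session is useless in another."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id, submitted_token, secret=SERVER_SECRET):
    if not isinstance(submitted_token, str) or not submitted_token.isascii():
        return False
    expected = issue_csrf_token(session_id, secret)
    return hmac.compare_digest(expected, submitted_token)   # constant-time compare


def handle_transfer(request, sessions=SESSIONS):
    """State-changing endpoint: requires a live session AND a matching token."""
    sid = request["cookies"].get("session")
    if sid not in sessions:
        return 401, "no session"
    if not verify_csrf(sid, request["form"].get("csrf_token")):
        return 403, "csrf check failed"
    return 200, f"{sessions[sid]} transferred {request['form']['amount']} to {request['form']['to']}"


# Constructed requests. Both carry the cookie (the browser adds it to any request
# for the site), but only the page served by the site can embed the token.
LEGIT_REQUEST = {
    "cookies": {"session": "sess-abc"},
    "form": {"csrf_token": issue_csrf_token("sess-abc"), "amount": "100", "to": "bob"},
}
FORGED_REQUEST = {
    "cookies": {"session": "sess-abc"},
    "form": {"amount": "100", "to": "mallory"},   # no token: another origin cannot read it
}


def demo():
    return handle_transfer(LEGIT_REQUEST)[0], handle_transfer(FORGED_REQUEST)[0]


if __name__ == "__main__":
    print(demo())   # expected (200, 403)
```

Marking the session cookie `SameSite=Lax` or `Strict` stops the browser attaching it to most cross-site requests in the first place; the token check remains the primary control because SameSite coverage depends on browser behaviour.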
6. Application-level DoS Attack
Attackers exhaust available server resources by sending hundreds of resource-intensive requests, such as retrieving large image files or requesting dynamic pages that require expensive search operations on the backend database servers.
Application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as those of legitimate clients, which makes them undetectable by existing DoS protection measures.
Targets
CPU, Memory, and Sockets
Disk Bandwidth
Database Bandwidth
Worker Processes
Why are applications vulnerable to DoS?
Reasonable use expectations
Application Environment Bottlenecks
Implementation Flaws
Poor Data Validation
7. Session Hijacking Attack
Session hijacking refers to an attack where an attacker takes over a valid TCP communication session between two computers
Attackers can sniff all the traffic from the established TCP sessions and perform identity theft, information theft, fraud, etc.
The attacker steals a valid session ID and uses it to authenticate themselves with the server.
social engineering attack techniques
Social engineering is the art of convincing people to reveal confidential information.
Impersonation:
In this social engineering attack, the attacker pretends to be someone legitimate or an authorized person
Attackers may impersonate a legitimate or authorized person either in person or by using a communication medium such as phone, email, etc.
Impersonation enables attackers to trick a target into revealing sensitive information
Posing as a legitimate end user – Provide an identity and ask for the sensitive information. “Hi! This is John from the finance department. I have forgotten my password. Can I get it?”
Posing as an important user – Posing as a VIP of a target company, valuable customer, etc. “Hi! This is Kevin, CFO Secretary. I’m working on an urgent project and lost my system’s password. Can you help me out?”
Posing as technical support – Call as technical support staff and request IDs and passwords. “Sir, this is Mathew, technical support, X company. Last night we had a system crash here, and we are checking for the lost data. Can you give me your ID and password?”
Eavesdropping
Eavesdropping refers to unauthorized listening of conversations, or reading of messages
Interception of audio, video, or written communication
It can be conducted using communication channels such as telephone lines, email and instant messaging.
Shoulder Surfing
Shoulder surfing uses direct observation techniques, such as looking over someone’s shoulder, to get information such as passwords, PINs and account numbers.
Shoulder surfing can also be conducted from a longer distance with the aid of vision-enhancing devices such as binoculars that are equipped with the capability of obtaining long-distance information.
Dumpster Diving
Dumpster diving is looking for sensitive information such as phone bills, contact information, financial information, and operations and related information, in someone’s trash
Piggybacking
An authorized person allows (intentionally or unintentionally) an unauthorized person to pass through a secure door.
Tailgating
An unauthorized person, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door requiring key access.
email attack techniques
Malicious Email Attachments
Email attachments are major security threats, as they may deliver malware such as viruses, worms, trojans, rootkits, and spyware to a victim computer when the victim opens them.
Malicious User Redirection
Emails may contain links, which on clicking may redirect the victim to websites hosting malware
Phishing
The attacker sends an email asking victim for personal / financial information along with a link similar to a genuine website
If the victim clicks the link, enters details, and then clicks “Submit”, the information is sent to the attacker.
Spamming
Spam refers to unsolicited commercial advertisements distributed online. Spam often contains fake, unreliable, and worthless content.
Although email remains the most common way of sending spam, it can also be found in online message boards and chat rooms.
Spam continues to exist due to people who respond to them.
mobile device-specific attack techniques
Rooting and Jailbreaking
Rooting in Android Phones – rooting enables Android users to attain privileged control, known as root access, within Android’s subsystem. Rooting involves exploiting security vulnerabilities in the device firmware, copying the su binary to a location in the current process’s PATH (e.g. /system/xbin/su) and granting it executable permissions with the chmod command.
Jailbreaking in iOS Phones – Jailbreaking is defined as the process of installing a modified set of kernel patches that enables users to run third-party applications not signed by the OS vendor. Jailbreaking provides root access to the operating system and permits downloading of third-party applications, themes and extensions on iOS devices.
Uploading Malicious Apps in App Store
Insufficient or no vetting of apps leads to malicious and fake apps entering app marketplace
App stores are common targets for attackers to distribute malware and malicious apps
Attackers can social engineer users to download and run apps outside the official app stores
Malicious apps can damage other applications and data, and send sensitive data to attackers
Mobile Spamming
Unsolicited text/email messages sent to mobile devices from known/unknown phone numbers/email IDs.
Spam messages contain advertisements or malicious links that can trick users into revealing confidential information
Significant amount of bandwidth is wasted by spam messages
Spam attacks are conducted for financial gain
SMS Phishing Attack (SMiShing)
SMS Phishing is the act of attempting to acquire personal and financial information by sending SMS (or IM) containing a deceptive link.
Why is SMS Phishing Effective?
Most users access the Internet through a mobile device
Easy to set up a mobile phishing campaign
Difficult to detect and stop before they cause harm
Mobile users are not accustomed to receiving spam text messages on their mobile
No mainstream mechanism for weeding out spam SMS
Most mobile anti-virus applications do not check the SMS
Bluebugging Attack
Mobile device pairing on open connections (public Wi-fi/unencrypted Wi-fi ) enables attackers to eavesdrop and intercept data transmission using techniques such as:
Bluesnarfing (Stealing information via Bluetooth)
Bluebugging (Gaining control over the device via Bluetooth)
Sharing data from malicious devices can infect/breach data on the recipient device
cloud specific attack techniques
- Data breach/loss
- Abuse and nefarious use of cloud services
- Insecure interfaces and APIs
- Insufficient due diligence
- Shared technology issues
- Unknown risk profile
- Unsynchronized system clocks
- Inadequate infrastructure design and planning
- Conflicts between client hardening procedures and cloud environment
- Loss of operational and security logs
- Malicious insiders
- Illegal access to cloud systems
- Loss of business reputation due to co-tenant activities
- Privilege escalation
- Natural disasters
- Hardware failure
- Supply chain failure
- Modifying network traffic
- Isolation failure
- Cloud provider acquisition
- Management interface compromised
- Network management failure
- Authentication attacks
- VM-level attacks
- Lock-in
- Licensing risks
- Loss of governance
- Loss of encryption keys
- Risks from changes of jurisdiction
- Undertaking malicious probes or scans
- Theft of computer equipment
- Cloud service termination or failure
- Subpoena and e-discovery
- Improper data handling and disposal
- Loss or modification of backup data
- Compliance risks
- Economic denial of sustainability (EDOS)
- Lack of security architecture
- Hijacking accounts
OWASP top 10 Cloud Security Risks
R1 – Accountability and Data Ownership – Using public cloud for hosting business services can cause severe risk for the recoverability of data
R2 – User Identity – Creating multiple user identities for different cloud providers makes it complex to manage multiple user IDs and credentials
R3 – Regulatory Compliance – Lack of transparency, and different regulatory laws in different countries
R4 – Business Continuity and Resiliency – Risk or monetary loss if the cloud provider handles business continuity improperly
R5 – User Privacy and Secondary Usage of Data – The default share feature in social websites can jeopardize the privacy of a user’s personal data
R6 – Service and Data integration – Unsecure data in transit is susceptible to eavesdropping and interception attacks
R7 – Multi Tenancy and Physical Security – Inadequate logical segregation may lead to tenants interfering with the security features of each other
R8 – Incident Analysis and Forensic Support – Due to the distributed storage of logs across the cloud, law enforcement agencies may face challenges in forensic recovery
R9 – Infrastructure Security – Misconfiguration of infrastructure may allow network scanning for vulnerable applications and services
R10 – Non-Production Environment Exposure – Using non-production environments increases the risk of unauthorized access, information disclosure, and information modification.
wireless network attack techniques
War Driving – Attackers drive around with Wifi enabled laptops to detect open wireless networks
Client Misassociation – An attacker sets up a rogue access point outside the corporate perimeter and tricks employees to connect to it
Unauthorized Association – Attackers infect a victim machine and activate APs to provide them with an unauthorized connection to the enterprise network
Honeypot Access Point Attack – An attacker traps people by using fake APs
Rogue Access Point Attack – Rogue wireless access points placed in an 802.11 network can be used to hijack the connections of legitimate network users
Misconfigured Access Point Attack – Misconfigured access points enable intruders to steal the SSID, giving them access to the network
Ad Hoc Connection Attack – Wi-Fi clients communicate directly via an ad hoc mode that does not require an AP to relay packets
AP MAC Spoofing – A hacker spoofs the MAC address of a WLAN client’s equipment to act as an authorized client, connects to the AP as the client and eavesdrops on the traffic.
Denial-of-Service Attacks – Wireless DoS attacks disrupt network wireless connection by sending broadcast “de-authenticate” commands
WPA-PSK Cracking – Attackers sniff and capture authentication packets and run a brute force attack to crack the WPA-PSK key
RADIUS Replay – Attackers replay the valid RADIUS server response and successfully authenticate to the client without valid credentials
MAC Spoofing Attack – An attacker spoofs the MAC of a client and attempts to authenticate to the AP, which leads to the updating of the MAC address information in the network routers and switches
WEP Cracking – Attackers sniff and capture packets and run a WEP cracking program to obtain the WEP key
Man-in-the-middle Attack – Attackers deploy a rogue AP and spoof the client’s MAC address to position themselves between the real AP and the client to listen to the traffic.
Fragmentation Attack – Attackers obtain 1500 bytes of a pseudo random generation algorithm (PRGA) to generate forged WEP packets that are in turn used for various injection attacks.
Jamming Signal Attack – An attacker stakes out the area from a nearby location with a high-gain amplifier, drowning out the legitimate access point.
hacking methodologies and frameworks
Reconnaissance
Scanning
Gaining Access
Maintaining Access
Clearing Tracks
Lockheed Martin’s Cyber Kill Chain
Recon – Gather data on the target to probe for weak points
Weaponization – Create a deliverable malicious payload using an exploit and a backdoor
Delivery – Send a weaponized bundle to the victim using email, USB, etc.
Exploitation – Exploit a vulnerability by executing code on the victim system
Installation – Install a malware on the target system
Command and Control – Create a command control channel to communicate and pass data back and forth
Actions on Objectives – Perform actions to achieve the intended objectives and goals
MITRE ATT&CK Framework
attack.mitre.org
Understanding the tactics and techniques adopted by attackers is key to success
The ultimate goal of network defense is to protect an organization’s information, systems and network infrastructure from unauthorized access, misuse, modification, denial of service, or any degradation and disruption
Organizations rely on Information Assurance (IA) principles to attain defense-in-depth security
Information Assurance (IA) principles act as enablers for an organization’s security activities to protect and defend the organizational network from security attacks.
Confidentiality – Ensures information is not disclosed to unauthorized parties
Integrity – Ensures information is not modified or tampered with by unauthorized parties
Availability – Ensures information is available to authorized parties without any disruptions
Non-repudiation – Ensures that a party to a communication cannot deny sending the message
Authentication – Ensures the identity of an individual is verified by the system or service.
Network Defense Benefits
Protect information assets
Comply with government and industry-specific regulations
Ensure secure communication with clients and suppliers
Reduce the risk of being attacked
Gain competitive edge over competitors by providing more secure services.
Challenges
Distributed Computing Environments: With the advancement of modern technology and the need to meet business requirements, networks are becoming vast and complex, potentially leading to serious security vulnerabilities. Attackers exploit exposed security vulnerabilities to compromise network security.
Emerging Threats: Potential threats to the network evolve each day. Network security attacks are becoming technically more sophisticated and better organized.
Lack of Network Security Skills: Organizations are failing to defend themselves against rapidly increasing network attacks due to the lack of network security skills.
Continual/Adaptive Security Strategy
Computer network defense involves applying a set of rules, configurations, processes and measures to protect the integrity, confidentiality and availability of the network’s information systems and resources.
Network security approaches: Preventive approaches – consist of methods or techniques that are used to avoid threats or attacks on the target network
Reactive approaches – consist of methods or techniques that are used to detect attacks on the target network
Retrospective Approaches – Consist of methods or techniques that examine the causes for attacks, and contain, remediate, eradicate, and recover from damage caused by the attack on the target network.
Proactive Approaches- Consist of methods or techniques that are used to make informed decisions on potential attacks in the future on the target network
Protect – This includes a set of prior countermeasures taken towards eliminating all the possible vulnerabilities of the network: protect endpoints, protect networks, protect data
Detect – This involves continuous monitoring of the network and identifying abnormalities and their origins. Continuous threat monitoring
Respond – This involves a set of actions taken to contain, eradicate, mitigate, and recover from the impact of attacks on the network. Incident Response
Predict – This involves identifying most likely attacks, target, and methods prior to materialization of a potential attack, Risks and Vuln assessment, attack surface analysis, threat intelligence
Administrative Security Control
The management implements administrative controls to ensure the safety of the organization
Regulatory framework Compliance
Employee Monitoring and Supervising
Security Policy
Information Classification
Security Awareness and Training
Physical Security
This is a set of security measures taken to prevent unauthorized access to physical devices
Fences
Locks
Badge System
Security guard
Biometrics system
Mantrap doors
Lighting
Motion detectors
Closed-circuit TVs
Alarms
Technical Security Controls
This is a set of security measures taken to protect data and systems from unauthorized personnel
Access Controls
Authentication
Authorization
Auditing
Security Protocols
Network Security Devices
Technology, Operations and People
Appropriate selection of technology, well-defined operations, and skilled people are required for effective implementation of security strategies.
Technology
Selecting appropriate technology is crucial, as improper selection of technology can provide a false sense of security.
Example questionnaire for facilitating appropriate selection of technology:
Which of firewalls, IDS, antivirus, etc., are required for the network?
Which type of encryption algorithm should be used?
Is a centralized or a distributed access mechanism more suitable for the network?
What type of password complexity should be adopted?
Should critical servers be placed on a separate segment?
Operations
Technological implementations are by themselves not sufficient; they should be supported by well-defined operations.
Examples of operations:
Creating and enforcing security policies
Creating and enforcing standard network operations procedures
Planning business continuity
Configuration control management
Creating and implementing incident response processes
Planning disaster recovery
Providing security awareness training
Enforcing security as a culture
People
Appropriate technology and well-defined operations cannot replace skilled people, who are required to implement the technology and manage the well-defined operations.
Blue Team:
The people who are collectively responsible for developing effective network defense are generally part of the blue team.
The blue team is responsible for determining the overall adequacy of security measures. They examine the current security status and any security deficiencies existing in the network, and propose effective security measures to defend the network from various types of attacks.
The blue team includes network defenders such as network administrators, network security administrators / engineers, security analysts, network technicians, end users, and people involved in network security operations.
Multi layered Security – Defense-in-Depth
Data is of utmost importance and is at the core of any organization. The layers, from the outermost inward:
Policies, Procedures, and Awareness – Policies related to Internet access, acceptable use, user accounts, firewalls, email security, passwords, physical security, BYOD; compliance with standards such as ISO/IEC 27001, PCI-DSS, HIPAA, etc.
Physical – Physical locks, access controls, security personnel, fire-fighting systems, power supply, video surveillance, lighting, alarm systems, etc.
Perimeter – Servers, DNS, routers, firewalls, switches
Internal Network – Routers, servers, switches, firewalls
Host – OS, antivirus, patch management, password management, logging, etc.
Applications – Blacklisting, whitelisting, patch management, password management, application configuration, firewalls, etc.
Data – Encryption, hashing, data access controls, data leakage prevention, data backup, data recovery, data retention, data disposal, etc.
Organizations should adopt a defense-in-depth security strategy for effective protection of their information systems and resources.
Summary
A threat is an act in which an adversary attempts to gain unauthorized access to an organization’s network by exploiting communication paths
Intent, capability, and opportunity invariably exist behind the presence of a threat
Attackers follow various attack methodologies for the successful execution of an attack
Computer network defense includes a set of processes and protective measures adopted to defend the network against service or network denial, degradation, and disruption.
The blue team is collectively responsible for developing effective network defense
Organizations must adopt continual security improvement and defense-in-depth security strategies for effective protection of their information systems and resources.