NSA-Unit 5

Uploaded by

ratthepn

CCT 402 -1 Network Security Administration
Unit 5
IDS types and detection models
• Network Intrusion Detection System
• NIDSs are beneficial because:
• They can analyze all inbound and outbound traffic
• They detect events in real-time, allowing for quick response times
• They’re more challenging for intruders to detect
• They can be strategically placed in critical areas

• However, NIDSs aren’t perfect. Potential downsides include:


• Hands-on maintenance – Because a NIDS is typically installed on a dedicated piece of
hardware, you may need to spend more time manually interacting with it.
• Low specificity – The more traffic a NIDS tool analyzes, the more likely it is to lack
specificity and miss signs of an intrusion.
• Network Node Intrusion Detection System
This differentiation comes with several benefits, such as:
• Higher speeds – Since the amount of traffic each NNIDS agent
analyzes is reduced, the system can work faster.
• Taking up fewer resources – In the same vein, NNIDS uses fewer
system resources. As such, you can easily install it on your current
servers.
• Host Intrusion Detection System

• A Host Intrusion Detection System (HIDS) takes the device independence of NNIDS one step further.
With a HIDS, you can install IDS software on every device connected to your network.
• HIDSs work by taking “snapshots” of their assigned device. By comparing the most recent snapshot
to past records, the HIDS can identify the differences that could indicate an intrusion.
• HIDSs are advantageous because:
• They can be installed on computers or servers
• They can pinpoint the affected device
• They notify administrators if analytical system files were modified or deleted
• They’re particularly effective against insider threats
• Unfortunately, HIDS solutions can suffer from “after-the-fact” monitoring. Because many HIDS
solutions rely on logs that record intrusions, your mean time to respond (MTTR) may be slower
overall. As such, proper use of an HIDS requires frequent monitoring.
• Protocol-Based Intrusion Detection System
• A Protocol-Based Intrusion Detection System (PIDS) is a specific IDS that
monitors the protocol in use. In practice, this system typically analyzes the
HTTP or HTTPS protocol stream between your devices and the server.
• In most cases, a PIDS will go at the front end of a server. The system can
protect your web server by monitoring inbound and outbound traffic.
• Because they focus on the protocol (the way devices transmit information
within a network), PIDSs aren’t necessarily a comprehensive IDS solution.
However, they can augment an already robust cybersecurity solution.
• Application Protocol-Based Intrusion Detection System
• An Application Protocol-Based Intrusion Detection System (APIDS) is a type
of IDS that specializes in software app security. Typically associated with
host-based intrusion detection systems (HIDS), APIDSs monitor the
communications that occur between applications and the server. An APIDS is
typically installed on groups of servers.
• As with a PIDS, an APIDS is unlikely to solve all of your network monitoring
needs. Still, it can complement other types of IDS.
Intrusion Detection System Methods
• Signature-Based Intrusion Detection
• Signature-Based Intrusion Detection Systems (SIDS) aim to identify
patterns and match them with known signs of intrusions.
• A SIDS relies on a database of previous intrusions. If activity within your
network matches the “signature” of an attack or breach from the database,
the detection system notifies your administrator.
• Since the database is the backbone of a SIDS solution, frequent database
updates are essential, as SIDS can only identify attacks it recognizes. As a
result, if your organization becomes the target of a never-before-seen
intrusion technique, no amount of database updates will protect you.
• Anomaly-Based Intrusion Detection
• On the other hand, an Anomaly-Based Intrusion Detection System
(AIDS) can identify these new zero-day intrusions.
• An AIDS uses machine learning (ML) and statistical data to create a model of
“normal” behavior. Anytime traffic deviates from this typical behavior, the
system flags it as suspicious.
• The primary issue with AIDS vs. SIDS is the potential for false positives.
After all, not all changes are the result of malicious activity; some are simply
indications of changes in organizational behavior. But because an AIDS has no
database of known attacks to reference, it may report any and all anomalies
as intrusions.
Hybrid Intrusion Detection
• A hybrid system combines the best of both worlds. By looking at
patterns and one-off events, a Hybrid Intrusion Detection system can flag
new and existing intrusion strategies.
• The only downside to a hybrid system is the even bigger uptick in flagged
issues. However, considering that the purpose of an IDS is to flag potential
intrusions, it’s hard to see this increase in flags as a negative.
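The hybrid approach described above, as an added example (not from the original slides): a signature pass over HTTP request lines combined with a statistical baseline on per-minute request counts. The signature patterns, log format, baseline values and threshold are all constructed assumptions.

```python
import re
import statistics
from collections import Counter

# Constructed signature database: name -> pattern of a known-bad request.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection-probe": re.compile(r"(?i)union\s+select"),
}

# Constructed baseline: requests per minute seen during normal operation.
BASELINE = [4, 5, 6, 5, 4, 6, 5, 5]

# Constructed log lines in the form "<HH:MM> <client> <request path>".
LOG = (
    [f"10:00 10.0.0.{i} /index.html" for i in range(1, 6)]
    + ["10:01 10.0.0.7 /download?file=../../etc/passwd"]
    + [f"10:01 10.0.0.{i} /index.html" for i in range(1, 5)]
    + [f"10:02 10.0.0.9 /api/item/{i}" for i in range(12)]
)


def parse(line):
    """Split one log line into (minute, client, path)."""
    minute, client, path = line.split(" ", 2)
    return minute, client, path


def signature_alerts(lines):
    """SIDS side: flag requests that match a known signature."""
    alerts = []
    for line in lines:
        minute, client, path = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append(("signature", minute, client, name))
    return alerts


def anomaly_alerts(lines, baseline, z_threshold=3.0):
    """AIDS side: flag minutes whose request count deviates from the
    baseline by more than z_threshold standard deviations."""
    mean = statistics.mean(baseline)
    # A perfectly flat baseline has sigma 0; fall back to 1 to avoid dividing by zero.
    sigma = statistics.pstdev(baseline) or 1.0
    per_minute = Counter(parse(line)[0] for line in lines)
    alerts = []
    for minute, count in sorted(per_minute.items()):
        z = (count - mean) / sigma
        if abs(z) > z_threshold:
            alerts.append(("anomaly", minute, count))
    return alerts


def hybrid_alerts(lines, baseline):
    """Hybrid: the union of both detectors' findings."""
    return signature_alerts(lines) + anomaly_alerts(lines, baseline)


if __name__ == "__main__":
    for alert in hybrid_alerts(LOG, BASELINE):
        print(alert)
```

On this sample the signature pass alone misses the 10:02 burst (no known pattern), and the anomaly pass alone misses the single traversal request at 10:01 (normal volume); the hybrid reports both.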
Wireless IDS
An example tool
• https://en.kali.tools/?p=83
• Wireless IDS is an open source tool written in Python that runs on Linux. It sniffs the surrounding wireless traffic for suspicious
activity such as WEP/WPA/WPS attack packets. It does the following:
• Detects mass deauthentication frames sent to a client or access point; an unreasonable number of them indicates a possible WPA attack to capture handshakes.
• Detects data sent continually to an access point using the broadcast MAC address, which indicates a possible WEP attack.
• Detects an unreasonable amount of communication between a wireless client and an access point using EAP authentication, which indicates a possible WPS
brute-force attack by Reaver / WPSCrack.
• Detects a client changing its connection to another access point, which may mean it has connected to a rogue AP (the user needs to assess
whether the AP names are similar).
• Detects possible rogue access points responding to probes from wireless devices in the surroundings.
• Subsequent revision (Detection)
• Display similar Access Point's name (SSID) which could have the possibility of WiFi 'Evil Twins'.
• Display of probing SSID by wireless devices
• Detection of Korek Chopchop packets sent by Aircrack-NG (WEP attacks)
• Detection of Fragmentation PRGA packets sent by Aircrack-NG (WEP attacks)
• Detection of possible WPA Downgrade attack by MDK3
• Detection of possible Michael Shutdown exploitation (TKIP) by MDK3
• Detection of Beacon flooding by MDK3
• Detection of possible Authentication DoS by MDK3
• Detection of possible association flooding
• Detection of WPA Migration Attack by Aircrack-NG (WPA Attack)
• Subsequent revision (Functions)
• Allow logging of events to file.
• Allow disabling of displaying of probing devices
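The first check in the list above, mass deauthentication detection, comes down to counting deauth frames per sender/target pair inside a time window. This is an added sketch, not the Wireless IDS tool's own code: the frame tuples, MAC addresses, window and threshold are constructed assumptions, and capturing and parsing real 802.11 frames is out of scope.

```python
from collections import defaultdict, deque

DEAUTH = "deauth"

# Constructed, locally administered MAC addresses.
AP = "02:00:00:00:00:01"
CLIENT_A = "02:00:00:00:00:0a"
CLIENT_B = "02:00:00:00:00:0b"

# Constructed capture: (timestamp_seconds, frame_type, src_mac, dst_mac).
SAMPLE_FRAMES = (
    # Ordinary traffic.
    [(float(t), "data", CLIENT_A, AP) for t in range(0, 60, 5)]
    # A client disconnecting normally, twice in a minute.
    + [(1.0, DEAUTH, CLIENT_B, AP), (40.0, DEAUTH, CLIENT_B, AP)]
    # Burst: 30 deauth frames in 3 seconds carrying the AP's address.
    + [(20.0 + i * 0.1, DEAUTH, AP, CLIENT_A) for i in range(30)]
)


def detect_deauth_floods(frames, window=10.0, threshold=20):
    """Return one alert per (src, dst) pair each time the number of deauth
    frames seen within `window` seconds first reaches `threshold`."""
    recent = defaultdict(deque)  # (src, dst) -> timestamps still in the window
    alerting = set()             # pairs already reported for the current burst
    alerts = []
    for ts, ftype, src, dst in sorted(frames):
        if ftype != DEAUTH:
            continue
        key = (src, dst)
        stamps = recent[key]
        stamps.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while stamps and ts - stamps[0] > window:
            stamps.popleft()
        if len(stamps) >= threshold:
            if key not in alerting:
                alerting.add(key)
                alerts.append(
                    {"src": src, "dst": dst, "count": len(stamps), "start": stamps[0]}
                )
        else:
            # Burst is over; a later burst from the same pair alerts again.
            alerting.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_floods(SAMPLE_FRAMES):
        print(alert)
```

The threshold has to sit above what normal roaming and disconnects produce on the monitored network, otherwise every busy access point raises alerts.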
IPS
IDS Logging and Alerting
Take a tool example
IDS Logging and Alerting Standard Protocols while
implementation of IDS System for logging and
alerting
IDS deployment considerations
integrity and availability architecture
Protecting Against Loss of Integrity
• One of the common ways of ensuring integrity is with hashing. In short, a hash is a
number and a hashing algorithm can calculate a hash for a file or string of data. As
long as the data has not changed (and the same hashing algorithm is used), the hash
will always be the same. The two primary hashing algorithms used today are Message
Digest 5 (MD5) and Secure Hashing Algorithm 1 (SHA-1).
• As an example, if you calculate the hash of the phrase “ILoveSecurity” with the MD5
hashing algorithm it will always be E7F8B292F4F5C2F98E5DF1435EB73D1B. However,
if the phrase is slightly modified to “ILiveSecurity” (the “o” is changed to an “i”) the hash
is 2F088A01343CFD65B7BC4EB050503CB7. By comparing the two hashes and seeing
that they are different, you know that the data used to create each of the two
hashes is different.
• One way hashes are used is by detection systems that calculate hashes of key files.
The detection systems later check these files to determine if the hash is the same. If
the hash has been modified, the file has lost integrity and is considered suspect.
Similarly, users can send messages with a digital signature. The hash is calculated
before the message is sent and the hash is sent with the message. The hash is
calculated again when the message is received and compared to the original hash. If
the hashes are different, the message has lost integrity. Even though a digital
signature has a primary goal of providing authentication and non-repudiation, it still
protects against loss of integrity.
Protecting Against Loss of Availability
• Primary methods that organizations use to protect against loss of availability are
fault tolerant systems, redundancies, and backups. Fault tolerance means that a
system can develop a fault, yet tolerate it and continue to operate. This is often
accomplished with redundant systems such as redundant drives or redundant
servers. Backups ensure that important data is backed up and can be restored if
the original data becomes corrupt.
• Fault tolerance and redundancies can be implemented at multiple levels. For
example, RAID-1 is a mirror of two drives; if one drive fails, the other drive still holds
all the data. RAID-5 (striping with parity) uses three or more drives and uses parity to
recreate the data if any drive fails. RAID-10 combines the features of a RAID-1 with
the features of a RAID-0 array.
• You can add redundancies for servers by configuring them in a failover cluster.
Failover clusters include two or more nodes (servers within the cluster) and if any
node fails, other nodes can take over. This happens automatically with very little
impact on end users.
• Alternate sites can be used if a disaster takes down an entire location. A hot site is
up and operational with all the equipment and data needed to take over at a
moment’s notice. A cold site is an empty building with electricity and running water
but needs equipment and data to be moved to the alternate location before it can
be used. Hot sites are very expensive, and cold sites can take a long time to become
operational. A warm site strikes a balance between a cold site and a hot site.
Patching
• Patch management is the process of distributing and applying updates to
software. These patches are often necessary to correct errors (also referred
to as “vulnerabilities” or “bugs”) in the software.

• Patch managers are important for the following key reasons:


• Security: Patch management fixes vulnerabilities on your software and
applications that are susceptible to cyberattacks, helping your organization
reduce its security risk.
• System uptime: Patch management ensures your software and applications
are kept up-to-date and run smoothly, supporting system uptime.
• Compliance: With the continued rise in cyber-attacks, organizations are often
required by regulatory bodies to maintain a certain level of compliance. Patch
management is a necessary piece of adhering to compliance standards.
• Feature improvements: Patch management can go beyond software bug fixes
to also include feature/functionality updates. Patches can be critical to
ensuring that you have the latest and greatest that a product has to offer.
Patch Management Program Benefits
• A more secure environment: When you’re regularly patching vulnerabilities,
you’re helping to manage and reduce the risk that exists in your environment.
This helps protect your organization from potential security breaches.
• Happy customers: If your organization sells a product or service that requires
customers to use your technology, you know how important it is that the
technology actually works. Patch management is the process of fixing
software bugs, which helps keep your systems up and running.
• No unnecessary fines: If your organization is not patching and, therefore, not
meeting compliance standards, you could be hit with some monetary fines
from regulatory bodies. Successful patch management ensures that you are
in compliance.
• Continued product innovation: You can implement patches to update your
technology with improved features and functionality. This can provide your
organization with a way to deploy your latest innovations to your software at
scale.
Standard Patch Management Practices to follow during implementation of patch
management system
• Some best practices to keep in mind when implementing patch management
include:
• Set clear expectations and hold teams accountable: Leveraging
organizational agreements, such as service-level agreements, can keep
teams in check, and ensure that the work of reducing risk is actually being
done.
• Work collaboratively with technical teams to ensure a common
language: Security teams often refer to software errors as a “risk,” whereas
IT/DevOps teams may use the term “patch.” Making sure that everyone is on
the same page and recognizes the importance of patching is key to a
successful patch management process.
• Establish a disaster recovery process: In case your patch management
process does fail and causes issues, it’s always a good idea to have a backup
plan.
backups
• Types of Backup:
1. Full Backup –
A full backup is a backup where every single file (including system and
user files) is written to backup media. A full backup does not check whether a
file has changed since the last backup; it just blindly writes everything to
the backup media.
2. Incremental Backup –
It checks each file's modification time. If the modification time is more recent than the last
backup time, the file is backed up; otherwise it is not. Incremental backup
is also used with a full backup. It is faster than a full backup. A major
disadvantage of incremental backup is that it takes a longer time for
restoration. Incremental backups pose a threat of operator error.
3. Differential Backup –
It contains all files modified since the last full backup, making it possible to
perform a complete restoration with only the last full backup and the last
differential backup.
4. Network Backup –
It backs up a file system from one machine onto a backup device
connected to another machine. It is referred to as a remote or network
backup.
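The difference between incremental and differential backups described above, as an added example (not from the original slides): one function picks the files each backup type would copy, and another works out which backup sets must be read to restore the latest state. The record formats, labels and timestamps are constructed assumptions.

```python
def files_to_back_up(mtimes, kind, last_full, last_backup):
    """Select files for one backup run.

    mtimes      -- {path: modification time}
    kind        -- "full", "incremental" or "differential"
    last_full   -- time of the last full backup
    last_backup -- time of the last backup of any kind
    """
    if kind == "full":
        return sorted(mtimes)  # everything, changed or not
    if kind == "differential":
        cutoff = last_full     # everything changed since the last full
    elif kind == "incremental":
        cutoff = last_backup   # only what changed since the last backup
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    return sorted(path for path, mtime in mtimes.items() if mtime > cutoff)


def restore_chain(history):
    """Return the backup labels needed, in order, to restore the state of
    the most recent backup. `history` is a chronological list of
    (label, kind) tuples."""
    fulls = [i for i, (_label, kind) in enumerate(history) if kind == "full"]
    if not fulls:
        raise ValueError("no full backup in history: nothing to restore from")
    start = fulls[-1]
    chain = [history[start][0]]
    later = history[start + 1:]

    # A differential holds every change since the last full backup, so the
    # newest one replaces all incrementals and differentials before it.
    diffs = [i for i, (_label, kind) in enumerate(later) if kind == "differential"]
    if diffs:
        chain.append(later[diffs[-1]][0])
        later = later[diffs[-1] + 1:]

    # Every remaining incremental is needed, and each must be intact.
    chain.extend(label for label, kind in later if kind == "incremental")
    return chain


# Constructed schedules: full backup on Sunday, then three daily backups.
WEEK_INCREMENTAL = [
    ("sun-full", "full"),
    ("mon", "incremental"),
    ("tue", "incremental"),
    ("wed", "incremental"),
]
WEEK_DIFFERENTIAL = [
    ("sun-full", "full"),
    ("mon", "differential"),
    ("tue", "differential"),
    ("wed", "differential"),
]

# Constructed modification times (day numbers); last full on day 3,
# last backup of any kind on day 7.
MTIMES = {"a.txt": 1, "b.txt": 5, "c.txt": 9}

if __name__ == "__main__":
    print(restore_chain(WEEK_INCREMENTAL))
    print(restore_chain(WEEK_DIFFERENTIAL))
    for kind in ("full", "differential", "incremental"):
        print(kind, files_to_back_up(MTIMES, kind, last_full=3, last_backup=7))
```

The incremental schedule needs four sets to restore where the differential schedule needs two, which is the longer restoration time and the room for operator error that the slide mentions.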

Data is the lifeblood of a business and must be guarded against malicious
intent, whether in an active state on production servers or in a preserved state on
tape.
Backup security measures are as follows:
• Assign accountability, responsibility, and authority –
The storage security function should be included in the company’s security policy. Some companies
create a storage team for taking backups. Even after creating a separate team, the company still
must integrate any storage and backup security measures with those that secure the rest of the
infrastructure. This provides defense-in-depth protection. If data is highly sensitive, then duties
are divided among a number of working members.
• Assess storage risk as it pertains to information security –
Risk assessment is a structured and systematic procedure, which is dependent upon correct
identification of hazards. Managers must examine each step of their backup methodology
looking for security vulnerabilities. It is necessary to perform a risk analysis of the entire backup process.
Many times data is duplicated throughout the environment. It is important to have policies and
procedures that provide a good understanding of where data lives at any point in time.
• Develop an information protection program –
A multilayer data protection system is used for providing security to the storage network.
Authentication, authorization, encryption, and auditing are examples of a multilayer
protection system. Encrypt data as it’s stored to hard disk, preventing even other people
with access to that system from accessing those files.
• Communicate processes around information protection and security –
It’s time to define a process to ensure that sensitive data is properly protected and handled. It
is important to ensure that the people responsible for carrying out security are informed
and trained. Security policies are the most important aspect of assigning accountability,
responsibility, and authority.
System and Network Redundancy
What is Network Redundancy and its Benefits?
• Imagine having a highly reliable business with network availability and
connectivity with the Internet and its various locations. Then suddenly,
unplanned network outages occur that will surely affect the revenue of that
business in a bad way. Network redundancy addresses that kind of
curveball wherein the network is designed to react and restore network
services after serious downtime quickly.
• Network redundancy provides a network strategy and multiple fallback
plans in case a network failure occurs to keep services up and valuable data
flowing through the network. Redundant networks are synonymous with a
reliable network that will greatly benefit the customers.
• Having network redundancy implemented in the network also means that
various network devices and technologies are in place, which means having
redundancy also means having a complex network.
• The more complex the network design, the harder it is to understand, and it
also increases the risk of human errors and bugs in the software that may
cause new modes of failure. That is why it is very important to plan, design,
and implement network redundancy because once it is done, the benefits
outweigh the risks.
• Types of Network Redundancy or Standard Network Practices to follow during
implementation of Network Redundancy System
• Designing a redundant network requires a deep understanding of how to address
various types of challenges that the task requires. Below are several network
infrastructure design considerations that are taken into account to establish
network redundancy systems that act as a failsafe to ensure the continuity of
network services:

• Pathway Redundancy
• This redundancy emphasizes several alternate network paths for the information
within the network. If a link is down, there is an alternative way of reaching the
destination through established alternate routes, which is done by the network
devices, ensuring network availability.

• Power Redundancy
• Most network devices are dependent on electric power for them to function. That is
why having a backup power source in the location of your network devices, be it
a simple equipment room or a high-end data center, is a must. This ensures that
the worst-case scenario of a power outage can be addressed by power backup
systems, like having a generator on-site or a UPS, to ensure network service
continuity.
• Geographic Redundancy
• This redundancy ensures that if the main data center encounters a
severe outage, like a city-wide blackout that lasts longer than the power
backup systems can provide, an alternate data center in a different
location from the affected one can take over to ensure business
continuity.

• Data Redundancy
• Data redundancy is usually present together with at least one of the
redundancy types above because the data is considered one of the
most important assets of a business or organization. That is why
having backup data on a separate backup server or cloud is needed to
ensure that data is readily available despite any untoward downtime.
• Benefits of Network Redundancy
• Putting a network contingency in place enables the business to prevent revenue loss caused by unplanned
outages. Do note that even if the downtimes are unplanned, they can be mitigated with proactive solutions. Here
are several benefits of having extensive backup systems in your entire network:

• Uptime
• 24/7 network availability is an obvious advantage of implementing redundant networks. This is important to
customers who rely upon 24-hour services such as hospitals and banks.

• Security
• IT security generally relies on redundancy to be qualified as effective. Redundant networks allow us to have
state-of-the-art security measures and the backing of successful compliance audits. With redundant networks,
downtime doesn’t leave your information vulnerable as team members work to isolate and resolve security
concerns.

• Latency
• Being able to have multiple paths to access the same location means that it will be less likely that you will
experience slow connections.

• Business Continuity
• The most important benefit of them all is keeping the business running and serving its customers. No matter
what catastrophe occurs, the network should have a disaster recovery and be able to serve its customers,
whether it be a major problem or a simple inconvenience.
Network-role based Security
• What is role-based access security?
• Role-based access security provides a user or device on the network with
the least amount of access to corporate resources to do its job, according
to its defined role.
• Role-based access security is key to adopting Zero Trust network
access. Zero Trust is a security model in which no device, user, or network
segment is inherently trustworthy and thus should be treated as a potential
threat.
• Why adopt role-based access security?
• New business models, such as hybrid work, are driving the need for
efficiency. At the same time, the proliferation of IoT (or unintelligent)
devices in the enterprise network is causing increased vulnerabilities. To
address the security requirements of decentralized, IoT-driven networks,
IT teams need solutions that enable more visibility, control, and
enforcement than legacy approaches, such as perimeter-based security,
typically offer.
• Role-based policies simplify the adoption of Zero Trust and SASE security
frameworks. Policy definitions can be carried across both wired and
wireless networks irrespective of geographic location or point of
connectivity to the network. Appropriate policies can follow users and
devices consistently as they travel throughout the enterprise, from campus
to branch to home office.
• What are role-based policies?
• Role-based policies are a newer way to define security policies.
Traditionally, location-/network-specific constructs such as IP addresses or
subnets defined security policies, but this can lead to complexity and
inflexibility in the network due to the lack of client mobility brought about
by these segmentation requirements. IT teams also miss the opportunity
for automation as they have to pre-provision the network based on these
VLANs and subnet constructs.
• Role-based policies allow access policy to be abstracted from the
underlying network infrastructure by assigning identity-based roles to
endpoints and users. These identities are derived either by authentication
via identity stores such as Active Directory, or by profiling how these
endpoints behave with Client Insights.
• How does role-based access security work?
• Role-based access security starts with roles. A role is a logical grouping of
clients with common permissions that include application access rights and
inter-user or device communication. Roles are built on the Zero Trust
Enforcement Model, where users and devices are denied access to other
devices and applications by default unless explicitly given permissions. Role-
based policies enable businesses to translate security intent to network
designs, abstracting the underlying complexities of the network. Those
policies are then enforced throughout the network, by either allowing or
blocking access.
• Is role-based access security the same as micro-segmentation?
• Micro-segmentation refers to limiting network access according to Zero Trust
security principles. Micro-segmentation is similar to role-based access
security in that entities are untrusted by default and least access is granted
according to an entity’s function. However, micro-segmentation commonly
relates to limiting network access for workloads in a data center. Role-based
access security — which relates to users and devices frequently found in
campuses and branches — complements micro-segmentation in non-data
center enterprise networks.
proxy servers
• A proxy server is a system or router that provides a gateway between users
and the internet. Therefore, it helps prevent cyber attackers from entering a
private network. It is a server, referred to as an “intermediary” because it goes
between end-users and the web pages they visit online.
• When a computer connects to the internet, it uses an IP address. This is similar
to your home’s street address, telling incoming data where to go and marking
outgoing data with a return address for other devices to authenticate. A proxy
server is essentially a computer on the internet that has an IP address of its
own.
• Proxy Servers and Network Security
• Proxies provide a valuable layer of security for your computer. They can be set up as
web filters or firewalls, protecting your computer from internet threats like malware.
• This extra security is also valuable when coupled with a secure web gateway or
other email security products. This way, you can filter traffic according to its level of
safety or how much traffic your network—or individual computers—can handle.
• How to use a proxy? Some people use proxies for personal purposes, such as hiding
their location while watching movies online, for example. For a company, however,
they can be used to accomplish several key tasks such as:
1.Improve security
2.Secure employees’ internet activity from people trying to snoop on them
3.Balance internet traffic to prevent crashes
4.Control the websites employees and staff access in the office
5.Save bandwidth by caching files or compressing incoming traffic
• Proxies come with several benefits that can give your business an advantage:
1.Enhanced security: Can act like a firewall between your systems and the internet.
Without them, hackers have easy access to your IP address, which they can use to
infiltrate your computer or network.
2.Private browsing, watching, listening, and shopping: Use different proxies to
help you avoid getting inundated with unwanted ads or the collection of IP-
specific data. With a proxy, site browsing is well-protected and impossible to
track.
3.Access to location-specific content: You can designate a proxy server with an
address associated with another country. You can, in effect, make it look like you
are in that country and gain full access to all the content computers in that
country are allowed to interact with. For example, the technology can allow you
to open location-restricted websites by using local IP addresses of the location
you want to appear to be in.
4.Prevent employees from browsing inappropriate or distracting sites: You can
use it to block access to websites that run contrary to your organization’s
principles. Also, you can block sites that typically end up distracting employees
from important tasks. Some organizations block social media sites like Facebook
and others to remove time-wasting temptations.
Credit card security
• Credit card encryption is a security measure intended to reduce the likelihood
of credit card information being stolen.
• Encryption makes it extremely difficult to access that information without the
corresponding encryption key.
• The small, square microchips on many credit cards today, known as EMV
chips, make use of encryption technology.
• EMV chips have proven to be more secure than the older magnetic stripe
technology, although many cards today still carry both.
• How Credit Card Encryption Works
• When a credit card holder uses an encrypted card to make a purchase, their account number and
other important information is scrambled by an algorithm. The intent is to make it impossible for
anyone to obtain that information without the corresponding encryption key.
• Card issuers can use a variety of methods to encrypt their cards. The most prominent system in
use today involves a small, square microchip known as an EMV chip embedded in the physical
credit card. While today's credit cards often have both chips on their front side and magnetic
stripes on the back (giving the cardholder the option to dip, slide, or tap their card at a credit card
terminal), the older stripe technology is more vulnerable to theft, through a process known
as skimming.
• In skimming, thieves would often insert devices known as skimmers on ATMs and gas station
pumps, which could read the information on the stripe and either store it for later retrieval or
transmit it wirelessly to the criminals. They could then use it to create duplicate cards and charge
purchases to the unsuspecting cardholder's account. According to the FBI, skimming cost financial
institutions and consumers $1 billion a year.
• While not invulnerable to skimming, or a related technique known as shimming, chip technology
makes it far more difficult. EMV chips (EMV stands for Europay, Mastercard, and Visa, three
companies behind its launch) were in wide use in Europe by the early 2000s but proved slower to
catch on in the United States. According to EMVCo, the industry organization that oversees the
technology, "At the end of 2021, 12 billion EMV chip cards were in global circulation."
• How Effective Is Credit Card Encryption?
• Because of encryption, today's credit cards are much less vulnerable to fraud
than those of years past.
• However, while chip technology has been relatively effective in thwarting
skimming, it has still left cards vulnerable to theft by other means, such as in
online transactions where the customer simply supplies their number and the
chip is not involved, sometimes referred to as a "card-not-present" transaction.
• For such transactions, online merchants will often request the card's CVV (for
card verification value) or CID (for card identification) code, a separate three- or
four-digit number on the front or back of the card (and also encoded in the
chip). That provides some additional security because thieves who have
obtained the card number but not the physical card will be unable to supply it if
they're asked to.
Standard Protocols for implementation of
Credit Card Security
1. PCI DSS Compliance
• Any company that processes credit or debit card purchases must comply
with the international rules and regulations stated in the Payment Card
Industry Data Security Standard (PCI DSS). The main role of the PCI
DSS is to provide businesses with a standardized approach to rigorous,
secure transaction processes while retaining a smooth customer
experience.
2. SSL and TLS protocols
• Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols encrypt the
online connection between the browser and the server, creating end-to-end protection for sensitive
information. These security measures ensure the secure transmission of customer data collected by
a payment gateway.

3. 3D Secure
• 3D Secure (3-domain structure) or payer authentication, is a security feature that addresses issues of
fraud in online debit or credit card transactions. Customers are required to complete an extra step of
verification with their card issuer at checkout, engaging all three domains of payer authentication:
• The merchant/acquirer domain
• The issuer domain
• The interoperability domain
• The most recent iteration, 3D Secure 2, allows for different methods of verification other than a
password, including:
• 2FA (2 factor authentication): Using two different authentication factors, such as a username
and password combination and a phone.
• Biometric identification: fingerprint, face, or voice recognition.
• Risk-based authentication: a flexible approach to authentication, requiring different protocols
based on the customer’s risk profile.
4. Tokenization
• Tokenization secures customer payment details by replacing sensitive
data with a string of randomly generated numbers, referred to as a ‘token.’
The PCI DSS promotes the adoption of payment tokenization with good
reason.
• Tokens provide one-to-one replacements for primary account numbers kept
outside the merchant’s server. The merchant does not need to be
responsible for storing sensitive information, protecting the merchant and
customer against fraudulent activity.
• This extra layer of protection renders confidential information meaningless
and useless in a breach. If a hacker were to gain access to the tokens, their
efforts would be wasted because they would have no way to decrypt them.
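The token property described above, as an added example (not from the original slides): a token is a random stand-in looked up in a vault, not an encryption of the card number, so the token itself contains nothing to decrypt. The `TokenVault` class, the `checkout` helper and the merchant record layout are constructed; the card number is the widely published Visa test number, and a production vault would be a separately secured service.

```python
import secrets

# Widely published test card number, used here as constructed sample input.
TEST_PAN = "4111111111111111"


class TokenVault:
    """Constructed stand-in for a payment provider's token vault.
    It lives outside the merchant's systems and is the only place where
    a token can be mapped back to a primary account number (PAN)."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("expected a 13-19 digit card number")
        # One-to-one replacement: the same PAN always maps to the same token.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Random digits of the same length; no key and no relationship
            # to the PAN, so there is nothing to reverse.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        """Only the vault can do this; raises KeyError for unknown tokens."""
        return self._pan_by_token[token]


def checkout(vault, merchant_db, order_id, pan, amount_cents):
    """Merchant side: the PAN is handed to the vault and only the token
    is written to the merchant's own records."""
    merchant_db[order_id] = {
        "card_token": vault.tokenize(pan),
        "amount_cents": amount_cents,
    }
    return merchant_db[order_id]


def records_contain(merchant_db, value):
    """What a dump of the merchant database would reveal."""
    return any(
        value in str(field)
        for record in merchant_db.values()
        for field in record.values()
    )


if __name__ == "__main__":
    vault, merchant_db = TokenVault(), {}
    checkout(vault, merchant_db, "order-1", TEST_PAN, 1999)
    checkout(vault, merchant_db, "order-2", TEST_PAN, 500)
    print(merchant_db)
    print("PAN present in merchant records:", records_contain(merchant_db, TEST_PAN))
```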
