COMPUTER SECURITY
NETWORK SECURITY
INTRODUCTION
Protecting the confidentiality of corporate information, preventing unauthorized access and defending the
network against attacks remain primary concerns of network security professionals today.
What has changed are the precise areas of vulnerability that challenge today's networks: the different
levels of trusted users, the sophistication and volume of attacks, and the ease with which attacks
can be launched.
Security professionals and analysts agree that their troubles have only just begun.
Attacks that are increasing in number and sophistication are placing networks in an extremely vulnerable
position that will continue to be a challenge made worse by several key trends.
A common way to understand the fundamentals of network and application security is to examine the Open Systems
Interconnection (OSI) model.
The model has seven layers: the physical layer, the data link layer, the network layer, the transport
layer, the session layer, the presentation layer and the application layer. Security cannot be
achieved unless every layer is protected; a weakness at one layer undermines the controls at the layers above it.
We will also include some practical AppSec tips for each OSI layer.
Figure 1: OSI Model
Implementing Security within the OSI Model
The first three layers of the OSI model are media layers.
1) Physical Layer
This layer defines the technical (electrical, optical and mechanical) specifications of the data connection and
is responsible for the physical transmission of bits between the various end stations.
Simple actions such as unplugging a power cord or disconnecting a network cable cause an immediate
denial of service, and physical access to a cable or port also allows the traffic on it to be tapped.
Security here is therefore crucial.
Security Measure – Safeguarding this layer means physical access control: biometric or badge
authentication, CCTV, intrusion detection and prevention for the premises, security guards, good locks and the police.
PROTOCOLS
Bluetooth
Wi-Fi
DEVICES
NIC
Repeater
Modem
Transceiver
Hub
2) Data Link Layer
Often ignored by security professionals, this layer takes the packets handed down by the network layer,
frames them and delivers them between directly connected stations over the physical layer, using hardware (MAC) addresses.
Malfunctions and faults in this layer impede the functionality of the network layer (the
third layer in the hierarchy).
Vulnerabilities in this layer include MAC address spoofing, ARP poisoning (forging ARP replies so that
traffic meant for the gateway is delivered to the attacker's MAC address instead) and VLAN hopping.
Security Measure – Common controls for this layer are MAC address filtering (weak on its own, since a
MAC address is trivially changed), 802.1X port authentication on switches and access points, switch
features such as DHCP snooping and dynamic ARP inspection that discard forged ARP replies, and thorough
evaluation of wireless deployments to ensure they use built-in encryption and authentication (WPA2 or
WPA3 rather than open or WEP networks).
PROTOCOLS
ARP
PPP
Ethernet
Wi-Fi
Frame Relay
DEVICES
Switch
Access point
Bridge
NIC
3) Network Layer
This layer, the third and last of the media layers, is concerned with logical
addressing, routing and control of traffic between networks.
IP address spoofing, in which inbound malicious packets claim a source address
from inside the network (or any address the attacker does not own), remains a
real threat, both for evading address-based access control and as the basis of
reflection and amplification DoS attacks.
Security Measure – Controls at this layer are mostly filtering: anti-spoofing
(ingress and egress) filters that drop packets whose source address could not
legitimately arrive on that interface, route filters that reject bogus prefixes
from peers, and properly configured firewalls.
DEVICES
Router
Layer 3 switch
PROTOCOLS
IP
ICMP (ping, traceroute)
ARP, RARP
IGMP
Routing protocols, e.g. RIP, OSPF, BGP, IGRP, IS-IS
ATTACKS
IP address spoofing
MAC address spoofing (strictly a data-link-layer attack)
Traceroute: used by an attacker to map the network's topology (reconnaissance)
DoS attacks
- ICMP floods (ping flooding)
- Ping of death (oversized, fragmented ICMP echo requests that crash a vulnerable IP stack on reassembly)
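Two of the network-layer controls and attacks above can be shown concretely: the anti-spoofing filter a border router applies in each direction, and the fragment sanity check that defeats a ping of death (and overlapping-fragment attacks) before reassembly. This is an added example, not code from the original notes; the internal prefixes and the fragment lists are constructed, and the check assumes all fragments of one datagram have already been collected.

```python
# Two network-layer checks a border router or firewall applies. Added example;
# addresses and fragment lists are constructed. Assumes the organisation's own
# prefixes are the two listed in INTERNAL_NETS.
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

IPV4_MAX_TOTAL = 65535   # maximum total length of an IPv4 datagram, header included
IPV4_HEADER = 20         # minimum header; data may therefore be at most 65515 bytes


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def spoof_filter(direction, src):
    """Ingress/egress anti-spoofing (the BCP 38 idea).

    direction "in":  packet arriving from the Internet; an internal source
                     address there is spoofed and is dropped.
    direction "out": packet leaving the network; a source that is not ours
                     means a host inside is spoofing (e.g. reflection attacks).
    Returns ("accept", "") or ("drop", reason).
    """
    internal = is_internal(src)
    if direction == "in" and internal:
        return ("drop", f"{src} is an internal address arriving from outside")
    if direction == "out" and not internal:
        return ("drop", f"{src} is not one of our prefixes; inside host is spoofing")
    return ("accept", "")


def reassembly_check(fragments):
    """Validate the complete fragment set of one datagram before reassembly.

    fragments: list of (offset_in_8_byte_units, more_fragments, payload_len),
    in any order. Detects the ping-of-death condition (reassembled size above
    65535 bytes) and overlapping fragments (teardrop-style), both of which
    crashed early IP stacks. Returns ("ok", data_len) or ("drop", reason).
    """
    covered_end = 0          # bytes of data covered so far, in offset order
    last_seen = False
    for off, more, length in sorted(fragments):
        start, end = off * 8, off * 8 + length
        if end + IPV4_HEADER > IPV4_MAX_TOTAL:
            return ("drop", f"fragment ends at {end}: reassembled datagram would exceed {IPV4_MAX_TOTAL}")
        if start < covered_end:
            return ("drop", f"fragment at {start} overlaps data already covered up to {covered_end}")
        if start > covered_end:
            return ("drop", f"gap before offset {start}; datagram incomplete")
        if more and length % 8:
            return ("drop", "non-final fragment length is not a multiple of 8")
        covered_end = end
        last_seen = not more
    if not last_seen:
        return ("drop", "final fragment missing")
    return ("ok", covered_end)


# Constructed fragment sets: (offset units, more-fragments flag, payload bytes)
NORMAL_PING = [(0, True, 1480), (185, True, 1480), (370, False, 100)]
PING_OF_DEATH = [(i * 185, True, 1480) for i in range(44)] + [(44 * 185, False, 1480)]
OVERLAPPING = [(0, True, 1480), (100, False, 1480)]
```

The ping-of-death set is legal fragment by fragment; only the final fragment pushes the reassembled size past 65535 bytes, which is exactly why the check has to be made on the reassembled length rather than on each packet.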
The next four layers are host layers.
4) Transport Layer – The first of the host layers, the transport layer carries variable-length data
sequences between processes on the end hosts, identified by port numbers.
A reliable transport protocol such as TCP provides segmentation and reassembly along with flow and
error control; UDP provides none of these and is correspondingly cheaper for an attacker to abuse.
The Transmission Control Protocol (TCP) is the most commonly used one.
Security Measure – Proper firewall implementation, limiting which transport protocols and port
numbers (TCP/UDP) are reachable, is paramount to transport layer security.
A "UDP flood" is a type of Denial of Service (DoS) attack in which the attacker overwhelms random
ports on the targeted host with IP packets containing UDP datagrams. For each datagram the receiving
host checks for an application listening on that port and, finding none, sends back an ICMP
"Destination Unreachable" message, so both the lookups and the replies consume the victim's resources.
PROTOCOLS
TCP
UDP
DEVICES
Router
Layer 3 switch
Stateful firewall
ATTACKS
UDP flooding
SYN flooding, a DoS attack against the TCP three-way handshake:
- the attacker sends SYN, usually from spoofed source addresses
- the server replies SYN/ACK and holds a half-open connection in its backlog
- the final ACK never arrives, so the backlog fills and legitimate connections are refused (SYN cookies are the usual mitigation)
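Both floods above have a simple signature in flow data: half-open connections to one port piling up within a short window, and one source sweeping many UDP ports on one host. The detector below, an added example rather than code from the original notes, runs over constructed packet tuples of the kind a firewall or NetFlow exporter would provide; the thresholds are assumptions to be tuned per network.

```python
# Flood detector run over constructed flow records (the kind of tuple a
# firewall or NetFlow/IPFIX exporter gives you). Added example; the traffic
# generator below fabricates packets and is not a capture from any network.
from collections import defaultdict

# Each packet: (t_seconds, proto, src, sport, dst, dport, tcp_flags)
# tcp_flags uses "S" for SYN, "SA" for SYN/ACK, "A" for ACK, "" for UDP.


def detect_floods(packets, window=1.0, syn_threshold=50, udp_threshold=20):
    """Return a set of alert strings.

    SYN flood: more than `syn_threshold` half-open connections (SYN seen, no
    ACK from the client) to one destination port within `window` seconds.
    UDP flood: one source hitting more than `udp_threshold` distinct UDP ports
    on one host within `window` seconds, the pattern that makes the victim
    answer each datagram with an ICMP Destination Unreachable.
    """
    half_open = {}                     # (src,sport,dst,dport) -> time of SYN
    udp_hits = defaultdict(list)       # (src,dst) -> [(t, dport), ...]
    alerts = set()
    for t, proto, src, sport, dst, dport, flags in packets:
        if proto == "tcp":
            key = (src, sport, dst, dport)
            if flags == "S":
                half_open[key] = t
            elif flags == "A":
                half_open.pop(key, None)       # handshake completed
            recent = sum(1 for (s, sp, d, dp), ts in half_open.items()
                         if d == dst and dp == dport and t - ts <= window)
            if recent > syn_threshold:
                alerts.add(f"syn_flood:{dst}:{dport}")
        elif proto == "udp":
            hits = [(ts, p) for ts, p in udp_hits[(src, dst)] if t - ts <= window]
            hits.append((t, dport))
            udp_hits[(src, dst)] = hits
            if len({p for _, p in hits}) > udp_threshold:
                alerts.add(f"udp_flood:{src}->{dst}")
    return alerts


def normal_traffic():
    # constructed: one complete handshake plus a DNS query
    return [
        (0.00, "tcp", "10.0.1.5", 51000, "10.0.0.5", 80, "S"),
        (0.01, "tcp", "10.0.0.5", 80, "10.0.1.5", 51000, "SA"),
        (0.02, "tcp", "10.0.1.5", 51000, "10.0.0.5", 80, "A"),
        (0.10, "udp", "10.0.1.5", 40000, "10.0.0.53", 53, ""),
    ]


def attack_traffic():
    pkts = normal_traffic()
    # SYN flood: 80 SYNs from spoofed sources in 0.4 s, never acknowledged
    for i in range(80):
        pkts.append((0.2 + i * 0.005, "tcp", f"198.51.100.{i % 250 + 1}", 1024 + i,
                     "10.0.0.5", 80, "S"))
    # UDP flood: one source sweeping 30 ports on the same host in 0.3 s
    for i in range(30):
        pkts.append((0.6 + i * 0.01, "udp", "203.0.113.7", 53000, "10.0.0.5", 1000 + i, ""))
    return sorted(pkts)
```

A stateful firewall keeps the same half-open table for a different purpose (admitting only the SYN/ACK and ACK that belong to a SYN it saw), which is why it is listed among the transport-layer devices above.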
5) Session Layer
The session layer basically controls the inter-machine (computer) communication.
It handles the interaction between the local and remote application – establishing,
managing and terminating the connection as per the need.
But weak authentication mechanisms and being vulnerable to brute-force attacks are weak
points.
Protocols include NetBIOS, PAP, ASP, L2F and L2TP.
Security Measure – The best way to secure the session layer is to ensure encrypted
password exchange and storage, along with the limitation of failed session attempts via
timing mechanisms.
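The two server-side halves of that measure, salted password hashing and throttling of failed attempts, are shown together below. This is an added example, not code from the original notes: the clock is passed in explicitly so the lockout can be exercised without sleeping, the iteration count is an assumed tuning value, and the user and password are constructed.

```python
# Session-layer login handling: passwords stored as salted PBKDF2 hashes (not
# reversible encryption) and failed attempts throttled with an exponential
# lockout. Added example with an explicit clock argument so it can be exercised
# without sleeping; the user and password used with it are constructed.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumed tuning; raise it (or use Argon2) in production


class Authenticator:
    def __init__(self, max_failures=5, base_lockout=2.0):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.users = {}      # username -> (salt, pbkdf2 hash)
        self.failures = {}   # username -> (consecutive failures, locked_until)
        self._dummy = (os.urandom(16), bytes(32))   # used for unknown usernames

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)            # per-user salt defeats precomputed tables
        self.users[username] = (salt, self._hash(password, salt))

    def login(self, username, password, now):
        """Return "ok", "bad" or "locked". `now` is a monotonic timestamp in seconds."""
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"                 # do not even evaluate the password
        salt, stored = self.users.get(username, self._dummy)
        candidate = self._hash(password, salt)
        # constant-time compare; hashing happens for unknown users too so the
        # response time does not reveal which usernames exist
        if username in self.users and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)
            return "ok"
        count += 1
        if count >= self.max_failures:
            # lockout doubles with every further failure: 2 s, 4 s, 8 s, ...
            locked_until = now + self.base_lockout * 2 ** (count - self.max_failures)
        self.failures[username] = (count, locked_until)
        return "bad"
```

Note that a successful login clears the counter, and that a locked account rejects even the correct password until the lockout expires; a per-source-address limit would normally sit in front of this to stop an attacker from locking out legitimate users on purpose.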
6) Presentation Layer
As the name suggests, the presentation layer is responsible for the organization of data
transferred from the application layer onto the network.
The layer standardizes data to and from the various local formats using various conversion
schemes. Unfortunately, poor handling of malicious input can lead to exploits and/or crashes.
Security Measure – The most effective way to secure this layer is to separate user input from
the program control functions
7) Application Layer
The application layer, which accommodates the user interface and other key functions, is the
OSI layer closest to the end user.
This layer presents the attacker with the widest attack surface.
When exploited, the entire application can be manipulated, user data can be stolen or, in
some cases, the service can be shut down completely (Denial of Service).
Poor code quality and design flaws cause a wide range of problems, from
performance and stability issues (bugs) to application-layer vulnerabilities that attackers exploit.
Traditional perimeter controls, notably the Web Application Firewall (WAF), are not
effective as stand-alone solutions because of their inherent limitations: a WAF is a compensating
control that filters known-bad patterns, not a substitute for secure coding, input validation and
regular security testing of the application itself.
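The presentation-layer rule above (keep input separate from program control) and the application-layer point that code flaws, not perimeter filters, decide whether an application is exploitable come together in the most common web vulnerability, SQL injection. The following is an added example, not code from the original notes: the same lookup written once with input pasted into the query text and once with the input bound as a parameter, over a constructed in-memory SQLite table.

```python
# Input kept out of the control channel: the same lookup written two ways.
# Added example using Python's built-in sqlite3; the table and rows are
# constructed. lookup_vulnerable is deliberately injectable to show the contrast.
import sqlite3

ATTACK_INPUT = "nobody' OR '1'='1"   # classic tautology payload


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, api_key TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "key-alice-1"), ("bob", "key-bob-2")])
    return conn


def lookup_vulnerable(conn, username):
    # User input is pasted into the SQL text, so it can rewrite the query's logic:
    # the payload turns WHERE username = 'nobody' OR '1'='1' into "match every row".
    sql = f"SELECT api_key FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, username):
    # The query text is fixed; the input travels separately as a bound parameter
    # and is only ever compared as data, never parsed as SQL.
    sql = "SELECT api_key FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))
```

A WAF might catch the literal `' OR '1'='1` string, but there are endless encodings of the same idea; the parameterized version needs none of that because the database never parses the input at all.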
OTHER PROTECTION MECHANISMS ON NETWORKS
What is a Network Perimeter?
A network perimeter is the boundary between the internal network and the
Internet.
It is the edge of what a company has control over.
In effect, it is like a virtual wall that allows or blocks specific traffic
based on rules and policies.
Network Perimeter includes the following:
Firewalls: A firewall can be hardware, software, or both.
It serves as the first line of defence in network security: it monitors
inbound and outbound network traffic and decides whether to block or allow
it based on security policies.
Some types of firewalls include:
Proxy firewall
Stateful Inspection Firewall
Unified Threat Management Firewall
Virtual Firewall
Border Routers: A router deployed at the edge to direct traffic within, into and out of the
organization's network.
Through filtering (access control lists), it often serves as the network's first and last line of defence.
Intrusion Detection System: The IDS detects and reports malicious events or policy
violations. An IDS can be host-based or network-based depending on where it is deployed.
i) Host-Based IDS: Designed for a specific endpoint and protects it against internal and external
threats. A host-based IDS is limited to its host machine, but it has deep visibility into the traffic
to and from that machine and into what happens on it.
ii) Network-Based IDS: Designed for monitoring an entire network.
It provides wider visibility into the traffic flowing through the network and can uncover a
broader range of threats. However, it does not have deep visibility into the endpoints it
protects, and it cannot inspect the contents of encrypted traffic.
Intrusion Prevention System: An IPS is deployed inline so that, unlike an IDS that
only alerts, it can block or drop malicious traffic as it is detected.
The system monitors the network continuously, scans for possible risks, gathers
more information and applies the appropriate preventative action.
It can also be used to identify violations of rules and policies. Because it sits in
the traffic path, a false positive blocks legitimate traffic, so its signatures need careful tuning.
De-Militarized Zones: The purpose of a DMZ is to enable access to
resources from the untrusted network while keeping the systems on the
internal private network secure.
Resources commonly placed within the DMZ are mail servers,
FTP servers, web servers and VoIP servers.
Importance of Network Perimeter
In today's business environment we rely heavily on our devices to stay connected, and our
dependence on network security has increased with the growing number of cyberattacks.
However, as businesses expand, so do their locations and the number of devices, many
of which are used outside the network perimeter; this presents a problem for security.
Since most people can now work from anywhere, data is shared and collected on a
massive scale and the security team's capacity to monitor all of it can be overwhelmed.
The concept of a network perimeter lets your organization think strategically about
how to protect critical internal data from external threats.
So, how can you secure your network perimeter?
Figure 1: Implementation for network perimeter
1) Creating a Secure Network Perimeter
The security of your network perimeter is an important defence for safeguarding important data.
Multiple layers of security are important because threats and other potential risks evolve.
Here are some best practices:
Strengthen device configurations and update software
The first line of defence is a solid foundation or wall that prevents attackers from
penetrating the system.
This typically includes network security devices such as firewalls and routers that serve as the
guards of your system.
Every piece of software, every device and every operating system you use to protect your network
should be kept up to date and properly configured.
One frequent problem among organizations is complacency about the layers of security
they already have; one misstep, such as an unpatched or default-configured edge device, can
give a cybercriminal entry to the system.
3) Segmenting the DMZ
Firewall rules should be tightened so that only traffic to the necessary services within the DMZ
is allowed, and the DMZ itself should be managed by the security team.
One rule is to allow only specific source IP addresses to reach specific servers, and to place
proxies or jump hosts within the network from which administrators are allowed access.
Also, consider segmenting systems within the DMZ from each other to limit the effect if one
system is breached: a compromised web server should not be able to reach the mail server next to it.
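The DMZ policy just described, evaluated as an ordered rule set with a default deny, is shown below as an added example that is not part of the original notes. The zones, hosts and services are constructed, and zone membership is derived from the address alone, so it assumes the border router's anti-spoofing filters have already run (otherwise a packet from the Internet with a 10.x source would be classified as internal).

```python
# Zone-based firewall policy for a DMZ, evaluated first-match with a default
# deny. Added example; addresses, zones and services are constructed, and
# zone membership is derived from the address alone, so it assumes
# anti-spoofing filters at the border have already run.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ZONES = {
    "internet": ["0.0.0.0/0"],
    "dmz":      ["192.0.2.0/24"],
    "internal": ["10.0.0.0/8"],
}
_ZONE_NETS = [(ipaddress.ip_network(n), z) for z, nets in ZONES.items() for n in nets]


def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, z) for net, z in _ZONE_NETS if ip in net]
    return max(matches)[1]          # longest prefix wins ("internet" is the catch-all)


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    src_nets: Optional[list] = None   # restrict to specific sources inside src_zone
    dst_nets: Optional[list] = None   # restrict to specific hosts inside dst_zone

    def matches(self, src, dst, proto, dport):
        if (zone_of(src), zone_of(dst), proto, dport) != (self.src_zone, self.dst_zone, self.proto, self.dport):
            return False
        ok_src = self.src_nets is None or any(ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in self.src_nets)
        ok_dst = self.dst_nets is None or any(ipaddress.ip_address(dst) in ipaddress.ip_network(n) for n in self.dst_nets)
        return ok_src and ok_dst


# Constructed hosts: public web server, mail relay, internal database, admin jump-host subnet
WEB, MAIL, DB, JUMP = "192.0.2.10", "192.0.2.25", "10.0.5.20", "10.0.9.0/24"
RULES = [
    Rule("internet", "dmz", "tcp", 443, dst_nets=[WEB]),                   # public web
    Rule("internet", "dmz", "tcp", 25,  dst_nets=[MAIL]),                  # inbound mail
    Rule("internal", "dmz", "tcp", 22,  src_nets=[JUMP]),                  # admins via jump hosts only
    Rule("dmz", "internal", "tcp", 5432, src_nets=[WEB], dst_nets=[DB]),   # web app -> its DB only
]


def evaluate(src, dst, proto, dport, rules=RULES):
    """Return "allow" for the first matching rule, else "deny"."""
    for r in rules:
        if r.matches(src, dst, proto, dport):
            return "allow"
    return "deny"          # everything else, including DMZ-to-DMZ lateral movement
```

There is deliberately no rule from "dmz" to "dmz": segmentation inside the DMZ falls out of the default deny, so a foothold on the web server cannot be used to reach the mail relay, and the only path into the internal network is one port on one database host.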
The first step to protect your data is to secure your network perimeter effectively.
A multi-level defence system is strongly recommended to reduce cyberattacks on your
internal network.
If you want to check the efficiency and improve your network perimeter’s security,
4) Data Backup and Recovery
Backup and recovery describes the process of creating and storing copies of data that can be used
to protect organizations against data loss.
This is sometimes referred to as operational recovery.
A proper backup copy is stored in a separate system or medium, such as tape, from the primary
data to protect against the possibility of data loss due to primary hardware or software failure.
Why backup and recovery is important
The purpose of the backup is to create a copy of data that can be recovered in the event of a
primary data failure.
Primary data failures can be the result of hardware or software failure, data corruption, or a human-
caused event, such as a malicious attack (virus or malware), or accidental deletion of data.
Backup copies allow data to be restored from an earlier point in time to help the business recover
from an unplanned event
Storing the copy of the data on a separate medium is critical to protect against primary data loss
or corruption.
This additional medium can be as simple as an external drive or USB stick, or something more
substantial, such as a disk storage system, cloud storage container, or tape drive.
The alternate medium can be in the same location as the primary data or at a remote location.
The possibility of weather-related events may justify having copies of data at remote locations.
For best results, backup copies are made on a consistent, regular basis to minimize the
amount of data lost between backups.
The more time passes between backup copies, the more potential for data loss when
recovering from a backup.
Retaining multiple copies of data provides the insurance and flexibility to restore to a point in
time not affected by data corruption or malicious attacks.
Because ransomware deliberately seeks out and encrypts or deletes any backup it can reach, at least
one copy should be offline or immutable, and restores should be tested regularly: a backup that has
never been restored is not yet known to work.
Recovery from a backup typically involves restoring the data to the
original location, or to an alternate location where it can be used in
place of the lost or damaged data.
Note that the following tools recover deleted or lost files directly from a disk or image; they are
a last resort when no backup exists, not a substitute for one:
i) Recuva
ii) EaseUs
iii) M3
iv) RecoverMyFiles
v) Disk Drill
vi) Disk Internals Uneraser
vii) R - Studio
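The backup process above is only complete once the copy has been verified and a restore has been exercised. The following added example (not code from the original notes) backs up a directory tree, records a SHA-256 manifest of every file, restores to an alternate location and checks each file against the manifest; the sample files are constructed in a temporary directory, and the optional one-byte corruption simulates media failure or tampering in the backup copy.

```python
# Backup with an integrity manifest and a restore test. Added example; the
# files it backs up are constructed in a temporary directory.
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src_dir, backup_dir):
    """Copy src_dir into backup_dir and record a hash of every file copied."""
    shutil.copytree(src_dir, backup_dir)
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, backup_dir)] = sha256_of(full)
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:   # written after the walk
        json.dump(manifest, f, indent=1)
    return manifest


def restore_and_verify(backup_dir, restore_dir):
    """Restore to an alternate location and check every file against the manifest.
    Returns (all_ok, [relative paths that are missing or corrupted])."""
    shutil.copytree(backup_dir, restore_dir)
    with open(os.path.join(restore_dir, MANIFEST)) as f:
        manifest = json.load(f)
    bad = []
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(restore_dir, rel)
        if not os.path.exists(path) or sha256_of(path) != digest:
            bad.append(rel)
    return (not bad, bad)


def demo(corrupt_backup=False):
    """Create sample data, back it up, optionally flip a byte in the backup copy
    (simulating media failure or tampering), then run the restore test."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "notes"))
        with open(os.path.join(src, "notes", "report.txt"), "w") as f:
            f.write("quarterly report (constructed sample)\n")
        with open(os.path.join(src, "config.ini"), "w") as f:
            f.write("[db]\nhost=10.0.5.20\n")
        bdir = os.path.join(work, "backup")
        backup(src, bdir)
        if corrupt_backup:
            with open(os.path.join(bdir, "notes", "report.txt"), "r+b") as f:
                f.seek(0)
                f.write(b"Q")              # silently changes one byte
        return restore_and_verify(bdir, os.path.join(work, "restore"))
```

The manifest lives with the backup here for simplicity; storing a second copy of it elsewhere means an attacker who can alter the backup cannot also alter the record of what it should contain.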
5) USE OF VIRTUAL PRIVATE NETWORKS
VPN stands for Virtual Private Network and describes the ability to establish a
protected network connection when using public networks.
A VPN encrypts your internet traffic and disguises your online identity.
This makes it more difficult for third parties to track your activities online and steal data.
The encryption takes place in real time.
How does a VPN work?
A VPN hides your IP address by routing your traffic through an encrypted tunnel to a specially
configured remote server run by the VPN host.
This means that if you surf online with a VPN, the VPN server becomes the apparent source of your data.
Your Internet Service Provider (ISP) and other third parties on the path cannot see which
websites you visit or what data you send and receive; the VPN provider, however, can, so a VPN
moves trust rather than removing it.
A VPN works like a filter that turns all your data into "gibberish" (ciphertext) between you and the
VPN server. Even if someone on that path were to get their hands on your data, it would be useless to them.
Benefits of a VPN
A VPN connection disguises your data traffic online and protects it from external access.
Unencrypted data can be viewed by anyone who has access to the network it crosses.
With a VPN, hackers and cyber criminals on that network cannot decipher this data.
Benefits include the following:
Secure encryption
- Hiding your IP address (the original packet, header included, is encrypted inside the tunnel)
- Encryption of protocols and application data carried in the tunnel
Disguising your whereabouts
Access to regional content
Secure data transfer
Kill switch (blocks all traffic if the tunnel drops, so nothing leaks unencrypted)
Two-factor authentication
6) Network Segmentation
Network segmentation defines boundaries between network segments where assets
within the group have a common function, risk or role within an organization.
For instance, the perimeter gateway segments a company network from the
Internet.
Potential threats outside the network are kept out, ensuring that an organization's
sensitive data remains inside.
Organizations can go further by defining additional internal boundaries within their
network, which can provide improved security and access control.
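The value of those internal boundaries is easiest to see as blast radius: from a host an attacker has compromised, which segments are reachable directly, and which only by pivoting through another compromise. The following added example (not code from the original notes) computes that for a constructed set of segments under a flat network and under a segmented policy; the allowed flows are assumptions chosen to illustrate the point.

```python
# Blast-radius comparison: which segments an attacker who has compromised a host
# in one segment can reach, directly and by pivoting, under a flat network and
# under a segmented policy. Added example; segments and allowed flows are
# constructed. Flows are {(from, to): {allowed ports}}; "*" matches any segment.
from collections import deque

SEGMENTS = ["internet", "user-lan", "dmz", "internal-apps", "db", "mgmt"]

# Flat network: every segment can talk to every other on any port.
FLAT = {(a, b): {"any"} for a in SEGMENTS for b in SEGMENTS if a != b}

# Segmented: only the flows the business actually needs.
SEGMENTED = {
    ("internet", "dmz"):           {443},
    ("user-lan", "dmz"):           {443},
    ("user-lan", "internal-apps"): {443},
    ("internal-apps", "db"):       {5432},
    ("mgmt", "*"):                 {22},
}


def neighbours(segment, flows):
    """Segments that `segment` may open a connection to under `flows`."""
    out = set()
    for (src, dst), ports in flows.items():
        if src == segment and ports:
            out.update(SEGMENTS if dst == "*" else [dst])
    out.discard(segment)
    return out


def blast_radius(start, flows):
    """Return {segment: hops} for every segment reachable from `start`,
    where hops is the number of successive compromises needed (1 = direct)."""
    hops = {}
    queue = deque([(start, 0)])
    seen = {start}
    while queue:
        seg, d = queue.popleft()
        for nxt in neighbours(seg, flows):
            if nxt not in seen:
                seen.add(nxt)
                hops[nxt] = d + 1
                queue.append((nxt, d + 1))
    return hops
```

With the flat policy a phished workstation on the user LAN reaches the database in one step; with the segmented policy it has to compromise an internal application first, and a compromised DMZ host reaches nothing at all. Each extra hop is another place for detection to fire.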
7) Zero Trust Network Access (ZTNA)
The zero trust security model states that no user or device is trusted because of where it
sits on the network; every request is authenticated and authorized, and a user gets only the
access and permissions required to fulfil their role.
This is a very different approach from that provided by traditional security
solutions, like VPNs, which typically grant a connected user access to the whole target network.
Zero trust network access (ZTNA), also known as software-defined perimeter
(SDP), permits granular access to individual applications only for the users
who require that access to perform their duties.
8) Sandboxing
Sandboxing is a cybersecurity practice where you run code or open files in a safe,
isolated environment that mimics end-user operating
environments.
Sandboxing observes the files or code as they run and looks for malicious
behaviour in order to stop threats before they reach the network.
For example, malware in files such as PDF, Microsoft Word, Excel and PowerPoint documents
can be detected and blocked before the files reach an unsuspecting end user.
Malware that detects it is running in a sandbox may delay or suppress its malicious behaviour,
so a clean sandbox verdict should not be treated as proof that a file is safe.
9) Cloud Network Security
Applications and workloads are no longer exclusively hosted on-premises in a local
data center.
Protecting the modern data center requires greater flexibility and innovation to keep
pace with the migration of application workloads to the cloud.
Software-defined Networking (SDN) and Software-defined Wide Area Network (SD-WAN)
solutions enable network security controls in private, public, hybrid and
cloud-hosted Firewall-as-a-Service (FWaaS) deployments.
Security awareness training
Even though most of us know how phishing works, it cannot be
considered common knowledge. Studies have shown that about 1 out of every 14 users falls prey
to a phishing attempt.
Providing employees with security awareness training ensures that they recognize a
phishing attempt when confronted with it. This goes a long way towards protecting an organization
from a data breach.
Employees must be trained in current topics through short courses, workshops or other
means.
There are three (3) types of training:
i) Vendor training
ii) In-house training
iii) Off-site training
Use of Honeypots
What is a honeypot?
A honeypot is a network-attached system set up as a decoy to lure cyber attackers and
detect, deflect and study hacking attempts to gain unauthorized access to information
systems.
The function of a honeypot is to present itself on the Internet as a potential target for
attackers, usually a server or other high-value asset, to gather information and to notify
defenders of any attempt by unauthorized users to access it.
For example, a honeypot might respond to Server Message Block (SMB) requests of the kind the
WannaCry ransomware used to spread, while representing itself as an
enterprise database server storing consumer information.
Figure 2: Honeypots are placed at a point in the network where they appear
vulnerable and undefended, but they are actually isolated and monitored.
Honeypot systems often use hardened operating systems (OSes) where extra security
measures have been taken to minimize their real exposure to threats, while being
configured so that they appear to offer attackers exploitable vulnerabilities.
Large enterprises and companies involved in cybersecurity research are common users of
honeypots to identify and defend against attacks from advanced persistent threat (APT)
actors.
Honeypots are an important tool that large organizations use to mount an active defense
against attackers or for cybersecurity researchers who want to learn more about the tools
and techniques attackers use.
The cost of maintaining a honeypot can be high, in part because of the specialized skills required to
implement and administer a system that appears to expose an organization's network resources, while
still preventing attackers from gaining access to any production systems.
Honeypots are often placed in a demilitarized zone (DMZ) on the network.
That approach keeps it isolated from the main production network, while still being a part of it.
In the DMZ, a honeypot can be monitored from a distance while attackers access it, minimizing the risk of
the main network being breached.
Honeypots may also be put outside the external firewall, facing the internet, to detect attempts to enter
the internal network.
The exact placement of the honeypot varies depending on how elaborate it is, the traffic it aims to attract
and how close it is to sensitive resources inside the corporate network.
No matter the placement, it will always have some degree of isolation from the production environment.