Chapter 01: Security Concepts
These days one of the most prominent topics in the news is network security or network attack. One after another, network has been compromising due to insufficient network security policies. But the question is; why network security is so important? Network security is directly related to the continuity of any organization’s business. These attacks can cause:
- Loss of business data in any organization
- Interrupt and misuse of people’s privacy
- Threaten and compromise the integrity of organization’s data
- Loss of organization’s reputation and more
Now days, however, people are becoming more aware about securing their devices connected to the public internet because of occurred events of data leakage, it’s alteration and misuse in a past few years. Network vulnerability and new methods of attack are growing day by day, hence the evolving techniques of making network more secured is growing.
Security is a broad topic that should be discussed in everything we design related to computer networking. Network security has been considered important for quite some time, especially for those of us whose entire career has been around the field of network security. There has been a massive increase in public awareness about securing their devices connected to public internet because of events of data stealth and leakage in a past few years.
As new vulnerabilities and new methods of attack exist, even the least technical users have the potential to create a devastating attack against an unprotected network. As we strive to empower employees around the world with ubiquitous access to important data, it is increasingly important to take measures for the protection of data and the entities using it.
We begin this chapter with the description of challenges of current security landscape as well as the primary goals of security.
Our security objectives are surrounding around these three basic concepts:
We want to make sure that our secret and sensitive data are secured. Confidentiality means that only authorized persons can discover our infrastructure’s digital resources. It also implies that unauthorized persons should not have any access or disclosure of the data. There are two types of data in general: data in motion as it moves across the network and data at rest, when data is in any media storage (such as servers, local hard drives, cloud). For data in motion, we need to make sure that the data is encrypted before sending it over the network. Another option we can use along with encryption is to use a separate network for sensitive data. For data at rest, we can apply encryption at storage media drive so that no one can read it in case of theft.
We do not want our data to be accessible or manipulated by some unauthorized persons. Data integrity ensures that only authorized parties can modify data. Integrity ensures the information received at the recipient’s end is exactly the information sent originally by the sender. This is the process to validate the message or communication between two end-users. If anyone alters the message by sniffing the packets, the integrity check value will notify that the communication has been modified. By the way, only authorized users are allowed to alter the message. Hash and Message authentication codes are used to validate the integrity of a message. Comparison of the received and calculated hash value determines if the communication has been altered or not.
Availability applies to systems, applications, services and data. If authorized persons are unable to access the data due to general network failure or denial-of-service (DOS) attack, it becomes a serious concern for the organization’s reputation, which leads to financial loss and recording of some important data.
We can use the term “CIA” to remember these basic yet most important security concepts.
|Confidentiality||Loss of privacy.
Unauthorized access to information.
|Encryption. Authentication. Access Control|
|Integrity||Information is no longer reliable or accurate. Fraud.||Maker/Checker. Quality Assurance.
|Availability||Business disruption. Loss of customer’s confidence. Loss of revenue.||Business continuity. Plans and test. Backup storage. Sufficient capacity.|
Table 1-01: Risk and Its Protection by Implementing CIA
Security Information Management (SIM) and Security Event Management (SEM) are evolved to form a by-product by the name of Security Information and Event Management (SIEM). In Network Security, SIEM technology allows you to get real-time visibility of all activities, threats and risks in your system, network, database and application.
- It provides a comprehensive and centralized view of an IT infrastructure.
- It provides real-time analysis of logs and security alerts generated by network hardware or application.
- It saves data for the long time, so the organizations can have a detailed report of the incident.
- SIEM provides details on the Cause of suspicious activity, which leads you to know “How that event occurred”, “Who is associated with that event”, “Was the user authorized for doing this”, etc.
SIEM products are either sold as software, as appliances or as managed services. The following diagram shows the basic features of SIEM products generally available in the market.
Figure 1-01: SIEM Components
Anything valuable to an organization is an Asset and it needs to be protected. It may vary from tangible items (people, computers etc.) to intangible items (some database information etc.). Required security level for a particular asset depends upon its value and nature. Information that should be publically accessible does not require enough security implementations as compared to the personal records of customers or employees of an organization that should be kept secured and private. Definitely, the required level of security of secret and confidential information is always higher.
Asset is something, which is directly or indirectly related to the revenue of an organization. Classification of assets helps to determine the precautions as per company’s policy. For example, any confidential and sensitive data needs to be sent over VPN (Virtual Private Network) tunnel instead of directly communicating on a public network. Classifying data not only saves time but efficiently identify how to deal with that type of an asset.
For example, purchasing an asset for $400 and then spending $3,000 for its security does not make any sense. At the same time, accepting the full risk is also not a good idea. Hence, we can reduce the risk by spending money on security measures that seems important to specific environment. We can never claim to have eliminated the risk, thus we need to find the balance.
Classifying vulnerabilities that how threatening it is or how it would impact the system helps in identifying its impact on system. Cisco and other security vendors have created databases known as The Common Vulnerabilities and Exposures (CVE) that categorizes the threats over the internet. It can be searched via any search engine available today. The following are few of the important reasons, through which vulnerability can exist in the system:
- Policy flaws
- Design errors
- Protocol weaknesses
- Software vulnerabilities
- Human factors
- Malicious software
- Hardware vulnerabilities
- Physical access to network resources
A “threat” indicates the involvement of an attacker with potentially harmful intentions. A threat is any danger from an attacker to an asset. The presence of vulnerability in a system results in a threat. The entity that uses the vulnerability to attack a system is known as malicious actor and a path used by this entity to launch attack is known as threat vector. Some of major threat classifications include:
User Identity Spoofing includes multiple techniques used to represent legitimate user information like GPS spoofing, email-address spoofing and Caller-ID spoofing, which is used in Voice-over-IP.
Information Tampering includes threats that are related to the changing of information rather than stealing it. Like changing the financial records and transactions used in banks, criminal records, etc.
Data leakage involves stealing of critical data like organization’s patents etc.
Denial of Service (DoS) is a type of attack in which service offered by a system or a network is denied. Services may either be denied, reduce the functionality or prevent the access to the resources even to the legitimate users. There are several techniques to perform DoS attack such as generating a large number of requests to the targeted system for service. These large numbers of incoming requests overload the system capacity, which results in denial of service. Botnets and Zombies are the compromised systems, which are used for generating huge traffic for DDoS attack.
Figure 1-02: Denial-of-Service Attack
Common Symptoms of DoS attack are:
- Slow performance
- Increase in spam emails
- Unavailability of a resource
- Loss of access to a website
- Disconnection of a wireless or wired internet connection
- Denial of access to any internet service
- Elevation of privilege
This category contains threats of someone getting access to the organization’s digital records higher than its current security level. Like a user with user mode access on router may get Level 15 access by doing some kind of hit and trials with being noticed.
A countermeasure is an action that somehow mitigates or compensates a potential risk. It may completely remove the vulnerability or prevent the threat agent to exploit the risk.
As we have discussed some of the security terms above, now here are some more terminologies to mitigate or countermeasure these security threats. Classifying countermeasures helps in implementing the various methods used to mitigate the attack because of vulnerability in the system.
Countermeasures can be:
- Administrative: This may include written policies and procedures for users on the network. It may also include items like background checks of specific users.
- Physical: As name suggests, it involves the physical security of server rooms, network equipment, etc.
- Logical: It includes strong password schemes for end users accounts, using firewall, Access lists, VPN tunnels, etc.
- By applying all or some defined control sets may help detect, prevent or correct any vulnerability present in the system.
Mitigating Risk: We can deal with the risk in many ways. One way is to eliminate it. For example, by disconnecting a web server from the internet makes it completely safe from being attacked, but this solution may not work for business depending heavily on its servers over the internet.
If we continue searching the solution for the example above, another way is to transfer the risk to someone else. For example, instead of running our own web server, we can use the outsourcing facility provided by many service providers. In this case, it is the service provider’s responsibility to implement sufficient schemes to mitigate the attacks.
Loss of privacy
Damage to reputation
Loss of confidence
Loss of life
Table 1-02: Risks and Corresponding Threat
Security zone is a group of interfaces and are created to control the flow of traffic. Each zone is associated with a security level. The security level represents the level of trust, from low (0) to high (100). Usually, all traffic from the LAN zone (with a Trusted security level) to the WAN zone or internet (with an Untrusted security level) is allowed but traffic from the WAN or internet (Untrusted) zone to the LAN (Trusted) zone is blocked. Firewalls have features by which we can specify the permit or block action for specified services. Here are some security levels and pre-defined zones:
|Trusted (100)||Highest level of trust. By default, the DEFAULT VLAN is mapped to the pre-defined LAN zone. You can group one or more VLANs into a Trusted zone. Outbound traffic from LAN (Trusted) to Wan (Untrusted) is allowed, but inbound traffic from untrusted to trusted zone is blocked by default.||LAN|
|VPN (75)||Higher level of trust than a public zone (untrusted), but a lower level of trust than a trusted zone. This security level is used exclusively for VPN connections. All traffic is encrypted.||VPN
|Public (50)||Higher level of trust than a guest zone, but a lower level of trust than a VPN zone||DMZ|
|Guest (25)||Higher level of trust than an untrusted zone, but a lower level of trust than a public zone.||GUEST|
|Untrusted (0)||Lowest level of trust. By default, the WAN1 interface is mapped to the WAN zone. If you are using the secondary WAN (WAN2), you can map it to the WAN zone or any other untrusted zone.||WAN|
|Voice||Designed exclusively for voice traffic. Incoming and outgoing traffic is optimized for voice operations. For example, assign Cisco IP Phones to the VOICE zone.||VOICE|
Table 1-03: Network Security Zones
Reconnaissance is an initial preparing phase for the attacker to get ready for an attack by gathering the information about the target before launching an attack using different tools and techniques. Gathering of information about the target makes it easier for an attacker, even on a large scale. Similarly, in a large scale, it helps to identify the target range.
In Passive Reconnaissance, the hacker acquires the information about target without interacting with the target directly. An example of passive reconnaissance is public or social media searching for gaining information about the target.
Active Reconnaissance is gaining information by acquiring the target directly. Examples of active reconnaissance are via calls, emails, help desk or technical departments.
We can also call it as the discovery process. In this step, attacker tries to find out the exact IP addresses alive on a network and corresponding to opened TCP and UDP ports with these IP addresses.
A ping sweep is a tool, which can be used to mitigate reconnaissance attack. Reconnaissance attack is used to gather information about a network; network administrator can run ping sweep to identify if there is any unknown host is live in the network. A ping sweep is also referred to as an ICMP sweep, and it is a basic network monitoring and scanning technique used to determine live hosts within the range of IP addresses. Whereas, a pinging a particular host shows if the host is live and accessible. Basically, ping sweep analyses the response of the command i.e. an ICMP echo, from a series of live addresses to discover unauthorized or suspected hosts added to the network.
If ping sweep is being executed by a malicious host, it will easily get the view of all the live hosts running in a network and he can exploit this information.
Information gathering includes a collection of information about target using different platforms either by social engineering, internet surfing, etc. An attacker may use different tools, networking commands for extract information. An attacker may navigate to robot.txt file to extract information about internal files.
Here are some of the methods used worldwide while generating an attack:
Figure 1-04: Phases of Launching an Attack
Social Engineering in Information Security refers to the technique of psychological manipulation. This trick is used to gather information from different social networking and other platforms from people for fraud, hacking and getting information for being close to the target.
Social Networking is one of the best information sources among other sources. Different popular and most widely used social networking site has made quite easy to find someone, get to know about someone, including its basic personal information as well as some sensitive information. Advanced features on these social networking sites also provide up-to-date information. An example of footprinting through social networking sites can be finding someone on Facebook, Twitter, LinkedIn, Instagram and much more.
Figure 1-05: Social Networking Sites
Social Networking is not only a source of joy, but it also connects people personally, professionally and traditionally. Social Networking platforms can provide sufficient information of an individual by searching the target. Searching Social Networking for a person or an organization brings much information such as photo of the target, personal information and contact details, etc.
|What Users Do||Information||What attacker gets|
|People maintain their profile||
|People update their status||
Table 1-04: Social Engineering
Figure 1-06: Collection of Information from Social Networking
Profile picture can identify the target; the profile can gather personal information. By using this personal information, an attacker can create a fake profile with the same information. Posts that have location links, pictures and other location information help to identify target location. Timelines and stories can also reveal sensitive information. By gathering information of interest and activities, an attacker can join several groups and forums for more footprinting. Furthermore, skills, employment history, current employment (and much more) are the information that can be gathered easily and used for determining the type of business, technology, and platforms used by an organization. Usually, in the posts, people posting on these platforms never think twice of that what they are posting. Their posts may contain enough information for an attacker, or a piece of required information for an attacker to gain access to their system.
There, the hacker’s main focus is on the end user’s sensitive data and this can be achieved via some bogus e-mail, forcing end users to input corporate username and password or some kind of webpage misdirection.
Types of Social Engineering
Two major types of social engineering are Phishing and Pharming.
In the Phishing process, e-mails are sent to a targeted group containing an e-mail message body, which looks legitimate. The recipient clicks the link mentioned in the e-mail assuming it as a legitimate link. Once the reader clicks the link, he/she is enticed for providing information. It redirects users to the fake webpage that looks like an official website. For example, the recipient is redirected to a fake bank webpage, asking for sensitive information like username/password or some confidential information in that link.
Similarly, the redirected link may download any malicious script onto the recipient’s system to fetch information.
In Pharming, the user is directed from a valid URL to a malicious one, which looks exactly like a valid resource. It is then used to extract sensitive information from the user. Another type of social engineer attack is phone scams, although it is not very popular. Attackers try to call up an employee and use tricks to get as much corporate information as possible. An example of this type would be a fake recruiter asking for names, e-mail accounts, and phone numbers. Attacker can then use this information for future attacks and so forth.
The best way to protect employees from this type of attack is through consistent training. Employees must know the importance of the data they are dealing with regarding the company. Employees who already know about social engineering attacks and their role on corporate health can help employees to better deal with such situations. Standard Operation Procedures (SOP) regarding data and information security can also play an important role in this regard. Such SOPs may include, but not limited to, Strong Password Policy that include multiple character types and declaration to not to tell passwords to anyone, Classification of Data to make sure employees know which information is sensitive, Physical Security such as premises monitoring and background checks of employees. Use of Antivirus suites can also minimize phishing attacks to some extent. In order to have better protection, additional methods such as DNS protection and web browser protection must be implemented.
Figure 1-07: Social Engineering Mind Map
Privilege Escalation involves the process of what to do after gaining access to the target. There are still a lot of tasks to perform in Privilege Escalation. You may not always hack an admin account; sometimes, you have to compromise the user account, which has lower privileges. Using the compromised account with limited privilege will not help you to achieve your goals. Prior to anything after gaining access, you have to perform privilege escalation to complete your high-level access with no or limited restrictions.
Each Operating System comes with some default setting and user accounts such as administrator account, root account and guest account, etc. with default passwords. It is easy for an attacker to find vulnerabilities of pre-configured account in an operating system to exploit and gain access. These default settings and account must be secured and modified to prevent unauthorized access.
This is the process of gaining some level of access and then using different methods like brute-force attack to gain some high level of access. For example, a person with user mode access of router can use brute-force attack to gain level 15 access by cracking the enabled secret password.
Backdoors: When attackers successfully gain access to some system, they want to make future access as easy as possible. A backdoor application will be installed by using different techniques defined above to store confidential information, which can be retrieved by attacker when required.
Code Execution: This method is usually related with the activity of attacker after gaining access to the system and its impact on the system. It may have an impact on confidentiality, integrity or availability of the system and it depends on the level of access the attacker has gained and the code or piece of software he has used on the system.
Man-in-the-Middle Attacks: This happen when attackers break the normal link of communication between two nodes and act as a bridge between them. With the purpose of eavesdropping, it can occur at both TCP/IP Layer 2 and at Layer 3.
Attackers can use the concept of Address Resolution Protocol (ARP) Poisoning so that devices on LAN consider attacker’s MAC address to be the MAC address of the default gateway. Attackers send the traffic to correct destination so that the sender and receiver do not feel anything unusual happening between their sessions. In order to mitigate this attack, we need to enable Dynamic Address Resolution Protocol (ARP) Inspection (DAI) on switches.
To implement man-in-the-middle attack at Layer 3, attackers introduce a rouge router in network and make sure that other routers see this router as preferred path for destination routes. To stop such kind of attacks, we can use authentication for routing protocols used in network, use Access Lists to permit only required traffic etc.
To make our data more secure, we must use HTTPS instead of HTTP, which sends traffic in plain text. For accessing devices, we can use SSH instead of TELNET for a secured connection. Similarly, we must use VPNs for traffic to be sent between end-to-end nodes.
Sometimes, the intention of attackers can be to affect the availability of data or resource. Major types of such attacks include Denial of Service (DoS) and Botnet. Botnet, attackers can generate TCP SYN or ICMP echo requests to a particular destination from a group of already infected computers by using the concept of backdoors defined earlier. In Client/Server communication, every device has some limitation for incoming requests. When this limit is crossed, application running on that specific device will be unavailable to clients.
Denial of Service (DoS) and DDoS have three distinct categories. In Direct DDoS, source of attack generates the traffic for victim computer/device. It does not use any indirect way to keep itself hidden. In reflected DDoS, attackers use some third node in a way that it receives spoofed packets that appear to be from a victim. Now the victim’s device is affected when it receives response from this third node. In this type, original source of attack is actually hidden, in case the victim notices some strange activity on its network.
Amplification, which is the third distinct type of DDoS attack, is actually a sub category of reflected DDoS. In this type, attacker tries to increase the response traffic sent to the victim to be more that actual packets sent by an attacker. For example, when DNS queries are sent and packet size of response is much higher than initial queries, victim node gets flooded with unwanted traffic, which may affect its availability.
The following table summarizes the different types of attacks as previously discussed.
|Type of attack||Description|
|Reconnaissance||Stealing network information|
|Social Engineering||Using employees for attack generation|
|Phishing||Fake links are presented to end user to launch an attack|
|Pharming||Rough web pages are presented to misguide the clients and steal information|
|Privilege Escalation||Getting high-level access of networking device|
|Backdoors||Installing application on victim devices for future access|
|Code execution||Presenting user a link with some executable code embedded in it|
|Man-in-the-middle attacks||Used for eavesdropping and stealing information exchange between two or more peers|
|Botnet||Attack generated by group of affected devices|
|Denial of Service||Attacks to effect the availability of devices or some services|
|Amplification||Increasing response or action of attack with less number of commands|
Table 1-05: Types of Attacks
A network threat can be classified into three categories:
- Administrative: It is usually policy and procedure based, administrative treat involves the change in configuration, policies, access controls and rules.
- Logical: It involves threats for hardware and software.
- Physical: It involves threats for physical infrastructure.
In the world of evolving technology, technology and threats of cyber-attacks are growing side by side. Understanding the nature of existing threats can help in dealing with new threats. It is more important to understand the type of adversaries behind these attacks rather than studying every single attack regarding some proprietary information or network infrastructure. Some of the types of adversaries are Hackers, Criminals, Disgruntled Employees, Intelligence and Government Agencies.
Some attackers do it for financial profit. Some do it just for fun. Sometimes, an attack can be at state level where you have to understand the geo political scenario to understand the overall payload of the attack. One perfect example would be the Sutxnet virus attack. Back in early 2000s, viruses were not as sophisticated as they are now. Most of the time, people did it just for fame. As computer literacy and sudden surge in technology has changed the whole landscape, there are many examples where the payload of the attack is stealth of information and damage of critical infrastructure.
The term Malware refers to a variety of hostile or intrusive software including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software.
Identifying malware as it attempts to enter the network or being already residing in network infrastructure is one the most tedious job of security-concerned persons. There are several factors, which make its identification a little bit difficult. Any new malware created is undetectable from signature based detection tools. Normally malwares are embedded in trusted applications and sent over the protocols that are traditionally permitted in firewalls and Access Lists of network devices like HTTP and HTTPS traffic. A dedicated human resources would be required if every single piece of data, which traverse across the network, needs to be monitored. Increasing use of encryption also adds another layer of complexity for an organization to classify malicious traffic.
Figure 1-08: Malware Components
|Virus||It is a malicious program. It executes by itself and infects other files and programs in your system.|
|Worm||A worm is a self-replicating malware, which infects system, files or programs.|
|Spyware||Spyware is a malicious program that is designed to gather information and data from the system, without disturbing the system’s user.|
|Adware||An adware is a malicious software application, which delivers ads through pop-up windows on any program’s interface.|
|Scareware||Scareware is any malicious program that pretends to be legitimate antivirus software, it involves convincing users that their system is infected and they should purchase their fake antivirus. Once the user installs this software, it leads to the stealth of sensitive data.|
|Trojan horses||Trojan is malicious software, which disguises itself in some legitimate application like free screen saver, free antivirus cracker, etc. Once it is downloaded it will attack end users.|
|Ransomware||Ransomware is malicious software, which is designed to encrypt user’s data, and then hackers demand ransom payment to decrypt the respective data.|
Table 1-06: Malware Components
Malware Identification Methods
These are the tools and techniques used to identify malware existence over the network:
Packet Captures: Packet captures like Wireshark provide minute-to-minute detail related to traffic being sent or received over the network. Packet captures of malicious traffic can be separately taken under observation to find out its payload or purpose of attack. One problem with such type of identification method is the volume of traffic being captured, which makes malware detection a bit difficult.
Snort: Snort is an open source intrusion prevention and detection system. Snort is so popular for its speed and performance. Snort engine comprises threat identification, detection and prevention components, outputs about advanced threats with minimum false positives and missing legitimate threats.
Advanced Malware Protection: Cisco Advanced Malware Protection (AMP) provides protection against highly sophisticated, zero-day and highly advanced malware threats. Cisco AMP is designed for Cisco FirePOWER appliances. By analysing and monitoring files that have entered the network, AMP helps network administrators to take action during and after an attack by using security alerts. It also helps administrators to correlate discrete events for better detection by providing multi source indications of compromise.
NGIPS: Cisco’s next-generation intrusion prevention system (NGIPS) provides multilayer threat protection at high throughput rates. It is centrally managed through Cisco FireSight Management Center and can be expanded to include extra features like URL Filtering, AMP, etc.
Data exfiltration or Data extrusion involves an unauthorized alteration like copying, retrieval or transfer of someone’s data from his system or server. This alteration can be done by using software or can be done manually with physical access to the system.
Considering the current scenario of cyber-crime where well-funded and highly equipped teams are hired to penetrate through corporate security measures like firewall to steal digital information from corporates all around the world, security practices and measures are normally good for filtering and classifying inbound traffic. However, most of the practices implemented in different organizations lack visibility into traffic that is leaving the local network. This outbound traffic being stolen by malicious actors may include intellectual property like organization patents, customer’s data and trade secrets. Having this type of outbound data leakage may place organization at huge risk for losing financial data, promising customers and much more.
The few data types considered important to malicious actors in this regard are:
Intellectual Property (IP): It consists of any kind of data or documentation, produced by employee of an organization. It may include patents, designs, layouts or documents supporting the overall business of an organization.
Personally identifiable information (PII): After some data breach, this kind of information is shared in press to support the cause. Normally it consists of usernames, date of birth, addresses and social security numbers (SSN).
Credit/Debit Card: Both credit and debit cards have user information embedded either on the chip inside the card or on a magnetic strip. Normally, malicious actors trying to get financial gain tries to steal such kind of information.