Lecture 1 - Introduction
The art of war teaches us not on the likelihood of the enemy’s not coming, but on our own
readiness to receive him; not on the chance of his not attacking, but rather on the fact that we
have made our position unassailable.
-- The Art of War, Sun Tzu
TABLE OF CONTENTS
INTRODUCTION
Guidelines
EEC 2505 September 2021
INTRODUCTION
Before we talk about network security, we need to understand in general terms what security is.
Security is a continuous process of protecting an object from unauthorized access. It is a state of being or
feeling protected from harm. That object in that state may be a person, an organization such as a business,
or property such as a computer system or a file.
Security comes from secure which means, according to Webster Dictionary, a state of being free from care,
anxiety, or fear. An object can be in a physical state of security or a theoretical state of security.
In a physical state, a facility is secure if it is protected by a barrier like a fence, has secure areas both inside
and outside, and can resist penetration by intruders. This state of security can be guaranteed if the following
four protection mechanisms are in place: deterrence, prevention, detection, and response.
• Deterrence is usually the first line of defense against intruders who may try to gain access. It works
by creating an atmosphere intended to frighten intruders. Sometimes this may involve warnings of
severe consequences if security is breached.
• Prevention is the process of trying to stop intruders from gaining access to the resources of the
system. Barriers include firewalls, demilitarized zones (DMZs), and the use of access items like
keys, access cards, biometrics, and others to allow only authorized users to use and access a facility.
• Detection occurs when the intruder has succeeded or is in the process of gaining access to the
system. Signals from the detection process include alerts to the existence of an intruder. Sometimes
these alerts can be real time or stored for further analysis by the security personnel.
• Response is an after-effect mechanism that tries to respond to the failure of the first three
mechanisms. It works by trying to stop and/or prevent future damage or access to a facility.
The areas outside the protected system can be secured by wire and wall fencing, mounted noise or vibration
sensors, security lighting, closed-circuit television (CCTV), buried seismic sensors, or different
photoelectric and microwave systems. Inside the system, security can be enhanced by using electronic
barriers such as firewalls and passwords.
Digital barriers, commonly known as firewalls (which we shall discuss later in the course), can also be used.
Firewalls are hardware or software tools used to isolate the sensitive portions of an information system
facility from the outside world and limit the potential damage by a malicious intruder.
A theoretical state of security, commonly known as pseudo security or security through obscurity (STO),
is a false hope of security. Many believe that an object can be secure as long as nobody outside the core
implementation group has knowledge about its existence. This security is often referred to as “bunk
mentality” security. This is virtual security in the sense that it is not physically implemented like building
walls, issuing passwords, or putting up a firewall, but it is effectively based solely on a philosophy. The
philosophy itself relies on a need to know basis, implying that a person is not dangerous as long as that
person doesn’t have knowledge that could affect the security of the system like a network, for example. In
real systems where this security philosophy is used, security is assured through a presumption
that only those with responsibility and who are trustworthy can use the system and nobody else needs to
know. So, in effect, the philosophy is based on the trust of those involved assuming that they will never
leave. If they do, then that means the end of security for that system.
There are several examples where STO has been successfully used. These include Coca-Cola, KFC, and
other companies that have, for generations, kept their secret recipes secure based on a few trusted
employees. But the overall STO is a fallacy that has been used by many software producers when they hide
their codes. Many times, STO hides system vulnerabilities and weaknesses. This was demonstrated
vividly in Matt Blaze’s 1994 discovery of a flaw in the Escrowed Encryption Standard (Clipper) that could
be used to circumvent law enforcement monitoring. Blaze’s discovery allowed easier access to secure
communication through the Clipper technology than was previously possible, without access to keys. The
belief that secrecy can make the system more secure is just that, a belief – a myth in fact. Unfortunately,
the software industry still believes this myth.
Although its usefulness has declined as the computing environment has changed to large open systems, new
networking programming and network protocols, and as the computing power available to the average
person has increased, the philosophy is in fact still favored by many agencies, including the military, many
government agencies, and private businesses.
In either security state, many objects can be thought of as being secure if such a state, a condition, or a
process is afforded to them. Because there are many of these objects, we are going to focus on the security
of a few of these object models. These will be a computer, a computer network, and information.
a) Computer Security
This is a branch of computer science that focuses on creating a secure environment for
the use of computers. It focuses on the “behavior of users,” if you will, and on the protocols required in
order to create a secure environment for anyone using computers. This field, therefore, involves four
areas of interest: the study of computer ethics, the development of both software and hardware
protocols, and the development of best practices. It is a complex field of study involving detailed
mathematical designs of cryptographic protocols. We are not focusing on this in this course.
b) Network Security
Computer networks are distributed networks of computers that are either strongly connected, meaning
that they share a lot of resources from one central computer or loosely connected, meaning that they
share only those resources that can make the network work. When we talk about computer network
security, our focus object model has now changed. It is no longer one computer but a network. So,
computer network security is a broader study of computer security. It is still a branch of computer
science, but a lot broader than that of computer security. It involves creating an environment in which
a computer network, including all its resources, which are many; all the data in it both in storage and
in transit; and all its users, is secure. Because it is wider than computer security, this is a more complex
field of study than computer security involving more detailed mathematical designs of cryptographic,
communication, transport, and exchange protocols and best practices.
c) Information Security
Information security is an even bigger field of study, including computer and computer network security.
This study is found in a variety of disciplines, including computer science, business management,
information studies, and engineering. It involves the creation of a state in which information and data
are secure. In this model, information or data is either in motion through the communication channels
or in storage in databases on servers. This, therefore, involves the study of not only more detailed
mathematical designs of cryptographic, communication, transport, and exchange protocols and best
practices but also the state of both.
Although security has been considered important for quite some time, especially for those of us who have
spent a large portion of our careers in the network security field, there has been a surge in public interest
over the past year or so due to events that have impacted even the least technically savvy person. It seems
as if we cannot go a full week lately without hearing that credit card data or personally identifiable
information (PII) has inadvertently been leaked (more accurately, stolen) from banks, retail stores, and the
like by malicious actors.
Security has become more complex than ever as the motives and capabilities of threat actors continue to
evolve while allowing the miscreants to often stay (at least) one step ahead of those of us in the network
security space. In addition, the concept of location of data is becoming blurred by concepts of cloud
computing and content-data networks and global load balancing. As we strive to empower employees
around the world with ubiquitous access to important data, it is increasingly important to remain constantly
vigilant about protecting data and the entities using it (individuals, businesses, governments, and so on).
This lecture covers the fundamental building blocks of network security (implementing and improving), an
essential topic that you are ready to master now that you better understand its importance.
Creating security in the computer network model we are embarking on in this course means creating secure
environments for a variety of resources. In this model, a resource is secure, based on the above definition,
if that resource is protected from both internal and external unauthorized access. These resources, physical
or not, are objects. Ensuring the security of an object means protecting the object from unauthorized access
both from within the object and externally. In short, we protect objects.
System objects are either tangible or nontangible. In a computer network model, the tangible objects are
the hardware resources in the system, and the intangible object is the information and data in the system,
both in transition and static in storage.
a) Hardware
Protecting hardware resources includes protecting:
• End-user objects that include the user interface hardware components such as all client system input
components, including a keyboard, mouse, touch screen, light pens, and others
• Network objects like firewalls, hubs, switches, routers, and gateways which are vulnerable to
hackers
• Network communication channels to prevent eavesdroppers from intercepting network
communications
b) Software
Protecting software resources includes protecting hardware-based software, operating systems, server
protocols, browsers, application software, and intellectual property stored on network storage disks and
databases. It also involves protecting client software such as investment portfolios, financial data, real
estate records, images or pictures, and other personal files commonly stored on home and business
computers.
Forms of Protection
Now we know which model objects are, or need to be, protected. Let us briefly survey, keeping the details for
later, the ways and forms of protecting these objects. Prevention of unauthorized access to system resources is
achieved through a number of services that include access control, authentication, confidentiality, integrity,
and nonrepudiation.
Access Control
This is a service the system uses, together with identification information provided in advance by the user,
such as a password, to determine who uses what of its services. Let us look at some forms of
access control based on hardware and software.
• Access terminal. Terminal access points have become very sophisticated, and now
they not only carry out user identification but also verify access rights, control
access points, and communicate with host computers. These activities can be done
in a variety of ways including fingerprint verification and real-time anti-break-in
sensors. Network technology has made it possible for these units to be connected
to a monitoring network or remain in a stand-alone off-line mode.
• Visual event monitoring. This is a combination of many technologies into one very
useful and rapidly growing form of access control using a variety of real-time
technologies including video and audio signals, aerial photographs, and global
positioning system (GPS) technology to identify locations.
• Identification cards. Sometimes called proximity cards, these cards have become
very common these days as a means of access control in buildings, financial
institutions, and other restricted areas. The cards come in a variety of forms,
including magnetic, bar coded, contact chip, and a combination of these.
• Biometric identification. This is perhaps the fastest growing form of access control
tool today. Some of the most popular forms include fingerprint, iris, and voice
recognition. However, fingerprint recognition offers a higher level of security.
• Video surveillance. This is a replacement of the CCTV of yesteryear, and it is gaining
popularity as an access control tool. With fast networking technologies and digital
cameras, images can now be taken and analyzed very quickly and action taken in
minutes.
In remote mode, the terminals can be linked in a variety of ways, including the use of modems,
telephone lines, and all forms of wireless connections. If needed, such terminals may
place automatic calls at preset times or have an attendant report regularly.
Not all users appreciate their role in keeping data safe, and unfortunately the users of the network represent
a significant vulnerability, in that they have usernames and passwords (or other credentials, such as one-
time password token generators) that allow them access to the network. If a user is compromised or an
unauthorized individual gains access to data, applications, or devices to which they should not have access,
the security of the network may still fail as a result, even after you apply all the concepts that you learn in
this book. So, an important point to remember is that the users’ behaviors pose a security risk and that
training users is a key part of a comprehensive security policy.
• Confidentiality: There are two types of data: data in motion as it moves across the network; and
data at rest, when data is sitting on storage media (server, local workstation, in the cloud, and so
forth). Confidentiality means that only the authorized individuals/systems can view sensitive or
classified information. This also implies that unauthorized individuals should not have any type of
access to the data. Regarding data in motion, the primary way to protect that data is to encrypt it
before sending it over the network.
Another option you can use with encryption is to use separate networks for the transmission of
confidential data. Several chapters in this book focus on these two concepts.
• Integrity: Integrity for data means that changes made to data are done only by authorized
individuals/systems. Corruption of data is a failure to maintain data integrity.
• Availability: This applies to systems and to data. If the network or its data is not available to
authorized users—perhaps because of a denial-of-service (DoS) attack or maybe because of a
general network failure—the impact may be significant to companies and users who rely on that
network as a business tool. The failure of a system, to include data, applications, devices, and
networks, generally equates to loss of revenue.
Perhaps thinking of these security concepts as the CIA “triad” might help you remember them:
confidentiality, integrity, and availability.
Classifying Assets
One reason to classify an asset is so that you can take specific action, based on policy, with regard to assets
in a given class. Consider, for example, virtual private networks (VPN). We classify (that is, identify) the
traffic that should be sent over a VPN tunnel. By classifying data and labeling it (such as labeling “top secret”
data on a hard disk), we can then focus the appropriate amount of protection or security on that data: more
security for top secret data than for unclassified data, for instance. The benefit is that when new data is put
into the system, you can classify it as confidential or secret and so on and it will then receive the same level
of protection that you set up for that type of data. Table 1-2 lists some common asset classification categories.
Governmental classifications:
• Unclassified
• Sensitive but unclassified (SBU)
• Confidential
• Secret
• Top secret
Table 1-3 describes the four classification levels used within the Traffic Light Protocol (TLP). The TLP is a
set of designations developed by the US-CERT division to ensure that sensitive information is shared with
the correct audience. It employs four colors to indicate different degrees of sensitivity and the
corresponding sharing considerations to be applied by the recipients. The CERT division, part of the
Software Engineering Institute and based at Carnegie Mellon University (Pittsburgh, Pennsylvania), is an
authority respected worldwide in the field of network security and cyber security.
Classifying Vulnerabilities
Understanding the weaknesses and vulnerabilities in a system or network is a huge step toward correcting
the vulnerability or putting in appropriate countermeasures to mitigate threats against those vulnerabilities.
Potential network vulnerabilities abound, with many resulting from one or more of the following:
• Policy flaws
• Design errors
• Protocol weaknesses
• Misconfiguration
• Software vulnerabilities
• Human factors
• Malicious software
• Hardware vulnerabilities
• Physical access to network resources
The Common Vulnerabilities and Exposures (CVE) is a dictionary of publicly known security
vulnerabilities and exposures. A quick search using your favorite search engine will lead you to the website.
There is also a National Vulnerability Database (NVD), which is a repository of standards-based
vulnerability information; you can do a quick search for it, too. (URLs change over time, so it is better to
advise you to just do a quick search and click any links that interest you.)
Classifying Countermeasures
After a company has identified its assets and considered the risks involved to that asset from a threat
against a vulnerability, the company can then decide to implement countermeasures to reduce the risk of
a successful attack. Common control methods used to implement countermeasures include the following:
o Administrative: These consist of written policies, procedures, guidelines, and standards. An
example would be a written acceptable use policy (AUP), agreed to by each user on the
network. Another example is a change control process that needs to be followed when making
changes to the network. Administrative controls could involve items such as background checks
for users, as well.
o Physical: Physical controls are exactly what they sound like, physical security for the network
servers, equipment, and infrastructure. An example is providing a locked door between users
and the wiring closet on any floor (where the switches and other gear exist). Another example of
a physical control is a redundant system (for instance, an uninterruptible power supply).
o Logical: Logical controls include passwords, firewalls, intrusion prevention systems, access
lists, VPN tunnels, and so on. Logical controls are often referred to as technical controls.
Not all controls are created equal, and not all controls have the same purpose. Working together, however,
the controls should enable you to prevent, detect, correct, and recover, all while acting as a deterrent to a
threat.
Potential Attackers
We could devote an entire book to attacks that have been launched in the past 15 minutes somewhere in the
world against a network resource, a section of critical infrastructure, or a desired set of proprietary data.
Instead of trying to list the thousands of attacks that could threaten vulnerable networks, let’s begin by
looking at the types of adversaries that may be behind attacks:
• Terrorists
• Criminals
• Government agencies
• Nation states
• Hackers
• Disgruntled employees
• Competitors
• Anyone with access to a computing device (sad, but true)
Different terms are used to refer to these individuals, including cracker (criminal hacker), script-kiddie, and
the list goes on. As a security practitioner, you want to “understand your enemy.” This is not to say that
everyone should learn to be a hacker or write malware, because that is really not going to help. Instead, the
point is that it is good to understand the motivations and interests of the people involved in breaking all
those things you seek to protect. You also need to have a good understanding of your network and data
environment to know what is vulnerable and what can be targeted by the malicious actors.
Some attackers seek financial gain (as mentioned previously). Others might want the notoriety that comes
from attacking a well-known company or brand. Sometimes attackers throw their net wide and hurt
companies both intended and unintended.
Back in the “old days,” attacks were much simpler. We had basic intrusions, war dialing, and things like that.
Viruses were fairly new. But it was all about notoriety. The Internet was in its infancy, and people sought to
make names for themselves. In the late 1990s and early 2000s, we saw an increase in the number of viruses
and malware, and it was about fame.
More recently, many more attacks and threats revolve around actual theft of information and damage with
financial repercussions. Perhaps that is a sign of the economy, or maybe it is just an evolution of who is
computer literate or incentivized to be involved. Attackers may also be motivated by government or
industrial espionage.
Attack Methods
Most attackers do not want to be discovered and so they use a variety of techniques to remain in the
shadows when attempting to compromise a network, as described in Table 1-4.
Action: Description
• Reconnaissance: This is the discovery process used to find information about the network. It could include
scans of the network to find out which IP addresses respond, and further scans to see which
ports on the devices at these IP addresses are open. This is usually the first step taken, to
discover what is on the network and to determine potential vulnerabilities.
• Social engineering: This is a tough one because it leverages our weakest (very likely) vulnerability in a secure
system (data, applications, devices, networks): the user. If the attacker can get the user to
reveal information, it is much easier for the attacker than using some other method of
reconnaissance. This could be done through e-mail or misdirection of web pages, which
results in the user clicking something that leads to the attacker gaining information. Social
engineering can also be done in person or over the phone.
Phishing presents a link that looks like a valid trusted resource to a user. When the user
clicks it, the user is prompted to disclose confidential information such as
usernames/passwords.
Pharming is used to direct a customer’s URL from a valid resource to a malicious one that
could be made to appear as the valid site to the user. From there, an attempt is made to extract
confidential information from the user.
• Privilege escalation: This is the process of taking some level of access (whether authorized or not) and achieving
an even greater level of access. An example is an attacker who gains user mode access to a
router and then uses a brute-force attack against the router, determining what the enable secret
is for privilege level 15 access.
• Back doors: When attackers gain access to a system, they usually want future access, as well, and they
want it to be easy. A backdoor application can be installed to either allow future access or to
collect information to use in further attacks.
Many back doors are installed by users clicking something without realizing the link they
click or the file they open is a threat. Back doors can also be implemented as a result of a
virus or a worm (often referred to as malware).
• Code execution: When attackers can gain access to a device, they might be able to take several actions. The
type of action depends on the level of access the attacker has, or can achieve, and is based
on permissions granted to the account compromised by the attacker. One of the most
devastating actions available to an attacker is the ability to execute code within a device.
Code execution could result in an adverse impact to the confidentiality (attacker can view
information on the device), integrity (attacker can modify the configuration of the device),
and availability (attacker can create a denial of service through the modification of code) of
a device.
Attack Vectors
Be aware that attacks are not launched only from individuals outside your company. They are also launched
from people and devices inside your company who have current, legitimate user accounts. This vector is of
particular concern these days with the proliferation of organizations allowing employees to bring their own
devices (BYOD) and allowing them seamless access to data, applications, and devices on the corporate networks.
For more information on BYOD, see Chapter 4, “Bring Your Own Device (BYOD).” Perhaps the user is
curious, or maybe a back door is installed on the computer on which the user is logged in. In either case, it
is important to implement a security policy that takes nothing for granted and to be prepared to mitigate
risk at several levels.
You can implement a security policy that takes nothing for granted by requiring authentication from users
before their computer is allowed on the network (for which you could use 802.1X and Cisco Access Control
Server [ACS]). This means that the workstation the user is on must go through a profiling before being
allowed on the network. You could use Network Admission Control (NAC) or an Identity Service Engine
(ISE) to enforce such a policy. In addition, you could use security measures at the switch port, such as port
security and others. We cover many of these topics, in great detail, in later chapters.
Man-in-the-Middle Attacks
A man-in-the-middle attack results when attackers place themselves in line between two devices that are
communicating, with the intent to perform reconnaissance or to manipulate the data as it moves between
them. This can happen at Layer 2 or Layer 3. The main purpose is eavesdropping, so the attacker can see all
the traffic.
If this happens at Layer 2, the attacker spoofs Layer 2 MAC addresses to make the devices on a LAN believe
that the Layer 2 address of the attacker is the Layer 2 address of its default gateway. This is called ARP
poisoning. Frames that are supposed to go to the default gateway are forwarded by the switch to the Layer 2
address of the attacker on the same network. As a courtesy, the attacker can forward the frames to the correct
destination so that the client will have the connectivity needed and the attacker now sees all the data between
the two devices. To mitigate this risk, you could use techniques such as dynamic Address Resolution Protocol
(ARP) inspection (DAI) on switches to prevent spoofing of the Layer 2 addresses.
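The check a switch performs for dynamic ARP inspection can be sketched as follows. This is an added example, not code from the lecture or from any switch vendor: it parses raw ARP frames and compares the sender IP/MAC pair against a trusted binding table. The binding table, port names, and sample frames are constructed assumptions, and the Ethernet-source consistency check is an extra validation step assumed here.

```python
import struct

# Constructed trusted bindings (assumption): IP -> MAC, as a switch would hold
# them from DHCP snooping or static entries.
TRUSTED_BINDINGS = {
    "192.168.1.1": "00:11:22:33:44:55",   # default gateway
    "192.168.1.10": "aa:bb:cc:00:00:10",  # client workstation
}
TRUSTED_PORTS = {"Gi0/24"}  # uplink to the gateway; ARP here is not inspected


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("EtherType is not ARP")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {"eth_src": _mac(eth_src), "oper": oper,
            "sender_mac": _mac(sha), "sender_ip": _ip(spa),
            "target_ip": _ip(tpa)}


def inspect(frame, port, bindings=TRUSTED_BINDINGS, trusted_ports=TRUSTED_PORTS):
    """Return (verdict, reason) for one ARP frame seen on a switch port."""
    if port in trusted_ports:
        return ("permit", "trusted port")
    try:
        arp = parse_arp(frame)
    except ValueError as exc:
        return ("drop", f"malformed: {exc}")
    # Extra consistency check: the frame header and ARP payload must agree.
    if arp["eth_src"] != arp["sender_mac"]:
        return ("drop", "Ethernet source differs from ARP sender MAC")
    expected = bindings.get(arp["sender_ip"])
    if expected is None:
        return ("drop", f"no binding for {arp['sender_ip']}")
    if expected != arp["sender_mac"]:
        return ("drop", f"{arp['sender_ip']} is bound to {expected}, "
                        f"not {arp['sender_mac']}")
    return ("permit", "matches binding")


def build_arp_reply(eth_src, sender_mac, sender_ip, target_mac, target_ip):
    """Build the bytes of an ARP reply; used only for the constructed samples."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    eth = struct.pack("!6s6sH", m(target_mac), m(eth_src), 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2,
                      m(sender_mac), i(sender_ip), m(target_mac), i(target_ip))
    return eth + arp


GW, CLIENT, ROGUE = "00:11:22:33:44:55", "aa:bb:cc:00:00:10", "de:ad:be:ef:00:01"

# Constructed samples: (ingress port, frame bytes)
SAMPLES = [
    ("Gi0/3", build_arp_reply(CLIENT, CLIENT, "192.168.1.10", GW, "192.168.1.1")),
    ("Gi0/7", build_arp_reply(ROGUE, ROGUE, "192.168.1.1", CLIENT, "192.168.1.10")),
    ("Gi0/7", build_arp_reply(ROGUE, GW, "192.168.1.1", CLIENT, "192.168.1.10")),
    ("Gi0/24", build_arp_reply(GW, GW, "192.168.1.1", CLIENT, "192.168.1.10")),
    ("Gi0/7", b"\x00" * 20),  # truncated frame
]


def run_samples():
    return [inspect(frame, port) for port, frame in SAMPLES]


if __name__ == "__main__":
    for (port, _), (verdict, reason) in zip(SAMPLES, run_samples()):
        print(f"{port:7} {verdict:6} {reason}")
```

The second and third samples are the cases the paragraph describes: a host on an untrusted port claiming the gateway's IP address with a MAC that is not the gateway's.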
The attacker could also implement the attack by placing a switch into the network and manipulating the
Spanning Tree Protocol (STP) to become the root switch (and thus gain the ability to see any traffic that
needs to be sent through the root switch). You can mitigate this through techniques such as root guard and
other spanning-tree controls discussed later in this book.
A man-in-the-middle attack can occur at Layer 3 by a rogue router being placed on the network and then
tricking the other routers into believing that the new router has a better path. This could cause network traffic
to flow through the rogue router and again allow the attacker to steal network data. You can mitigate attacks
such as these in various ways, including routing authentication protocols and filtering information from
being advertised or learned on specific interfaces.
as Telnet or HTTP, an attacker who has implemented a man-in-the-middle attack can see the contents of your
cleartext data packets, and as a result will see everything that goes across the attacker’s device, including
usernames and passwords that are used. Using management protocols that have encryption built in, such as
Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS), is considered a best practice, and
using VPN protection for cleartext sensitive data is also considered a best practice.
• DoS and DDoS: Denial-of-service (DoS) attack and distributed denial-of-service (DDoS) attack. An
example is using a botnet to attack a target system. If an attack is launched from a single
device with the intent to cause damage to an asset, the attack could be considered a
DoS attempt, as opposed to a DDoS. Both types of attacks want the same result, and
whether it is called a DoS or DDoS attack just depends on how many source machines
are used in the attack. A more advanced and increasingly popular type of DDoS attack
is called a reflected DDoS (RDDoS) attack. An RDDoS takes place when the source of
the initial (query) packets is actually spoofed by the attacker. The response packets are
then “reflected” back from the unknowing participant to the victim of the attack; that
is, the original (spoofed) source of the initial (query) packets.
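From the victim's side, a reflected attack shows up as response packets that answer no query the victim ever sent. The following added example (not part of the original lecture) flags internal hosts receiving such unsolicited responses. The packet summaries, the `10.0.0.` internal prefix, the 5-second window, and the threshold of three are constructed assumptions.

```python
from collections import defaultdict

# Constructed packet summaries (not real traffic):
# (time_s, src_ip, src_port, dst_ip, dst_port, size_bytes, kind)
# "kind" is assumed to come from a sensor that decodes the query/response flag.
PACKETS = [
    # Normal exchange: an internal host asks and gets its answer.
    (1.00, "10.0.0.5", 40000, "198.51.100.53", 53, 60, "query"),
    (1.02, "198.51.100.53", 53, "10.0.0.5", 40000, 120, "response"),
    # Responses arriving at a host that never sent the matching queries.
    (2.00, "203.0.113.1", 53, "10.0.0.9", 50001, 3000, "response"),
    (2.01, "203.0.113.2", 53, "10.0.0.9", 50002, 3100, "response"),
    (2.02, "203.0.113.3", 53, "10.0.0.9", 50003, 2900, "response"),
    (2.03, "203.0.113.1", 53, "10.0.0.9", 50004, 3000, "response"),
    # A very late answer: counted as unsolicited, but below the threshold.
    (3.00, "10.0.0.5", 40001, "198.51.100.53", 53, 60, "query"),
    (20.0, "198.51.100.53", 53, "10.0.0.5", 40001, 120, "response"),
]


def find_reflection_victims(packets, internal_prefix="10.0.0.",
                            window=5.0, min_unsolicited=3):
    """Return internal hosts that received unsolicited responses.

    A response is solicited only if the same internal host and port sent a
    query to the same server and port within `window` seconds before it.
    """
    outstanding = {}  # (client_ip, client_port, server_ip, server_port) -> time
    stats = defaultdict(lambda: {"responses": 0, "bytes": 0, "reflectors": set()})

    for ts, src, sport, dst, dport, size, kind in sorted(packets, key=lambda p: p[0]):
        if kind == "query":
            if src.startswith(internal_prefix):
                outstanding[(src, sport, dst, dport)] = ts
            continue
        if not dst.startswith(internal_prefix):
            continue
        sent = outstanding.pop((dst, dport, src, sport), None)
        if sent is not None and ts - sent <= window:
            continue  # answer to a query this host really sent
        entry = stats[dst]
        entry["responses"] += 1
        entry["bytes"] += size
        entry["reflectors"].add(src)

    return {
        ip: {"responses": s["responses"], "bytes": s["bytes"],
             "reflectors": sorted(s["reflectors"])}
        for ip, s in stats.items() if s["responses"] >= min_unsolicited
    }


if __name__ == "__main__":
    for ip, info in find_reflection_victims(PACKETS).items():
        print(ip, info)
```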
Guidelines
You want some basic principles and guidelines in place in the early stages of designing and implementing
a network. Table 1-6 describes such key guidelines.
• Separation of duties: When you place specific individuals into specific roles, there can be checks and balances
in place regarding the implementation of the security policy. Rotating individuals into
different roles periodically will also assist in verifying that vulnerabilities are being
addressed, because a person who moves into a new role will be required to review the
policies in place.
• Auditing: This refers to accounting and keeping records about what is occurring on the network.
Most of this can be automated through the features of authentication, authorization, and
accounting (AAA) (covered later in this book). When events happen on the network, the
records of those events can be sent to an accounting server. When the separation-of-duties
approach is used, those who are making changes on the network should not have direct
access to modify or delete the accounting records that are kept on the accounting server.
Computer and network security is both fascinating and complex. Some of the reasons follow:
1. Security is not as simple as it might first appear to the novice. The requirements seem to be
straightforward; indeed, most of the major requirements for security services can be given self-
explanatory, one-word labels: confidentiality, authentication, nonrepudiation, or integrity. But the
mechanisms used to meet those requirements can be quite complex, and understanding them may
involve rather subtle reasoning.
2. In developing a particular security mechanism or algorithm, one must always consider potential
attacks on those security features. In many cases, successful attacks are designed by looking at the
problem in a completely different way, therefore exploiting an unexpected weakness in the
mechanism.
3. Because of point 2, the procedures used to provide particular services are often counterintuitive.
Typically, a security mechanism is complex, and it is not obvious from the statement of a particular
requirement that such elaborate measures are needed. It is only when the various aspects of the
threat are considered that elaborate security mechanisms make sense.
4. Having designed various security mechanisms, it is necessary to decide where to use them. This is
true both in terms of physical placement (e.g., at what points in a network are certain security
mechanisms needed) and in a logical sense (e.g., at what layer or layers of an architecture such as
TCP/IP [Transmission Control Protocol/Internet Protocol] should mechanisms be placed).
5. Security mechanisms typically involve more than a particular algorithm or protocol. They also
require that participants be in possession of some secret information (e.g., an encryption key),
which raises questions about the creation, distribution, and protection of that secret information.
There also may be a reliance on communications protocols whose behavior may complicate the
task of developing the security mechanism. For example, if the proper functioning of the security
mechanism requires setting time limits on the transit time of a message from sender to receiver,
then any protocol or network that introduces variable, unpredictable delays may render such time
limits meaningless.
6. Computer and network security is essentially a battle of wits between a perpetrator who tries to
find holes and the designer or administrator who tries to close them. The great advantage that the
attacker has is that he or she need only find a single weakness, while the designer must find and
eliminate all weaknesses to achieve perfect security.
7. There is a natural tendency on the part of users and system managers to perceive little benefit from
security investment until a security failure occurs.
8. Security requires regular, even constant, monitoring, and this is difficult in today’s short-term,
overloaded environment.
9. Security is still too often an afterthought to be incorporated into a system after the design is
complete rather than being an integral part of the design process.
10. Many users and even security administrators view strong security as an impediment to efficient and
user-friendly operation of an information system or use of information.