UNIT 2 NETWORK SECURITY AND DATA COMMUNICATIONS


Unit CSEC02: Network Security and Data Communications

QUALIFI Level 5 Extended Diploma in Networking and Cyber Security.


ABOUT THIS WORKBOOK

• The main purpose of this workbook is to support you as you study for the Qualifi Level 4 Diploma in Cybersecurity, so it specifically focuses on the content of the syllabus for the Unit CSEC02: Network Security and Data Communications.

• This workbook provides underpinning knowledge and develops understanding to improve your skills as well as to prepare you for future assessment. If you are studying towards the Qualifi Level 4 Diploma in Cybersecurity then, if you choose to do so, you will be assessed on your knowledge and understanding of the learning outcomes.




LO1: Understand how computers and digital devices communicate with one another over a network.

1.1: Analyse the core vulnerabilities within a network environment and an online environment.

1.2: Explain how the emergence of security thinking and tools can benefit a network environment.


What is a Network?

A network is nothing more than two or more computers connected by a cable (or in some cases, by radio connection) so that they can exchange information (Lowe, Doug. Networking, John Wiley & Sons, Incorporated, 2009). Although complicated, a network adds the following value to our computers:

• Sharing files
• Sharing resources
• Sharing programs


A Basic Network


Network Layers

At the core of network application development is writing programs that run on different end systems and communicate with each other over the network. For example, in the Web application there are two distinct programs that communicate with each other: the browser program running in the user’s host (desktop, laptop, tablet, smartphone, and so on); and the Web server program running in the Web server host.



1. Network Architectures: From the application developer’s perspective, the network architecture is fixed and provides a specific set of services to applications. The application architecture, on the other hand, is designed by the application developer and dictates how the application is structured over the various end systems. In choosing the application architecture, an application developer will likely draw on one of the two predominant architectural paradigms used in modern network applications: the client-server architecture or the peer-to-peer (P2P) architecture.


Network Architectures



2. Processes Communicating

• A process can be thought of as a program that is running within an end system. When processes are running on the same end system, they can communicate with each other with interprocess communication, using rules that are governed by the end system’s operating system.

• Processes on two different end systems communicate with each other by exchanging messages across the computer network. A sending process creates and sends messages into the network; a receiving process receives these messages and possibly responds by sending messages back.


Processes Communicating: Elements

Client and Server Processes

A network application consists of pairs of processes that send messages to each other over a network. For example, in the Web application a client browser process exchanges messages with a Web server process.

The Interface Between the Process and the Computer Network:

Any message sent from one process to another must go through the underlying network. A process sends messages into, and receives messages from, the network through a software interface called a socket.

Addressing Processes:

In order to send postal mail to a particular destination, the destination needs to have an address. Similarly, in order for a process running on one host to send packets to a process running on another host, the receiving process needs to have an address.




3. Transport Services Available to Applications

A socket is the interface between the application process and the transport-layer protocol. The application at the sending side pushes messages through the socket. At the other side of the socket, the transport-layer protocol has the responsibility of getting the messages to the socket of the receiving process. Transport-layer services can be spread among four dimensions:

• Reliable data transfer
• Throughput
• Timing
• Security


• Reliable data transfer: For many applications—such as electronic mail, file transfer, remote host access, Web document transfers, and financial applications—data loss can have devastating consequences. If a protocol provides such a guaranteed data delivery service, it is said to provide reliable data transfer.

• Throughput: The rate at which the sending process can deliver bits to the receiving process. Because other sessions will be sharing the bandwidth along the network path, and because these other sessions will be coming and going, the available throughput can fluctuate with time.

• Timing: A transport-layer protocol can also provide timing guarantees.

• Security: A transport protocol can also provide other security services in addition to confidentiality, including data integrity and end-point authentication.
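As an added example (not from the workbook or its cited texts), a client process and a server process exchanging a message through sockets over TCP on the loopback interface: the server's (host, port) pair is the address the client must know, and the length prefix shows that reliable byte delivery still leaves message framing to the application. All names, addresses and messages are constructed.

```python
import socket
import threading

# Constructed example: two processes (here, two threads) talk only through
# their sockets. TCP gives reliable, in-order byte delivery, but not message
# boundaries, so each message is prefixed with its length.

def frame(message: bytes) -> bytes:
    """Prefix a message with its 4-byte big-endian length."""
    return len(message).to_bytes(4, "big") + message

def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; recv() may legitimately return fewer per call."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf

def recv_message(sock: socket.socket) -> bytes:
    """Read one length-prefixed message from the socket."""
    length = int.from_bytes(recv_exact(sock, 4), "big")
    return recv_exact(sock, length)

def serve_one(listener: socket.socket) -> None:
    """Server process: accept one client, read its message, reply with an upper-cased echo."""
    conn, _peer = listener.accept()
    with conn:
        request = recv_message(conn)
        conn.sendall(frame(b"ECHO: " + request.upper()))

def run_exchange(message: bytes) -> bytes:
    """Client process: connect to the server's address, send one message, return the reply."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5)          # do not hang forever if the client never arrives
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS choose a free port
    listener.listen(1)
    host, port = listener.getsockname()  # the address a client needs to reach this process
    server = threading.Thread(target=serve_one, args=(listener,), daemon=True)
    server.start()
    with socket.create_connection((host, port), timeout=5) as client:
        client.sendall(frame(message))
        reply = recv_message(client)
    server.join()
    listener.close()
    return reply

if __name__ == "__main__":
    print(run_exchange(b"hello from the client process"))
```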


Network Security

Alice wants only Bob to be able to understand a message that she has sent, even though they are communicating over an insecure medium where an intruder (Trudy) may intercept whatever is transmitted from Alice to Bob. They both want to know that:

• Data is genuinely from each other
• Data isn’t getting lost in transit
• Data has not been altered in transit


Network Security

Given these considerations, the following are desirable properties of secure communication.

Confidentiality. Only the sender and intended receiver should be able to understand the contents of the transmitted message.

Message integrity. The content of the communication is not altered, either maliciously or by accident, in transit.

End-point authentication. Both the sender and receiver should be able to confirm the identity of the other party involved in the communication.

Operational security. Almost all organizations (companies, universities, and so on) today have networks that are attached to the public Internet. These networks therefore can potentially be compromised.


Network Security Threats

The Internet has become mission critical for many institutions today, including large and small companies, universities, and government agencies. Many individuals also rely on the Internet for many of their professional, social, and personal activities. Billions of “things,” including wearables and home devices, are currently being connected to the Internet. But behind all this utility and excitement, there is a dark side, a side where “bad guys” attempt to wreak havoc in our daily lives by damaging our Internet-connected computers, violating our privacy, and rendering inoperable the Internet services on which we depend. Let’s survey some of today’s more prevalent security-related problems.


1. Malware in the host computer via the Internet
2. Attack on server and network infrastructure
3. Loss of packets
4. Social engineering attacks


1. Malware in the host computer via the Internet

Malware is malicious software that is unknowingly purchased, downloaded, or installed. The use of malware to exploit network vulnerabilities continues to rise, hitting an all-time high of 812.67 million infected devices in 2018. Much of the malware out there today is self-replicating: once it infects one host, from that host it seeks entry into other hosts over the Internet, and from the newly infected hosts, it seeks entry into yet more hosts. In this manner, self-replicating malware can spread exponentially fast.


Viruses are malware that require some form of user interaction to infect the user’s device. The classic example is an e-mail attachment containing malicious executable code.

Worms are malware that can enter a device without any explicit user interaction. For example, a user may be running a vulnerable network application to which an attacker can send malware.


2. Attack on server and network infrastructure

Another broad class of security threats are known as denial-of-service (DoS) attacks. As the name suggests, a DoS attack renders a network, host, or other piece of infrastructure unusable by legitimate users. Web servers, email servers, DNS servers, and institutional networks can all be subject to DoS attacks. Internet DoS attacks are extremely common, with thousands of DoS attacks occurring every year [Moore 2001]. These attacks fall into three categories:


• Vulnerability attack: This involves sending a few well-crafted messages to a vulnerable application or operating system running on a targeted host. If the right sequence of packets is sent to a vulnerable application or operating system, the service can stop or, worse, the host can crash.

• Bandwidth flooding: The attacker sends a deluge of packets to the targeted host—so many packets that the target’s access link becomes clogged, preventing legitimate packets from reaching the server.

• Connection flooding: The attacker establishes a large number of half-open or fully open TCP connections at the target host. The host can become so bogged down with these bogus connections that it stops accepting legitimate connections.
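An added example (not from the workbook): detection logic for the connection-flooding category above, run over a constructed netstat-style connection table of a web server. Addresses, ports and the thresholds are invented for illustration.

```python
from collections import defaultdict

# Constructed netstat-style connection table (not captured from any real
# system): proto, recv-q, send-q, local address, remote address, state.
# One remote address holds many half-open (SYN_RECV) connections.
SAMPLE_CONNECTIONS = """\
tcp 0 0 10.0.0.5:80 203.0.113.10:51234 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.10:51235 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.44:60012 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.44:60013 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:40001 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:40002 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:40003 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:40004 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:40005 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:40006 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:40007 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:40008 ESTABLISHED
"""

# Half-open states as spelled by Linux and BSD tools respectively.
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RECEIVED"}

def parse_connections(text):
    """Return [(remote_ip, state)] for each TCP row; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        remote, state = parts[4], parts[5]
        ip = remote.rsplit(":", 1)[0]  # strip the port; also works for "[::1]:80"
        rows.append((ip, state))
    return rows

def count_by_source(rows):
    """Per remote address, count half-open and fully open connections."""
    counts = defaultdict(lambda: {"half_open": 0, "open": 0})
    for ip, state in rows:
        key = "half_open" if state in HALF_OPEN_STATES else "open"
        counts[ip][key] += 1
    return dict(counts)

def find_connection_floods(rows, half_open_limit=5, total_limit=50):
    """Sorted remote addresses holding an abnormal number of half-open or total connections.

    The limits are illustrative; a real deployment tunes them to the service's
    normal per-client connection profile.
    """
    flagged = []
    for ip, c in count_by_source(rows).items():
        if c["half_open"] >= half_open_limit or c["half_open"] + c["open"] >= total_limit:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    rows = parse_connections(SAMPLE_CONNECTIONS)
    for ip in find_connection_floods(rows):
        print(ip, count_by_source(rows)[ip])
```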


3. Loss of packets

Many users today access the Internet via wireless devices, such as WiFi-connected laptops or handheld devices with cellular Internet connections. While ubiquitous Internet access is extremely convenient and enables marvellous new applications for mobile users, it also creates a major security vulnerability—by placing a passive receiver in the vicinity of the wireless transmitter, that receiver can obtain a copy of every packet that is transmitted! These packets can contain all kinds of sensitive information, including passwords, social security numbers, trade secrets, and private personal messages. A passive receiver that records a copy of every packet that flies by is called a packet sniffer.


4. Social engineering attacks

Social engineering has become a popular method used by threat actors to easily bypass authentication and authorization security protocols and gain access to a network.


Social Engineering Attacks

The most common types of social engineering attacks include:

● Phishing emails
● Spam
● Spear phishing
● Pharming
● Whaling
● Tailgating
● Vishing
● Shoulder surfing


Reading List

• Morgan, Steve. “Global Cybercrime Damages Predicted to Reach $6 Trillion Annually by 2021.” Cybercrime Magazine, Dec. 7, 2018. https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/

• Truta, Filip, Paul Vallee, Bill Ho, Roy Horev, Richi Jennings, and Michael Vizard. “Average Cost of a Cyberattack Now Exceeds $1 Million, Research Shows.” Security Boulevard, January 17, 2019. https://securityboulevard.com/2019/01/average-cost-of-a-cyberattack-now-exceeds-1-million-research-shows/

• Lowe, Doug. Networking. John Wiley & Sons, Incorporated, 2009. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/lsbuuk/detail.action?docID=477807

• Stallings, William, and Lawrie Brown. Computer Security: Principles and Practice, Global Edition. Pearson Education Limited, 2017. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/lsbuuk/detail.action?docID=5573665

• Stallings, William, and Lawrie Brown. Computer Security: Principles and Practice, Global Edition. Pearson Education Limited, 2015. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/lsbuuk/detail.action?docID=5174367

• Vacca, John R. Cyber Security and IT Infrastructure Protection. Elsevier Science & Technology Books, 2013. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/lsbuuk/detail.action?docID=1377640

• Lowe, Doug (2010). Networking for Dummies. 9th ed. New York: Wiley Publishing Ltd.


LO2: Understand, at a strategic level, how computer networking, web applications and software can be exploited.

2.1: Evaluate the link between network architecture and security engineering concepts.


Security Engineering

Security engineering is about building systems to remain dependable in the face of malice, error, or mischance. As a discipline, it focuses on the tools, processes, and methods needed to design, implement, and test complete systems, and to adapt existing systems as their environment evolves. Security engineering requires cross-disciplinary expertise, ranging from cryptography and computer security through hardware tamper-resistance and formal methods to a knowledge of economics, applied psychology, organizations and the law.


Security Engineering Goals:

– Understand Security Risks
– Establish Security Needs
– Develop Security Guidance
– Determine Acceptable Risks
– Establish Assurance


Security Engineering

Who practices security engineering?

• Developers
• Product vendors
• Integrators
• Buyers
• Security evaluation organizations
• System administrators
• Consulting/service organizations


Organizational Context and Security Policy

The discipline of IT security management has evolved considerably over the last few decades. This has occurred in response to the rapid growth of, and dependence on, networked computer systems and the associated rise in risks to these systems. In the last decade a number of national and international standards have been published. These represent a consensus on the best practice in the field. IT security management functions include:

• determining organizational IT security objectives, strategies, and policies

• determining organizational IT security requirements


• identifying and analysing security threats to IT assets within the organization

• identifying and analysing risks

• specifying appropriate safeguards

• monitoring the implementation and operation of safeguards that are necessary in order to cost effectively protect the information and services within the organization

• developing and implementing a security awareness program

• detecting and reacting to incidents


Organizational Context and Security Policy

The initial step in the IT security management process comprises an examination of the organization’s IT security objectives, strategies, and policies in the context of the organization’s general risk profile. This can only occur in the context of the wider organizational objectives and policies, as part of the management of the organization. Organizational security objectives identify what IT security outcomes should be achieved. They need to address individual rights, legal requirements, and standards imposed on the organization, in support of the overall organizational objectives. Organizational security strategies identify how these objectives can be met.


Organizational Context and Security Policy

The responsibilities of this engineer include:

• Oversight of the IT security management process
• Liaison with senior management on IT security issues
• Maintenance of the organization’s IT security objectives, strategies, and policies
• Coordination of the response to any IT security incidents
• Management of the organization-wide IT security awareness and training programs
• Interaction with IT project security officers


Security Risk Assessment

Given the wide range of organizations, from very small businesses to global multinationals and national governments, there clearly needs to be a range of alternatives available in performing this process. There are a range of formal standards that detail suitable IT security risk assessment processes, including [ISO13335], [ISO27005], and [NIST12]. In particular, [ISO13335] recognizes four approaches to identifying and mitigating risks to an organization’s IT infrastructure:

• Baseline approach
• Informal approach
• Detailed risk analysis
• Combined approach


Security Risk Assessment


Detailed Security Risk Analysis

The formal, detailed security risk analysis approach provides the most accurate evaluation of an organization’s IT system’s security risks, but at the highest cost. The recommended rating it gave for a trusted computer system depended on the difference between the minimum user clearance and the maximum information classification. Specifically, it defined a risk index as:

Risk Index = Max Info Sensitivity - Min User Clearance


Identification of Threats/Risks/Vulnerabilities

The goal of this stage is to identify potentially significant risks to the assets listed. This requires answering the following questions for each asset:

1. Who or what could cause it harm?
2. How could this occur?

Threat Identification

Answering the first of these questions involves identifying potential threats to assets. In the broadest sense, a threat is anything that might hinder or prevent an asset from providing appropriate levels of the key security services: confidentiality, integrity, availability, accountability, authenticity, and reliability.


Vulnerability Identification

Answering the second of the above questions, “How could this occur?”, involves identifying flaws or weaknesses in the organization’s IT systems or processes that could be exploited by a threat source. This will help determine the applicability of the threat to the organization and its significance.

Analyse Risks

Having identified key assets and the likely threats and vulnerabilities they are exposed to, the next step is to determine the level of risk each of these poses to the organization:

Risk = (Probability that threat occurs) * (Cost to organization)

Analyse Existing Controls

Before the likelihood of a threat can be specified, any existing controls used by the organization to attempt to minimize threats need to be identified.


Assessing the level of Risk

Determine Resulting Level of Risk: Once the likelihood and consequence of each specific threat have been identified, a final level of risk can be assigned. This is typically determined using a table that maps these values to a risk level, such as those shown in Table 14.4. This table details the risk level assigned to each combination. Such a table provides the qualitative equivalent of performing the ideal risk calculation using quantitative values. It also indicates the interpretation of these assigned levels.
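An added example (not from the workbook or from Stallings and Brown) that puts the three risk expressions above into code: the ordinal risk index, the probability-times-cost product, and a qualitative likelihood/consequence table used to prioritise an asset register. The ordered scales, the 4x4 matrix and the register are constructed for illustration and are not the textbook's Table 14.4.

```python
# Constructed example: three ways of expressing risk from the text above.

# Ordered sensitivity/clearance scale, lowest first (illustrative labels).
LEVELS = ["unclassified", "confidential", "secret", "top secret"]

def risk_index(max_info_sensitivity, min_user_clearance):
    """Risk Index = Max Info Sensitivity - Min User Clearance, as positions on LEVELS.

    0 means the least-cleared user may already see the most sensitive data;
    a larger gap means the system must enforce a larger separation.
    """
    return LEVELS.index(max_info_sensitivity) - LEVELS.index(min_user_clearance)

def quantitative_risk(probability, cost):
    """Risk = (probability that threat occurs) * (cost to organization)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return probability * cost

# Qualitative rating. The matrix is constructed for this example; an
# organization would calibrate its own table and interpretations.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely"]
CONSEQUENCE = ["minor", "moderate", "major", "catastrophic"]
RISK_MATRIX = [
    # minor      moderate   major      catastrophic
    ["low",      "low",     "medium",  "high"],     # rare
    ["low",      "medium",  "medium",  "high"],     # unlikely
    ["medium",   "medium",  "high",    "extreme"],  # possible
    ["medium",   "high",    "extreme", "extreme"],  # likely
]
SEVERITY = {"low": 0, "medium": 1, "high": 2, "extreme": 3}

def qualitative_risk(likelihood, consequence):
    """Look up the risk level for a likelihood/consequence pair."""
    return RISK_MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]

def prioritise(register):
    """Rate each (asset, threat, likelihood, consequence) entry; worst first.

    Python's sort is stable, so entries with equal levels keep register order.
    """
    rated = [(asset, threat, qualitative_risk(lik, con)) for asset, threat, lik, con in register]
    return sorted(rated, key=lambda r: SEVERITY[r[2]], reverse=True)

# Constructed register, with likelihoods already adjusted for existing controls.
REGISTER = [
    ("payroll database", "credential theft", "possible", "major"),
    ("public web site", "defacement", "likely", "moderate"),
    ("staff laptops", "loss in transit", "unlikely", "moderate"),
    ("reception PC", "unattended logged-on session", "likely", "minor"),
]

if __name__ == "__main__":
    print("risk index:", risk_index("top secret", "unclassified"))
    print("annualised loss:", quantitative_risk(0.1, 50_000))
    for asset, threat, level in prioritise(REGISTER):
        print(f"{level:8} {asset}: {threat}")
```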


Assessing the level of Risk


Security Engineering Risk Management

• Risk acceptance: Choosing to accept a risk level greater than normal for business reasons. This is typically due to excessive cost or time needed to treat the

• Risk avoidance: Not proceeding with the activity or system that creates this risk. This usually results in loss of convenience or ability to perform some function that is useful to the organization. The loss of this capability is traded off against the reduced risk profile.

• Risk transfer: Sharing responsibility for the risk with a third party. This is typically achieved by taking out insurance against the risk occurring, by entering into a contract with another organization, or by using partnership or joint venture structures to share the risks and costs should the threat eventuate.


Security Engineering Risk Management

• Reduce consequence: By modifying the structure or use of the assets at risk to reduce the impact on the organization should the risk occur. This could be achieved by implementing controls to enable the organization to quickly recover should the risk occur. Examples include implementing an off-site backup process, developing a disaster recovery plan, or arranging for data and processing to be replicated over multiple sites.

• Reduce likelihood: By implementing suitable controls to lower the chance of the vulnerability being exploited. These could include technical or administrative controls such as deploying firewalls and access tokens, or procedures such as password complexity and change policies. Such controls aim to improve the security of the asset, making it harder for an attack to succeed by reducing the vulnerability of the asset.




LO3: Understand methods of security prevention and systems hardening.

• 3.1: Evaluate internal risks and exposure.

• 3.2: Evaluate available process and physical defences against malicious network intrusions.


Importance of Network Security

➢ Even in the friendliest office environment, some information is and should be confidential. If this information is stored on the network, it should be stored in a directory that’s available only to authorized users.

➢ Not all security breaches are malicious. A network user may be routinely scanning through his or her files and come across a filename that isn’t familiar. The user may then call up the file, only to discover that it contains confidential personnel information, juicy office gossip, or someone’s résumé. Curiosity, rather than malice, is often the source of security breaches.


Why Network Security?

➢ Sure, everyone at the office is trustworthy now. However, what if someone becomes disgruntled, a screw pops loose, and he or she decides to trash the network files before jumping out the window? What if someone decides to print a few $1,000 checks before packing off to Tahiti? Sometimes the mere opportunity for fraud or theft can be too much for some people to resist. Give people free access to the payroll files, and they may decide to vote themselves a raise when no one is looking.

➢ Even though it is thought that the network doesn’t contain any data that’s worth stealing, think again. For example, someone’s personnel records probably contain more than enough information for an identity thief: names, addresses, phone numbers, social security numbers, and so on. Also, customer files may contain their credit card numbers.

➢ Hackers who break into the network may be looking to plant a Trojan horse program on the server, which enables them to use the server for their own purposes. For example, someone may use the server to send thousands of unsolicited spam email messages. The spam won’t be traced back to the hackers; it’ll be traced back to the host computer.

➢ Not everyone on the network knows enough about how Windows and the network work to be trusted with full access to the network’s data and systems. A careless mouse click can wipe out a directory of network files. One of the best reasons for activating the network’s security features is to protect the network from mistakes made by users who don’t know what they’re doing.


Intruders

One of the key threats to security is the use of some form of hacking by an intruder, often referred to as a hacker or cracker. Verizon [VERI16] indicates that 92% of the breaches they investigated were by outsiders, with 14% by insiders, and with some breaches involving both outsiders and insiders. They also noted that insiders were responsible for a small number of very large dataset compromises. Both Symantec [SYMA16] and Verizon [VERI16] also comment that not only is there a general increase in malicious hacking activity, but also an increase in attacks specifically targeted at individuals in organizations and the IT systems they use. This trend emphasizes the need to use defence-in-depth strategies, since such targeted attacks may be designed to bypass perimeter defences such as firewalls and network-based intrusion detection systems (IDSs).


Types of Intruders

• Cyber criminals: Are either individuals or members of an organized crime group with a goal of financial reward. To achieve this, their activities may include identity theft, theft of financial credentials, corporate espionage, data theft, or data ransoming. Typically, they are young, often Eastern Europeans.

• Activists: Are either individuals working as insiders, or members of a larger group of outsider attackers, who are motivated by social or political causes. They are also known as hacktivists, and their skill level may be quite low. The aim of their attacks is often to promote and publicize their cause, typically through website defacement, denial of service attacks, or the theft and distribution of data that results in negative publicity or compromise of their targets. Well-known recent examples include the activities of the groups Anonymous and LulzSec, and the actions of Chelsea (born Bradley) Manning and Edward Snowden.

• State-sponsored organizations: Are groups of hackers sponsored by governments to conduct espionage or sabotage activities. They are also known as Advanced Persistent Threats (APTs), due to the covert nature and persistence over extended periods involved with many attacks in this class. Recent reports such as [MAND13], and information revealed by Edward Snowden, indicate the widespread nature and scope of these activities by a wide range of countries from China and Russia to the USA, UK, and their intelligence allies.

• Others: Are hackers with motivations other than those listed above, including classic hackers or crackers who are motivated by technical challenge or by peer-group esteem and reputation. Many of those responsible for discovering new categories of buffer overflow vulnerabilities [MEER10] could be regarded as members of this class. In addition, given the wide availability of attack toolkits, there is a pool of “hobby hackers” using them to explore system and network security, who could potentially become recruits for the above classes.


What is Intrusion?

The following terms are relevant to our discussion:

Security intrusion: Unauthorized act of bypassing the security mechanisms of a system.

Intrusion detection: A hardware or software function that gathers and analyses information from various areas within a computer or a network to identify possible security intrusions.


Intrusion Detection System

An Intrusion Detection System comprises three logical components:

1. Sensors: Sensors are responsible for collecting data. The input for a sensor may be any part of a system that could contain evidence of an intrusion. Types of input to a sensor includes network packets, log files, and system call traces. Sensors collect and forward this information to the analyser.


2. Analysers: Analysers receive input from one or more sensors or from other analysers. The analyser is responsible for determining if an intrusion has occurred. The output of this component is an indication that an intrusion has occurred. The output may include evidence supporting the conclusion that an intrusion occurred. The analyser may provide guidance about what actions to take as a result of the intrusion. The sensor inputs may also be stored for future analysis and review in a storage or database component.



3. User interface: The user interface to an IDS enables a user to view output from the system or control the behavior of the system. In some systems, the user interface may equate to a manager, director, or console component.

An IDS may use a single sensor and analyzer, such as a classic HIDS on a host or NIDS in a firewall device. More sophisticated IDSs can use multiple sensors, across a range of host and network devices, sending information to a centralized analyzer and user interface in a distributed architecture.


IDSs are often classified based on the source and type of data analyzed, as:

• Host-based IDS (HIDS): Monitors the characteristics of a single host and the events occurring within that host, such as process identifiers and the system calls they make, for evidence of suspicious activity.

• Network-based IDS (NIDS): Monitors network traffic for particular network segments or devices and analyses network, transport, and application protocols to identify suspicious activity.

• Distributed or hybrid IDS: Combines information from a number of sensors, often both host and network-based, in a central analyser that is able to better identify and respond to intrusion activity.


ANALYSIS APPROACHES TO DETECT INTRUSION

IDSs typically use one of the following alternative approaches to analyse sensor data to detect intrusions:

1. Anomaly detection: Involves the collection of data relating to the behaviour of legitimate users over a period of time. Then, current observed behaviour is analysed to determine with a high level of confidence whether this behaviour is that of a legitimate user or alternatively that of an intruder.


ANALYSIS APPROACHES TO DETECT INTRUSION

2. Signature or heuristic detection: Uses a set of known malicious data patterns (signatures) or attack rules (heuristics) that are compared with current behaviour to decide if it is that of an intruder. It is also known as misuse detection. This approach can only identify known attacks for which it has patterns or rules.

In essence, anomaly approaches aim to define normal, or expected, behaviour, in order to identify malicious or unauthorized behaviour. Signature or heuristic-based approaches directly define malicious or unauthorized behaviour. They can quickly and efficiently identify known attacks. However, only anomaly detection is able to detect unknown, zero-day attacks, as it starts with known good behaviour and identifies
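An added example (not from the workbook) that runs both analysis approaches over constructed sshd-style log lines: the signature rules catch only the patterns they were written for, while a baseline learned from earlier logins flags a login at an unusual hour from an unseen source that no signature describes. Hostnames, users, addresses and the rules themselves are invented.

```python
import re
from collections import defaultdict

# Constructed sshd-style log lines (not from any real system). The first set
# is a training window of known-good activity; the second is what the sensor
# observes later.
BASELINE_LINES = [
    "Mar 10 09:02:11 host1 sshd[1201]: Accepted password for alice from 10.0.0.21 port 50212 ssh2",
    "Mar 10 10:41:53 host1 sshd[1233]: Accepted password for alice from 10.0.0.21 port 50390 ssh2",
    "Mar 10 14:20:07 host1 sshd[1302]: Accepted password for alice from 10.0.0.21 port 51002 ssh2",
    "Mar 10 08:15:30 host1 sshd[1190]: Accepted publickey for bob from 10.0.0.30 port 49800 ssh2",
    "Mar 10 17:55:44 host1 sshd[1410]: Accepted publickey for bob from 10.0.0.30 port 49911 ssh2",
]
OBSERVED_LINES = [
    "Mar 11 09:05:18 host1 sshd[2101]: Accepted password for alice from 10.0.0.21 port 50222 ssh2",
    "Mar 11 08:10:02 host1 sshd[2120]: Accepted publickey for bob from 10.0.0.30 port 49820 ssh2",
    "Mar 11 03:12:05 host1 sshd[2210]: Accepted password for alice from 198.51.100.3 port 51000 ssh2",
    "Mar 11 03:13:40 host1 sshd[2215]: Failed password for invalid user admin from 203.0.113.9 port 40011 ssh2",
]

LOG_RE = re.compile(r"^\w{3} +\d+ (\d\d):\d\d:\d\d \S+ sshd\[\d+\]: (.*)$")
ACCEPTED_RE = re.compile(r"^Accepted \w+ for (\S+) from (\S+) port \d+")

# Signature (misuse) detection: a fixed set of known-bad patterns.
SIGNATURES = {
    "login attempt for non-existent account": re.compile(r"Failed password for invalid user"),
    "direct root login": re.compile(r"Accepted \w+ for root from"),
}

def parse_login(line):
    """Return (hour, user, source_ip) for a successful-login line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hour, message = int(m.group(1)), m.group(2)
    a = ACCEPTED_RE.match(message)
    if not a:
        return None
    return hour, a.group(1), a.group(2)

def signature_detect(lines):
    """Flag every line matching a known signature; anything unlisted is invisible here."""
    alerts = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((name, line))
    return alerts

class LoginBaseline:
    """Anomaly detection: learn each user's usual hours and sources, then flag deviations."""

    def __init__(self):
        self.hours = defaultdict(set)
        self.sources = defaultdict(set)

    def train(self, lines):
        for line in lines:
            login = parse_login(line)
            if login:
                hour, user, src = login
                self.hours[user].add(hour)
                self.sources[user].add(src)

    def anomalies(self, lines):
        alerts = []
        for line in lines:
            login = parse_login(line)
            if not login:
                continue  # this toy model profiles successful logins only
            hour, user, src = login
            reasons = []
            if user not in self.hours:
                reasons.append("user never seen in baseline")
            else:
                if hour not in self.hours[user]:
                    reasons.append(f"unusual hour {hour:02d}")
                if src not in self.sources[user]:
                    reasons.append(f"new source {src}")
            if reasons:
                alerts.append((user, reasons, line))
        return alerts

def run_both():
    """Return (signature alerts, anomaly alerts) for the observed window."""
    baseline = LoginBaseline()
    baseline.train(BASELINE_LINES)
    return signature_detect(OBSERVED_LINES), baseline.anomalies(OBSERVED_LINES)

if __name__ == "__main__":
    sig, anom = run_both()
    print("signature:", [name for name, _ in sig])
    print("anomaly:", [(user, reasons) for user, reasons, _ in anom])
```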


HOST-BASED INTRUSION DETECTION

• Host-based IDSs (HIDSs) add a specialized layer of security software to vulnerable or sensitive systems, such as database servers and administrative systems. The HIDS monitors activity on the system in a variety of ways to detect suspicious behavior. In some cases, an IDS can halt an attack before any damage is done, as we will discuss in Section 9.6, but its main purpose is to detect intrusions, log suspicious events, and send alerts.


HOST-BASED INTRUSION DETECTION

• The primary benefit of a HIDS is that it can detect both external and internal intrusions, something that is not possible either with network-based IDSs or firewalls. As we discussed in the previous section, host-based IDSs can use either anomaly or signature and heuristic approaches to detect unauthorized behaviour on the monitored host. We now review some common data sources and sensors used in HIDS, continue with a discussion of how the anomaly, signature and heuristic approaches are used in HIDS, then consider distributed HIDS.


Architecture for Distributed Intrusion Detection


Network Security

Two Approaches to Security

When planning how to implement security on your network, first consider which of two basic approaches to security you’ll take:

✓ An open-door type of security, in which you grant everyone access to everything by default and then place restrictions just on those resources to which you want to limit access.

✓ A closed-door type of security, in which you begin by denying access to everything and then grant specific users access to the specific resources that they need.

In most cases, the open-door policy is easier to implement. Typically, only a small portion of the data on a network really needs security, such as confidential employee records, or secrets, such as the Coke recipe. The rest of the information on a network can be safely made available to everyone who can access the network.


Physical Security: Locking Doors

The first level of security in any computer network is physical security.

For example, a computer at the reception desk of an accounting firm is left unattended. Often, the receptionist has logged on to the system and the

Client computers should be physically secure:

✓ Instruct users to not leave their computers unattended while they’re logged on.

✓ In high-traffic areas (such as the receptionist’s desk), users should secure their computers with the keylock, if the computer has one.

✓ Users should lock their office doors when they leave.


Physical Security: Locking Doors

Physical security is important for workstations but vital for servers. Any good hacker can quickly defeat all but the most paranoid security measures if they can gain physical access to a server. To protect the server, follow these guidelines:

✓ Lock the computer room.

✓ Give the key only to people you trust.

✓ Keep track of who has the keys.

✓ Mount the servers on cases or racks that have locks.

✓ Disable the floppy drive on the server. A common hacking technique is to boot the server from a floppy, thus bypassing the security features of the network operating system.


Physical Security: Locking Doors

Here are some other threats to physical security that could be considered:

✓ The nightly cleaning crew usually has access to the whole facility. One of them might have a day job with competitors.

✓ For the best security, every piece of paper that leaves your building via the trash bin should first go through a shredder.

✓ Store the backup tapes securely in a fireproof safe and keep a copy off-site, too.

✓ Every unused port on a hub or a switch represents an open door to your network. The hubs and switches should be secured just like the servers.


Securing User Accounts

Next to physical security, the careful use of user accounts is the most important type of security for the network. Properly configured user accounts can prevent unauthorized users from accessing the network, even if they gain physical access to the network. The following sections describe some of the steps to strengthen the network’s use of user accounts.

Obfuscating your usernames

Most network administrators assign usernames based on some combination of the user’s first and last name, such as BarnyM or baMiller. However, a hacker can easily guess such a user ID if he or she knows the name of at least one employee. After the hacker knows a username, he or she can focus on breaking the password. A hacker can be slowed down by using usernames that are more obscure.


Securing User Accounts

Using passwords wisely

One of the most important aspects of network security is the use of passwords. Usernames aren’t usually considered secret. Even if obscure names are used, casual hackers can eventually figure them out. Passwords, on the other hand, are top secret. The network password is the one thing that keeps an impostor from logging on to the network by using the username and therefore receiving the same access rights that someone ordinarily has. Protection of the password is vitally important.


Securing User Accounts

Secure the Administrator account

It stands to reason that at least one network user must have the authority to use the network without any of the restrictions imposed on other users. This user is the administrator. The administrator is responsible for setting up different user accounts. To do that, the administrator must be exempt from all security restrictions. Many networks automatically create an administrator user account when you install the network software. The username and password for this initial administrator are published in the network’s documentation and are the same for all networks that use the same network operating system.


Managing User Security

User accounts are the backbone of network security administration. Through the use of user accounts, the administrator can determine who can access the network as well as what network resources each user can and can’t access. Access to the network can be restricted to specific computers or to certain hours of the day. In addition, users who no longer need access to the network can be locked out.


Basics of Setting up Security Networks

The following sections describe the basics of setting up user security for the network.

User accounts

Every user who accesses a network must have a user account. User accounts allow the network administrator to determine who can access the network and what network resources each user can access. In addition, the user account can be customized to provide many convenience features for users, such as a personalized Start menu or a display of recently used documents.


Basics of Setting up Security Networks

Built-in accounts

Most network operating systems come preconfigured with two built-in accounts, Administrator and Guest. In addition, some server services, such as Web or database servers, create their own user accounts under which to run.

User rights

User accounts and passwords are the front line of defense in the game of network security. After a user accesses the network by typing a valid user ID and password, the second line of security defense — rights — comes into play.


Basics of Setting up Security Networks

Permissions (who gets what)

User rights control what a user can do on a network-wide basis. Permissions enable you to fine-tune your network security by controlling access to specific network resources, such as files or printers, for individual users or groups. For example, you can set up permissions to allow users in the accounting department to access files in the server’s \ACCTG directory. Permissions can also enable some users to read certain files but not modify or delete them.


Basics of Setting up Security Networks

Group accounts

A group account is an account that doesn’t represent an individual user. Instead, it represents a group of users who use the network in a similar way. Instead of granting access rights to each of these users individually, rights can be assigned to the group and individual users then assigned to the group.

User profiles

User profiles are a Windows feature that keeps track of an individual user’s preferences for his or her Windows configuration. For a non-networked computer, profiles enable two or more users to use the same computer, each with his or her own desktop settings, such as wallpaper, colors, Start menu options, and so on.
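The open-door and closed-door approaches from the Two Approaches to Security slide, applied to the group accounts and \ACCTG-style directory permissions described above, can be compared side by side. This is an added example written for this section, not code from the book or the workbook; the users, groups, share names and grants are constructed for the illustration.

```python
# Constructed example: hypothetical users, groups and shares in the book's
# \ACCTG naming style; not the workbook's own code.

# Group accounts: a group stands for users who use the network in a similar way.
GROUPS = {
    "accounting": {"bmiller", "jsmith"},
    "admins": {"admin1"},
}

# Closed-door policy: explicit grants only. (group, directory) -> operations.
GRANTS = {
    ("accounting", r"\ACCTG"): {"read"},
    ("admins", r"\ACCTG"): {"read", "write", "delete"},
    ("admins", r"\PAYROLL"): {"read", "write", "delete"},
}

# Open-door policy: everything is allowed unless a directory is listed here,
# in which case only the named groups may use it.
RESTRICTED = {
    r"\PAYROLL": {"admins"},
}

def groups_of(user):
    """Groups the user belongs to (rights are assigned to groups, not users)."""
    return {g for g, members in GROUPS.items() if user in members}

def covers(directory, resource):
    """A grant or restriction on \\ACCTG also applies to \\ACCTG\\2024 and deeper."""
    return resource == directory or resource.startswith(directory + "\\")

def closed_door(user, resource, operation):
    """Deny by default; allow only through an explicit grant to one of the user's groups."""
    mine = groups_of(user)
    return any(
        group in mine and covers(directory, resource) and operation in ops
        for (group, directory), ops in GRANTS.items()
    )

def open_door(user, resource, operation):
    """Allow by default; check membership only for directories someone remembered to restrict."""
    for directory, allowed_groups in RESTRICTED.items():
        if covers(directory, resource):
            return bool(groups_of(user) & allowed_groups)
    return True  # the operation never matters here: unlisted resources are wide open

def compare(user, resource, operation):
    """Answer from both policies for the same request, side by side."""
    return {"open_door": open_door(user, resource, operation),
            "closed_door": closed_door(user, resource, operation)}
```

The interesting cases are the ones nobody configured: a share created after the policy was written (`\NEWSHARE`) and a delete on `\ACCTG`. Under the open-door policy both are allowed to any account, including a guest, because no restriction lists them; under the closed-door policy both are denied until someone adds a grant. That is the cost the text is pointing at when it says the open-door policy is easier to implement.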


Hardening of Network

Most networks are connected to the Internet so that the network’s users can get out to the Internet. However, the Internet connection is a two-way street. Not only does it enable the network’s users to step outside the bounds of the network to access the Internet, but it also enables others to step in and access the network. There are three basic techniques for securing the network’s Internet connection: controlling access via a firewall, detecting viruses with antivirus software, and fixing security flaws with software patches.


Hardening of Network

Firewalls

A firewall is a security-conscious router that sits between the Internet and the network with a single-minded task: preventing them from getting to us. The firewall acts as a security guard between the Internet and the local-area network (LAN). All network traffic into and out of the LAN must pass through the firewall, which prevents unauthorized access to the network.


Hardening of Network

Antivirus programs

The best way to protect a network from virus infection is to use an antivirus program. These programs have a catalogue of several thousand known viruses that they can detect and remove. In addition, they can spot the types of changes that viruses typically make to a computer’s files, thus decreasing the likelihood that some previously unknown virus will go undetected.


Patching Things Up

Hardening of Network

One of the annoyances that every network manager faces is applying software patches to keep the operating system and other software up to date. A software patch is a minor update that fixes the small glitches that crop up from time to time, such as minor security or performance issues. These glitches aren’t significant enough to merit a new version of the software, but they’re important enough to require fixing. Most of the patches correct security flaws that computer hackers have uncovered in their relentless attempts to prove that they are smarter than the security programmers at Microsoft or Novell.


Safe computing

Hardening of Network

Besides using an antivirus program, users can take a few additional precautions to ensure virus-free computing. System administrators should keep users informed about safe computing practices; users who take these extra measures help prevent the system from becoming infected.

✓ Regular data backups come in handy in case of a malicious infection, as the data may otherwise be permanently lost.


Hardening of Network

Virtual private network (VPN)

VPN tools are used to authenticate communication between secure networks and an endpoint device. Remote-access VPNs generally use IPsec or Secure Sockets Layer (SSL) for authentication, creating an encrypted line to block other parties from eavesdropping.

Web security

Including tools, hardware, policies and more, web security is a blanket term to describe the network security measures businesses take to ensure safe web use when connected to an internal network. This helps prevent web-based threats from using browsers as access points to get into the network.

Wireless security

Generally speaking, wireless networks are less secure than traditional networks. Thus, strict wireless security measures are necessary to ensure that threat actors aren’t gaining access.


Reading List

• Morgan, Steve. “Global Cybercrime Damages Predicted to Reach $6 Trillion Annually by 2021.” Cybercrime Magazine. Dec. 7, 2018. https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/.

• Truta, Filip, Paul Vallee, Bill Ho, Roy Horev, Richi Jennings, and Michael Vizard. “Average Cost of a Cyberattack Now Exceeds $1 Million, Research Shows.” Security Boulevard. January 17, 2019. https://securityboulevard.com/2019/01/average-cost-of-a-cyberattack-now-exceeds-1-million-research-shows/.

• Lowe, Doug, and Lowe. Networking, John Wiley & Sons, Incorporated, 2009. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/lsbuuk/detail.action?docID=477807.

• Stallings, William, and Lawrie Brown. Computer Security: Principles and Practice, Global Edition, Pearson Education Limited, 2017. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/lsbuuk/detail.action?docID=5573665.

• Stallings, William, and Lawrie Brown. Computer Security: Principles and Practice, Global Edition, Pearson Education Limited, 2015. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/lsbuuk/detail.action?docID=5174367.

• Vacca, John R. Cyber Security and IT Infrastructure Protection, Elsevier Science & Technology Books, 2013. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/lsbuuk/detail.action?docID=1377640.

• Lowe, Doug (2010) Networking for Dummies. 9th Ed. New York: Wiley Publishing LTD


LO4 Understand key network security and systems resilience tools, terminology and models.

4.1: Explain how key security concepts can be applied in a large and distributed organisation.

4.2: Assess how key factors are applied to enhance and embed an holistic approach to network and systems resilience.


The Importance of Network Security and Resiliency

• Network security has filtered to the top of the list of business goals at many companies. Although security was always important, it has become even more important as networks become indispensable and as tools for breaking into networks become ubiquitous.

• Enterprises must protect their networks from both the unsophisticated “script kiddies” and from more advanced attacks launched by criminals or political enemies. There is also a continued requirement to protect networks from Trojan horses and viruses.


The Importance of Network Security and Resiliency

Many enterprise managers now report that the network must be available 99.999 percent of the time.

Although this goal might not be achievable without expensive redundancy in staff and equipment, it might be a reasonable goal for companies that would experience a severe loss of revenue or credibility if the network were down for even short periods of time.


The Importance of Network Security and Resiliency

When security and operational problems occur, networks must recover quickly.

Networks must be resilient. More than ever, IT and business managers require high-availability and resiliency features for their network equipment and protocols, as they realize the extent to which network downtime can jeopardize business success.


The Importance of Network Security and Resiliency

In the current business environment, security and disaster recovery should be considered with every network design choice, and the network designer must propose solutions that provide resiliency and stability. A systematic and modular design process, as taught in this book, is even more important than it once was, as networks become increasingly more complex and vital to an organization’s success.


RESILIENCY GOALS

System resiliency, like security, is a concern at multiple levels in an organization. The four system resiliency goals, which are common to many resilience definitions, are included in the definition and the conceptual framework to provide linkage between risk management decisions at the mission/business process level and at the system level with those at the organizational level.


Organizational risk management strategies

Organizational risk management strategies can use the network resiliency goals and associated strategies to incorporate resiliency:

1. Anticipate: Maintain a state of informed preparedness for adversity.

2. Withstand: Continue essential mission or business functions despite adversity.

3. Recover: Restore mission or business functions during and after adversity.

4. Adapt: Modify mission or business functions and/or supporting capabilities to predicted changes in the technical, operational, or threat environments.


NETWORK RESILIENCY TECHNIQUES AND APPROACHES

Adaptive Response: Implement agile courses of action to manage risks;

Analytic Monitoring: Monitor and analyse a wide range of properties and behaviours on an ongoing basis and in a coordinated way;

Contextual Awareness: Construct and maintain current representations of the posture of missions or business functions considering threat events and courses of action;

Coordinated Protection: Ensure that protection mechanisms operate in a coordinated and effective manner;


NETWORK RESILIENCY TECHNIQUES AND APPROACHES

Deception: Mislead, confuse, hide critical assets from, or expose covertly tainted assets to the adversary;

Diversity: Use heterogeneity to minimize common mode failures, particularly threat events exploiting common vulnerabilities;

Dynamic Positioning: Distribute and dynamically relocate functionality or system resources;

Non-Persistence: Generate and retain resources as needed or for a limited time;


NETWORK RESILIENCY TECHNIQUES AND APPROACHES

Privilege Restriction: Restrict privileges based on attributes of users and system elements as well as on environmental factors;

Realignment: Align system resources with current organizational mission or business function needs to reduce risk;

Redundancy: Provide multiple protected instances of critical resources;


NETWORK RESILIENCY TECHNIQUES AND APPROACHES

• Segmentation: Define and separate system elements based on criticality and trustworthiness;

• Substantiated Integrity: Ascertain whether critical system elements have been corrupted; and

• Unpredictability: Make changes randomly or unpredictably.


SYSTEM RESILIENCY IN PRACTICE

1 SELECTING AND PRIORITIZING CYBER RESILIENCY CONSTRUCTS

The variety of concerns, technologies, and practices related to network resiliency results in an extensive framework for network resiliency engineering. For example, the engineering framework identifies fourteen system resiliency techniques and nearly fifty cyber resiliency implementation approaches.


SYSTEM RESILIENCY IN PRACTICE

2 ANALYTIC PRACTICES AND PROCESSES

In the context of systems security engineering, resiliency analysis is intended to determine whether the resiliency properties and behaviours of a system-of-interest, regardless of its system life cycle stage, are sufficient for the organization using that system to meet its mission assurance, business continuity, or other security requirements in a threat environment that includes the APT.


Disaster recovery

Network services are critical to ensuring uninterrupted internal and external communication and data sharing within an organization. A network infrastructure can be disrupted by any number of disasters, including fire, flood, earthquake, hurricane, carrier issues, hardware or software malfunction or failure, human error, and cybersecurity incidents and attacks.


Disaster recovery

Any interruption of network services can affect an organization's ability to access, collect or use data and communicate with staff, partners and customers. Interruptions put business continuity (BC) and data at risk and can result in huge customer service and public relations problems. A contingency plan for dealing with any sort of network interruption is vital to an organization's survival. Below are a few recovery tools:

1. Backing up Data

2. Backup Software


Backing Up Data

Having data backed up is the cornerstone of any disaster recovery plan. Without backups, a simple hard drive failure can set your company back days or even weeks while it tries to reconstruct lost data. In fact, without backups, your company’s very existence is in jeopardy.

The main goal of backups is simple: Keep a spare copy of your network’s critical data so that, no matter what happens, you never lose more than one day’s work. The stock market may crash, hanging chads may factor into another presidential election, and George Lucas may decide to make a preprequel. However, you never lose more than one day’s work if you stay on top of your backups.


Backup Software

All versions of Windows come with a built-in backup program. In addition, most tape drives come with backup programs that are often faster or more flexible than the standard Windows backup. You can also purchase sophisticated backup programs that are specially designed for networks that have multiple servers with data that must be backed up. For a basic Windows file server, you can use the backup program that comes with Windows Server. Server versions of Windows come with a decent backup program that can run scheduled, unattended tape backups.


Types of Backups

The differences among the five types of backup involve a little technical detail known as the archive bit. The archive bit indicates whether a file has been modified since the last time it was backed up. The archive bit is a little flag that’s stored along with the filename, creation date, and other directory information. Any time that a program modifies a file, the archive bit is set to the On position. That way, backup programs know that the file has been modified and needs to be backed up.


Types of Backups

The following are the types of backups:

1. Copy backup

2. Daily backup

3. Incremental backup

4. Differential backup

5. Normal backup
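The archive bit mechanism described above can be simulated to see how the five types differ in what they select and in what a restore later needs. This is an added example written for this section, not code from the workbook. The selection rule and bit-clearing behaviour per type follow the standard Windows Backup semantics, which the text does not spell out and which are stated here as an assumption: normal and copy take every file, incremental and differential take files whose archive bit is set, daily takes files modified that day, and only normal and incremental clear the bit. The three files and the editing pattern are constructed.

```python
from dataclasses import dataclass

@dataclass
class File:
    name: str
    modified_day: int       # day number of the last write
    version: int = 1        # content version, so a restore can be checked
    archive: bool = True    # the archive bit: set by the OS on every write

def make_files():
    # Constructed sample data set: three files created on day 0, never backed up.
    return [File("a", 0), File("b", 0), File("c", 0)]

def write_file(f, day):
    """A program modifies the file: new content version, archive bit set to On."""
    f.modified_day = day
    f.version += 1
    f.archive = True

# (selection rule, clears the archive bit?) per backup type; assumed standard
# Windows Backup semantics, not stated on the page.
BACKUP_TYPES = {
    "normal":       (lambda f, today: True,                    True),
    "copy":         (lambda f, today: True,                    False),
    "incremental":  (lambda f, today: f.archive,               True),
    "differential": (lambda f, today: f.archive,               False),
    "daily":        (lambda f, today: f.modified_day == today, False),
}

def run_backup(kind, files, today):
    """Return {name: version} written to the backup set; clear bits if the type does."""
    select, clears_bit = BACKUP_TYPES[kind]
    chosen = [f for f in files if select(f, today)]
    if clears_bit:
        for f in chosen:
            f.archive = False
    return {f.name: f.version for f in chosen}

def simulate_week(kind):
    """Normal backup on day 0, then one `kind` backup after each day's edits.
    Returns (backup sets by day, current file versions)."""
    files = make_files()
    by_name = {f.name: f for f in files}
    backups = {0: run_backup("normal", files, 0)}
    edits = {1: ["a"], 2: ["b"], 3: ["a"]}          # constructed editing pattern
    for day, names in edits.items():
        for n in names:
            write_file(by_name[n], day)
        backups[day] = run_backup(kind, files, day)
    current = {f.name: f.version for f in files}
    return backups, current

def restore(backups, days):
    """Replay the chosen backup sets oldest first; later sets overwrite earlier ones."""
    restored = {}
    for day in sorted(days):
        restored.update(backups[day])
    return restored

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        backups, current = simulate_week(kind)
        print(kind, backups, "current:", current)
```

With the same edits, the incremental sets stay small (`{a}`, `{b}`, `{a}`) but restoring needs the normal set plus every incremental since; skipping day 2 silently leaves file b at its old version. The differential sets grow (`{a}`, `{a,b}`, `{a,b}`) because the bit is never cleared, and in return the normal set plus the latest differential is enough. A copy backup taken in between disturbs neither schedule, which is why it exists.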


Data Protection in the Cloud

There are many ways to compromise data. Deletion or alteration of records without a backup of the original content is an obvious example. Unlinking a record from a larger context may render it unrecoverable, as can storage on unreliable media. Loss of an encoding key may result in effective destruction. Finally, unauthorized parties must be prevented from gaining access to sensitive data. The threat of data compromise increases in the cloud, due to the number of, and interactions between, risks and challenges that are either unique to the cloud or more dangerous because of the architectural or operational characteristics of the cloud environment.


Data Protection in the Cloud Business continuity and disaster recovery comprise measures and mechanisms to ensure operational resiliency in the event of any service interruptions. This is an area where the CSP, because of economies of scale, can offer obvious benefits to a cloud service client. The CSP can provide backup at multiple locations, with reliable failover and disaster recovery facilities. This service must include a flexible infrastructure, redundancy of functions and hardware, monitored operations, geographically distributed data centers, and network survivability.


Data Protection in the Cloud

Network security consists of security services that allocate access, distribute, monitor, and protect the underlying resource services. Services include perimeter and server firewalls and denial-of-service protection. Many of the other services listed in this section, including intrusion management, identity and access management, data loss protection, and Web security, also contribute to the network security service.


Security Modules

The security module for OpenStack is Keystone. Keystone provides the shared security services essential for a functioning cloud computing infrastructure. It provides the following main services:

• Identity: This is user information authentication. This information defines a user’s role and permissions within a project, and is the basis for a role-based access control (RBAC) mechanism. Keystone supports multiple methods of authentication, including user name and password, Lightweight Directory Access Protocol (LDAP), and a means of configuring external authentication methods supplied by the CSC.

• Token: After authentication, a token is assigned and used for access control. OpenStack services retain tokens and use them to query Keystone during operations.


Security Modules

• Service catalogue: OpenStack service endpoints are registered with Keystone to create a service catalogue. A client for a service connects to Keystone and determines an endpoint to call based on the returned catalogue.

• Policies: This service enforces different user access levels. Each OpenStack service defines the access policies for its resources in an associated policy file. A resource, for example, could be API access, the ability to attach to a volume, or to fire up instances. These policies can be modified or updated by the cloud administrator to control the access to the various resources.
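How the four Keystone services fit together can be shown in one small flow: a password check that issues an opaque, expiring token; token validation as a service would request it during an operation; an endpoint catalogue; and policy rule strings in the style of a policy file (`role:…` and `project_id:%(project_id)s` conditions joined by `and`/`or`). This is an added illustration written for this section and is not OpenStack's own code; the user names, passwords, endpoint URL, project ids and policy rules are constructed, and a real deployment uses Keystone's token formats and the oslo.policy rule language rather than this simplified evaluator.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Simplified stand-in for Keystone's identity/token/catalogue/policy services.
# Not OpenStack code; users, endpoints and rules are constructed.

@dataclass(frozen=True)
class Token:
    user: str
    project_id: str
    roles: frozenset
    expires_at: float

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class IdentityService:
    def __init__(self, token_ttl=3600.0):
        self._users = {}      # name -> (salt, password hash, project_id, roles)
        self._tokens = {}     # opaque token id -> Token
        self._catalogue = {}  # service type -> endpoint URL
        self.token_ttl = token_ttl

    # Identity: who the user is, and which project and roles they hold
    def add_user(self, name, password, project_id, roles):
        salt = os.urandom(16)
        self._users[name] = (salt, _hash_password(password, salt),
                             project_id, frozenset(roles))

    def authenticate(self, name, password, now):
        """Verify the credential; on success issue an opaque, expiring token."""
        record = self._users.get(name)
        if record is None:
            return None
        salt, stored, project_id, roles = record
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        token_id = secrets.token_urlsafe(32)
        self._tokens[token_id] = Token(name, project_id, roles, now + self.token_ttl)
        return token_id

    # Token: what a service asks Keystone during an operation
    def validate(self, token_id, now):
        token = self._tokens.get(token_id)
        if token is None:
            return None
        if now >= token.expires_at:
            del self._tokens[token_id]      # expired tokens are forgotten
            return None
        return token

    # Service catalogue: where each registered service can be reached
    def register_endpoint(self, service_type, url):
        self._catalogue[service_type] = url

    def endpoint_for(self, service_type):
        return self._catalogue.get(service_type)

# Policies: one rule string per action, in the style of a policy file (constructed).
POLICY = {
    "volume:attach": "role:admin or project_id:%(project_id)s",
    "identity:list_users": "role:admin",
}

def _condition_holds(cond, token, target):
    kind, _, value = cond.partition(":")
    if kind == "role":
        return value in token.roles
    if kind == "project_id":
        return token.project_id == value % target   # filled from the target resource
    raise ValueError(f"unsupported condition {cond!r}")

def check_policy(token, action, target):
    """Allow if any 'or' alternative holds; each alternative is an 'and' of conditions."""
    return any(
        all(_condition_holds(c.strip(), token, target) for c in alt.split(" and "))
        for alt in POLICY[action].split(" or ")
    )

def build_demo_service():
    svc = IdentityService()
    svc.add_user("alice", "correct horse battery", "proj-a", {"member"})
    svc.add_user("cloud-admin", "demo-admin-password", "proj-admin", {"admin"})
    svc.register_endpoint("volume", "https://volume.example.invalid/v3")
    return svc

def demo(now=1_000.0):
    """Walk through the flow once and return the observable outcomes."""
    svc = build_demo_service()
    token_id = svc.authenticate("alice", "correct horse battery", now)
    token = svc.validate(token_id, now)
    return {
        "wrong_password_rejected": svc.authenticate("alice", "wrong", now) is None,
        "token_user": token.user,
        "attach_own_volume": check_policy(token, "volume:attach", {"project_id": "proj-a"}),
        "attach_other_volume": check_policy(token, "volume:attach", {"project_id": "proj-b"}),
        "list_users": check_policy(token, "identity:list_users", {}),
        "expired": svc.validate(token_id, now + svc.token_ttl) is None,
        "volume_endpoint": svc.endpoint_for("volume"),
    }
```

The services only ever hold the opaque token id, never the password, and every decision about a resource is made against the validated token's project and roles plus the rule for that action, which is what lets the cloud administrator change access by editing the policy rather than the service.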



