
Network Security

Introduction
Computer systems and computer networks are complex entities. They combine
hardware and software components into a system that can perform operations and
calculations beyond the capabilities of humans. Computers and networks emerge from
the integration of communication devices, storage devices, processing devices,
security devices, input devices, output devices, operating systems, software,
services, data, and people.
The first networks allowed communication between a central computer and
remote terminals. Telephone lines were used because they offered fast and economical
data transfer; existing procedures and protocols were used to establish the
connection, and modulators and demodulators (modems) were added to carry digital
data over the analogue line.
There is a difference between a computer network and a communications
network.
A computer network is a set of equipment connected through cables, signals,
waves or any other method of data transport, which shares information (files), resources
(CD-ROM, printers, etc.) and services (access to the Internet, mail, chat, games).
A communications network is a set of technical means that allow remote
communication between autonomous devices (peers, rather than a master/slave
arrangement); normally it is about transmitting data, audio and video by electromagnetic
waves through various media (air, vacuum, copper cable, fiber optic cable, etc.).
To simplify communication between applications on different equipment, ISO
defined the OSI model, which specifies seven layers. Each layer performs a specific
function with a defined scope. The TCP/IP model is a protocol model because it describes
the functions that occur at each layer of the protocols within the TCP/IP suite.
Less than ten years ago, most people did not even know what the Internet or email
was. To take a further step back, most people did not even have computers at work
or at home, and some even questioned their usefulness. Things have changed.

Network Security
Cole, Krutz and Conley (2009, p. 21) state that network security spans a
large number of disciplines, ranging from management and policy topics to operating
system kernel fundamentals. Historically, the coverage of these and the other network
security areas was presented in multiple, specialized publications or given a high-level
treatment that was not suited to the practitioner. Network Security Bible, 2nd Edition
approaches network security from the view of the individual who wants to learn and
apply the associated network security best practices without having to sort through a
myriad of extraneous material from multiple sources. The information provided in this
text includes ''secrets'' learned by practicing professionals in the field of network security
through many years of real-world experience.
With a clear view of what network security is, we can now define what IDS and
IPS are.
Intrusion Detection and Prevention Systems
Chapple, Stewart and Gibson (2018, p. 1213) state that detection and
prevention methods change to adapt to new attacks. Intrusion detection systems (IDSs)
and intrusion prevention systems (IPSs) are two methods organizations typically
implement to detect and prevent attacks.
An intrusion occurs when an attacker can bypass or thwart security mechanisms
and gain access to an organization’s resources. Intrusion detection is a specific form of
monitoring that monitors recorded information and real-time events to detect abnormal
activity indicating a potential incident or intrusion. An intrusion detection system (IDS)
automates the inspection of logs and real-time system events to detect intrusion
attempts and system failures. Because an IPS includes detection capabilities, you’ll often
see them referred to as intrusion detection and prevention systems (IDPSs).
Firewall
Maymi (2018, p. 646) explains that firewalls are used to restrict access to one
network from another network. Most companies use firewalls to restrict access to their
networks from the Internet. They may also use firewalls to restrict one internal network
segment from accessing another internal segment. For example, if the security
administrator wants to make sure employees cannot access the research and
development network, he would place a firewall between this network and all other
networks and configure the firewall to allow only the type of traffic he deems acceptable.
A firewall may be a server running a firewall software product or a specialized
hardware appliance. It monitors packets coming into and out of the network it is
protecting. It can discard packets, repackage them, or redirect them, depending upon the
firewall configuration.

Prevention and Detection


Cole (2002, p. 25) emphasizes that to have a secure site, companies must
realize that there are two pieces: prevention and detection. Most companies concentrate
their efforts on prevention and forget about detection. For example, on average, more
than 90 percent of large companies have firewalls installed, which are meant to address
the prevention issue. The problem, however, is twofold. First, a company cannot prevent
all traffic, so some will get through, possibly an attack. Second, most prevention
mechanisms that companies put in are either not designed or not configured correctly,
which means they are providing minimal protection if any.

Methods of Attacks
There are many different kinds of attacks, but they can generally be grouped into a
handful of classes or categories.
These are the common or well-known classes of attacks and attack methodologies:
brute force and dictionary attacks, denial of service, spoofing, man-in-the-middle attacks,
spamming, sniffing, and password cracking.
Denial of Service (DOS)
Cole (2002, p. 204) states that a denial of service attack (DoS) is an attack
through which a person can render a system unusable, or significantly slow it down for
legitimate users, by overloading its resources so that no one else can access it.
Chapple, Stewart and Gibson (2018, p. 927) explain that there are two basic
forms of denial of service:
• Attacks exploiting a vulnerability in hardware or software. This exploitation of a
weakness, error, or standard feature of software intends to cause a system to hang,
freeze, consume all system resources, and so on. The end result is that the victimized
computer is unable to process any legitimate tasks.
• Attacks that flood the victim's communication pipeline with traffic, consuming
bandwidth or connection capacity so that legitimate requests cannot get through.
In either case, the victim has been denied the ability to perform normal
operations (services).
Types of Denial of Service Attacks
Cole (2002, pp. 210-233) lists the following types of DoS attacks:
• Ping of Death
• SSPing
• Land
• Smurf
• SYN Flood
• CPU Hog
• Win Nuke
• RPC Locator
• Jolt2
• Bubonic
• Microsoft Incomplete TCP/IP Packet Vulnerability
• HP Openview Node Manager SNMP DOS Vulnerability
• Netscreen Firewall DOS Vulnerability
• Checkpoint Firewall DOS Vulnerability.
Some of these attacks have been around for a while; however, they are included
because they cover very important concepts of how DoS attacks work, and they give us
an idea of the range of services or protocols that can be attacked to cause a denial of
service. We will explain one of these attacks.
Ping of Death
A Denial of Service attack that involves sending a very large ping packet to a host
machine.
Exploit Details
Name: Ping of Death
Operating System: Most Operating Systems
Protocols/Services: ICMP Ping
The ping of death is a network-level attack against a host, with the goal of denying
service to that host. The attacker sends an oversized ping packet to the victim's machine.
Operating systems of the mid-1990s did not check for a packet larger than the maximum
legal size, so receiving one caused many of them to hang or crash; on Microsoft Windows
of that era it produced the blue screen of death. Current operating systems reject an
oversized datagram during reassembly, so the attack now matters mainly as an illustration
of how a single malformed packet can take down a host.
Protocol Description
Cole (2002, p. 210) states that ping of death uses large Internet Control
Message Protocol (ICMP) ping packets to cause a denial of service against a
given system.
Detailed Description
The IP specification (the basis for many protocols used on the Internet) allows
a maximum datagram size of 65535 octets (1 octet = 8 bits), because the total-length
field in the IP header is 16 bits wide. A datagram contains a minimum of 20 octets of IP
header, 0 or more octets of optional information, and data in the remainder. An ICMP
echo request carrying 65527 octets of data needs 65527 + 8 (ICMP header) + 20 (IP
header) = 65555 octets, so it can only be sent as a series of IP fragments, and the offset
plus length of the last fragment lands past the 65535-octet limit. Some systems reacted
unpredictably when reassembling such an oversized datagram, because the reassembly
buffer was sized for a legal datagram and the last fragment was written past its end.
Reports indicate a range of reactions including crashing, freezing, and rebooting.
Source Code/Pseudo Code
Most operating systems come with a version of ping as part of the standard
operating system, so it is very easy to perform this attack: all the tools needed are
already installed by default. For example, from a Windows machine an attacker would
open a command prompt and issue this command:
ping -l 65527 [followed by the IP address of the victim's machine]
The -l option sets the number of data bytes in the echo request; with the 8-byte ICMP
header and the 20-byte IP header, the resulting datagram is 65555 bytes, more than IP
allows.
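To make the size arithmetic above concrete, the following added example (not code from Cole or any of the other cited sources) models how an ICMP echo with 65527 data bytes is split into IP fragments and what a receiver computes when it puts them back together. It assumes a 20-byte IP header without options and a 1500-byte MTU; it builds no packets and sends nothing.

```python
"""Ping-of-death arithmetic: why an oversized ICMP echo overflows IP reassembly.

Added example, not code from the cited sources. Models fragmentation of a
single IP datagram on paper; it does not send or receive packets. Assumes a
20-byte IPv4 header with no options.
"""

IP_MAXPACKET = 65535            # largest value of the 16-bit IP total-length field
IP_HEADER_LEN = 20              # minimal IPv4 header, no options (assumption)
ICMP_HEADER_LEN = 8             # ICMP echo header: type, code, checksum, id, seq
MAX_FRAG_OFFSET = (1 << 13) - 1 # 13-bit fragment-offset field, in 8-byte units


def fragment_icmp_echo(data_len, mtu=1500):
    """Split an ICMP echo carrying data_len bytes into IP fragments.

    Returns a list of (offset_units, payload_len, more_fragments) tuples:
    the three fields a receiver reads from each fragment's IP header.
    """
    ip_payload = ICMP_HEADER_LEN + data_len
    per_frag = (mtu - IP_HEADER_LEN) // 8 * 8   # payload per fragment, multiple of 8
    frags = []
    offset = 0
    while offset < ip_payload:
        length = min(per_frag, ip_payload - offset)
        more = offset + length < ip_payload
        units = offset // 8
        if units > MAX_FRAG_OFFSET:
            raise ValueError("offset does not fit the 13-bit fragment-offset field")
        frags.append((units, length, more))
        offset += length
    return frags


def reassembled_datagram_length(frags):
    """Length of the datagram the fragments describe, IP header included."""
    end = max(units * 8 + length for units, length, _more in frags)
    return IP_HEADER_LEN + end


def accept_fragment(units, length):
    """Receiver-side check that closes the hole: reject a fragment whose end
    lies beyond the largest legal IP datagram. A vulnerable stack skipped
    this and wrote past its reassembly buffer."""
    return IP_HEADER_LEN + units * 8 + length <= IP_MAXPACKET


if __name__ == "__main__":
    # 56 = default Unix ping payload, 65507 = largest legal echo, 65527 = the attack
    for data_len in (56, 65507, 65527):
        frags = fragment_icmp_echo(data_len)
        total = reassembled_datagram_length(frags)
        bad = [f for f in frags if not accept_fragment(f[0], f[1])]
        print(f"ping -l {data_len}: {len(frags)} fragment(s), reassembles to "
              f"{total} bytes, {'DROP' if bad else 'accept'}")
```

The 65527-byte case reassembles to 65555 bytes, 20 beyond the limit, while 65507 data bytes is the largest echo that still fits; `accept_fragment` is the one-line check the vulnerable stacks lacked.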
Flow Chart of DOS attack prevention

Suraparaju V (2019) Flow chart for proposed DDoS attack mitigation algorithm.
How to Protect Against DOS attacks
DoS attacks are difficult to protect against because we can never totally eliminate
the threat. If we are connected to the Internet, there is always a chance that an attacker
may send more data than we are able to process. Chapple, Stewart and Gibson (2018,
pp. 928-929) list the following countermeasures and safeguards against these
attacks:

 Add firewalls, routers, and intrusion detection systems (IDSs) that detect DoS
traffic and automatically block the port or filter out packets based on the source
or destination address.
 Maintain good contact with your service provider in order to request filtering
services when a DoS occurs.
 Disable echo replies on external systems.
 Disable broadcast features on border systems.
 Block spoofed packets from entering or leaving your network.
 Keep all systems patched with the most current security updates from vendors.
 Consider commercial DoS protection/response services like CloudFlare’s DDoS
mitigation or Prolexic. These can be expensive, but they are often effective.
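The items "block spoofed packets from entering or leaving your network" and "disable broadcast features on border systems" can be written down as a small packet filter. The following is an added example, not code from the cited sources: a Python decision function for a border router with two internal prefixes (192.0.2.0/24 and 198.51.100.0/24, assumed for illustration) applied to constructed sample packets. It implements BCP 38 style ingress and egress filtering plus a directed-broadcast drop.

```python
"""Anti-spoofing (ingress/egress) filter for a border router.

Added example, not code from the cited sources. The internal prefixes and
the sample packets are assumed for illustration.
"""
import ipaddress

# Prefixes the organisation owns behind the border (assumption).
INTERNAL_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Source ranges that must never arrive from the Internet (private, loopback,
# link-local, "this" network); a packet carrying one is spoofed or leaked.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def _is_directed_broadcast(addr):
    """True if addr is the broadcast address of one of our subnets. An outside
    packet aimed there is a smurf-style amplification attempt."""
    return any(addr == p.broadcast_address for p in INTERNAL_PREFIXES)


def filter_packet(direction, src, dst):
    """Return (verdict, reason) for a packet crossing the border.

    direction is "in" (from the Internet) or "out" (towards the Internet).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if _in_any(src, INTERNAL_PREFIXES):
            return "drop", "ingress: source claims to be internal (spoofed)"
        if _in_any(src, BOGON_PREFIXES):
            return "drop", "ingress: bogon source"
        if _is_directed_broadcast(dst):
            return "drop", "ingress: directed broadcast (smurf amplifier)"
        return "accept", "ingress: ok"
    if direction == "out":
        if not _in_any(src, INTERNAL_PREFIXES):
            return "drop", "egress: source is not ours (spoofed, BCP 38)"
        return "accept", "egress: ok"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed sample packets: (direction, source, destination).
SAMPLE_PACKETS = [
    ("in",  "203.0.113.7",  "192.0.2.10"),   # normal inbound connection
    ("in",  "192.0.2.50",   "192.0.2.10"),   # outside packet forging an inside source
    ("in",  "10.1.2.3",     "192.0.2.10"),   # RFC 1918 source from the Internet
    ("in",  "203.0.113.7",  "192.0.2.255"),  # smurf: ping to our broadcast address
    ("out", "192.0.2.10",   "203.0.113.7"),  # normal outbound
    ("out", "203.0.113.99", "203.0.113.7"),  # infected host spoofing its source for a DoS
]


def audit(packets=SAMPLE_PACKETS):
    """Apply the filter to every packet; returns the list of (verdict, reason)."""
    return [filter_packet(*pkt) for pkt in packets]


if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_PACKETS, audit()):
        print(f"{pkt[0]:>3} {pkt[1]:>14} -> {pkt[2]:<13} {verdict:6} {reason}")
```

A real router applies the same three rules as access lists or unicast reverse-path forwarding checks; the point is that the decision needs only the interface direction, the source and the destination, so it is cheap enough to run on every packet.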
Brute Force and Dictionary
Brute force
Cole, Krutz and Conley (2009, p. 134) explain that brute-force password
guessing means using a random approach by trying different passwords and hoping that
one works. Some logic can be applied by trying passwords related to the person's name,
job title, hobbies, or similar items.
Dictionary attack
Cole, Krutz and Conley (2009, p. 134) describe a dictionary attack as one in
which a dictionary of common passwords is used in an attempt to gain access to a
user's computer and network. One approach is to copy the file that contains the
encrypted (hashed) passwords, apply the same transformation to a dictionary of commonly
used passwords, and compare the results. This type of attack can be automated.

Types of Brute Force Attacks


Petters (2018) explains that the most basic brute force attack is a dictionary
attack, where the attacker works through a dictionary of possible passwords and tries
them all. Dictionary attacks start with some assumptions about common passwords to
try to guess from the list in the dictionary. These attacks tend to be somewhat outdated,
given newer and more effective techniques.
Recent computers manufactured within the last ten or so years can brute force crack
an 8 character alphanumeric password (capitals and lowercase letters, numbers, and
special characters) in about two hours. Computers are so fast that they can brute force
decrypt a weak encryption hash in mere months. These kinds of brute force attacks are
known as an exhaustive key search, where the computer tries every possible combination
of every possible character to find the right combination.
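Both the dictionary attack as Cole, Krutz and Conley describe it (hash the dictionary the same way the password file was hashed, then compare) and the exhaustive key search Petters describes can be shown with one small program. The following is an added example, not code from either source: the password file, the wordlist, the users and the salted SHA-256 scheme are all constructed here for illustration.

```python
"""Offline dictionary attack and exhaustive search against a password file.

Added example, not code from the cited sources. The password file, wordlist
and hashing scheme (salted SHA-256, a fast hash) are constructed here. Real
systems should store passwords with a slow, memory-hard hash; that is
exactly what makes this search cost prohibitive.
"""
import hashlib
import itertools
import string


def hash_password(password, salt):
    """Salted SHA-256 stored as salt$hexdigest. Fast, hence crackable."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


# Constructed password file (hypothetical users): user -> salt$hash.
PASSWORD_FILE = {
    "alice": hash_password("letmein", "a1"),       # in the wordlist
    "bob":   hash_password("b7x", "q9"),           # short: falls to exhaustive search
    "carol": hash_password("Tr0ub4dor&3", "zz"),   # neither listed nor enumerable here
}

# Constructed wordlist: the "dictionary" of common passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome", "admin"]


def dictionary_attack(password_file, wordlist):
    """Hash each candidate with the user's own salt and compare to the stored
    value. Returns {user: password} for every account found in the wordlist."""
    cracked = {}
    for user, stored in password_file.items():
        salt, _ = stored.split("$", 1)
        for candidate in wordlist:
            if hash_password(candidate, salt) == stored:
                cracked[user] = candidate
                break
    return cracked


def exhaustive_search(stored, alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Try every string over alphabet up to max_len characters (the exhaustive
    key search in the text). Returns the password, or None once the space is
    exhausted. Cost is the sum of len(alphabet) ** n for n up to max_len."""
    salt, _ = stored.split("$", 1)
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if hash_password(candidate, salt) == stored:
                return candidate
    return None


def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search must try in the worst case."""
    return alphabet_size ** length


if __name__ == "__main__":
    found = dictionary_attack(PASSWORD_FILE, WORDLIST)
    print("dictionary attack:", found)
    for user, stored in PASSWORD_FILE.items():
        if user not in found:
            print(f"exhaustive search ({user}):", exhaustive_search(stored))
    print("8 characters over 95 symbols:", keyspace(95, 8), "candidates")
```

Against a fast hash the three-character search over 36 symbols (about 48,000 candidates) finishes in a fraction of a second; `keyspace(95, 8)` shows why eight characters over 95 symbols (about 6.6 × 10^15 candidates) is still within reach of GPU hardware at that speed, and why a deliberately slow hash, not a longer wordlist, is the defense.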
Flow Chart Brute Force attack
P. Mohanty (2019) Flowchart of secret signature detection process through
Brute-force attack.
Motives Behind Brute Force Attacks

Brute force attacks occur in the early stages of the cyber kill chain, typically during
the reconnaissance and infiltration stages. Attackers need access or points of entry into
their targets, and brute force techniques are a “set it and forget it” method of gaining
that access. Once they have entry into the network, attackers can use brute force
techniques to escalate their privileges or to run encryption downgrade attacks.

How to Defend Against Brute Force Attacks

 Increase password length
 Limit login attempts
 Use multi-factor authentication
 Create a password policy
 Create security awareness campaigns for users
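"Limit login attempts" means counting failures and refusing further attempts once a threshold is reached within a time window. The following added example, not code from the cited sources, runs a sliding-window counter over constructed SSH-style log lines (the format imitates OpenSSH syslog output, but the lines are made up) and shows both the detection alert an IDS would raise and the lockout decision; the threshold of 5 failures in 300 seconds is an assumption.

```python
"""Failed-login detector and lockout, run over constructed auth log lines.

Added example, not code from the cited sources. The log lines imitate
OpenSSH's syslog format but are made up; threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample log: one source hammering one account, then a legitimate
# user with a single typo, then the attacker returning after the window drained.
SAMPLE_LOG = """\
Sep 28 10:00:01 host sshd[101]: Failed password for admin from 203.0.113.9 port 51001 ssh2
Sep 28 10:00:02 host sshd[102]: Failed password for admin from 203.0.113.9 port 51002 ssh2
Sep 28 10:00:03 host sshd[103]: Failed password for admin from 203.0.113.9 port 51003 ssh2
Sep 28 10:00:04 host sshd[104]: Failed password for admin from 203.0.113.9 port 51004 ssh2
Sep 28 10:00:05 host sshd[105]: Failed password for admin from 203.0.113.9 port 51005 ssh2
Sep 28 10:00:06 host sshd[106]: Failed password for admin from 203.0.113.9 port 51006 ssh2
Sep 28 10:01:00 host sshd[107]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Sep 28 10:01:05 host sshd[108]: Accepted password for alice from 198.51.100.4 port 40000 ssh2
Sep 28 10:20:00 host sshd[109]: Failed password for admin from 203.0.113.9 port 51007 ssh2
"""


def parse(line, year=2019):
    """Return (timestamp, result, user, ip) or None for lines that do not match.
    Syslog timestamps carry no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


class LoginLimiter:
    """Sliding-window failure counter. After `threshold` failures from one
    source against one account within `window_s` seconds, further attempts
    from that pair are refused until old failures age out of the window."""

    def __init__(self, threshold=5, window_s=300):
        self.threshold = threshold
        self.window_s = window_s
        self.failures = defaultdict(deque)   # (ip, user) -> failure timestamps
        self.alerts = []

    def _prune(self, key, now):
        q = self.failures[key]
        while q and (now - q[0]).total_seconds() > self.window_s:
            q.popleft()

    def is_locked(self, ip, user, now):
        self._prune((ip, user), now)
        return len(self.failures[(ip, user)]) >= self.threshold

    def observe(self, ts, result, user, ip):
        key = (ip, user)
        if self.is_locked(ip, user, ts):
            return "blocked"                  # refused before any password check
        if result == "Failed":
            self.failures[key].append(ts)
            if len(self.failures[key]) == self.threshold:
                self.alerts.append(f"{ts:%H:%M:%S} brute force: {ip} -> {user}")
            return "failed"
        self.failures[key].clear()            # a success resets the counter
        return "accepted"


def replay(log_text, **kw):
    """Feed a log through the limiter; returns (verdict per line, alerts)."""
    limiter = LoginLimiter(**kw)
    records = [r for r in map(parse, log_text.splitlines()) if r]
    return [limiter.observe(*rec) for rec in records], limiter.alerts


if __name__ == "__main__":
    verdicts, alerts = replay(SAMPLE_LOG)
    for line, verdict in zip(SAMPLE_LOG.splitlines(), verdicts):
        print(f"{verdict:8} {line}")
    print("\n".join(alerts))
```

The sixth attempt is refused without the password being checked, which is what takes the speed out of an online attack; the alert on the fifth failure is the event an IDS forwards, and alice's single typo never reaches the threshold.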
Spoofing Attacks
Chapple, Stewart and Gibson (2018, p. 1051) define spoofing (also known as
masquerading) as pretending to be something, or someone, else. There is a wide variety
of spoofing attacks. As an example, an attacker can use someone else's credentials to
enter a building or access an IT system. In an IP spoofing attack, attackers replace a
valid source IP address with a false one to hide their identity or to impersonate a trusted
system.
Types of Spoofing Attacks
Cole (2002, p. 123) lists the following types of spoofing attacks:

 IP spoofing
 Email spoofing
 Web spoofing
 Non-technical spoofing
 ARP spoofing
 DNS spoofing
 Man in the middle
There are various types of spoofing, each with various levels of difficulty. In its
most basic form, an attacker alters his identity so that someone thinks he is someone
else. We will explain one of these attacks.
Man-in-the-middle attack
Cole, Krutz and Conley (2009, p. 130) state that a man-in-the-middle attack
involves attackers injecting themselves into the middle of a communication. For example,
attacker A substitutes his or her public key for that of another person, P. Then anyone
wanting to send an encrypted message to P using P's public key is unknowingly using A's
public key, so A can read the message intended for P. A can then send the
message on to P, encrypted with P's real public key, and P will never be the wiser.
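The exchange described above, as an added example that is not part of the cited source: a toy textbook RSA (small Mersenne primes, no padding, not secure) is used so that both sides' messages and the attacker's decrypt-and-re-encrypt step are visible, followed by the fingerprint check that defeats the key substitution. The parties P and A, the key directory and the message are constructed for illustration.

```python
"""Man-in-the-middle by public-key substitution, and the check that defeats it.

Added example, not code from the cited sources. Toy textbook RSA on
hard-coded Mersenne primes with no padding: the arithmetic is visible but
it is not secure. Parties, directory and message are constructed.
"""
import hashlib


def toy_keypair(p, q, e=65537):
    """Textbook RSA from two primes: returns ((e, n), (d, n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(pub, message):
    e, n = pub
    m = int.from_bytes(message.encode(), "big")
    assert m < n, "message too long for this toy modulus"
    return pow(m, e, n)


def decrypt(priv, ciphertext):
    d, n = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()


def fingerprint(pub):
    """Short hash of a public key: the value the sender verifies out of band."""
    e, n = pub
    return hashlib.sha256(f"{e}:{n}".encode()).hexdigest()[:16]


# P is the intended recipient, A the attacker. Mersenne primes M61, M89, M107,
# M127 keep the moduli large enough for a short ASCII message.
P_PUB, P_PRIV = toy_keypair((1 << 61) - 1, (1 << 89) - 1)
A_PUB, A_PRIV = toy_keypair((1 << 107) - 1, (1 << 127) - 1)

# P's fingerprint, obtained out of band (in person, printed on a card, ...).
P_FINGERPRINT = fingerprint(P_PUB)


def directory_lookup(name, attacker_in_the_middle):
    """The public-key directory the sender consults. With A in the middle,
    the lookup for P is answered with A's key instead."""
    if name == "P" and attacker_in_the_middle:
        return A_PUB
    return {"P": P_PUB}[name]


def run_exchange(message, attacker_in_the_middle, verify_fingerprint):
    """Sender -> (A) -> P. Returns what A could read and what P received."""
    key_for_p = directory_lookup("P", attacker_in_the_middle)
    if verify_fingerprint and fingerprint(key_for_p) != P_FINGERPRINT:
        return {"sent": False, "a_read": None, "p_got": None,
                "reason": "fingerprint mismatch: offered key is not P's"}
    ct = encrypt(key_for_p, message)          # sender believes this is P's key
    a_read = None
    if attacker_in_the_middle:
        a_read = decrypt(A_PRIV, ct)          # A reads the plaintext ...
        ct = encrypt(P_PUB, a_read)           # ... and forwards it under P's real key
    p_got = decrypt(P_PRIV, ct)
    return {"sent": True, "a_read": a_read, "p_got": p_got, "reason": "ok"}


if __name__ == "__main__":
    for mitm, verify in ((False, False), (True, False), (True, True)):
        print(f"mitm={mitm} verify={verify}:", run_exchange("meet at dawn", mitm, verify))
```

Without the fingerprint check A reads the message and P still receives it intact, which is why the text says P will never be the wiser; with the check, the sender refuses to encrypt because the key offered for P does not match the fingerprint obtained out of band. Certificate pinning and SSH's known_hosts file are the everyday forms of this check.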

Current Situation of the attack


Hidayatullah (2019) mentions that, being possible at both the intranet and
Internet levels, a man-in-the-middle attack is one of the most common and dangerous
kinds of attacks. In such attacks, you may not even realize that you are affected, since
the attack is more or less passive in nature.
Protection against Man-in-the-Middle Attacks
Hidayatullah (2019) explains that detecting a man-in-the-middle attack can be very
difficult. In this case, prevention is better than cure, since there are very few methods to
detect these attacks. Typically, you should not use public networks for working on any
confidential matters (or even for checking your personal emails). It is best to use a public
network only for basic purposes like reading the news; even if your traffic is intercepted,
the damage is limited or nil.
To avoid internal man-in-the-middle attacks you can set up an intrusion detection
system (IDS). The IDS monitors your network and, if someone tries to hijack the
traffic flow, gives immediate alerts. The downside of an IDS is that it may raise
false alerts many times, which leads to users disabling it.
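One concrete form of the internal man-in-the-middle described above is ARP spoofing, where the attacker answers ARP requests for the gateway so that victims send their traffic through the attacker's machine. The following added example, not code from Hidayatullah or the other cited sources, shows the check an IDS performs for it: remember which MAC address answered for each IP, alert when that changes, and flag one MAC answering for several IPs. The ARP replies are constructed and the window and count thresholds are assumptions.

```python
"""ARP-spoofing (internal man-in-the-middle) detector over constructed ARP replies.

Added example, not code from the cited sources. The replies are made up;
the 60-second window and the one-IP-per-MAC limit are assumptions.
"""
from collections import defaultdict

# Constructed ARP replies: (time_s, sender_ip, sender_mac). 10.0.0.1 is the
# gateway; aa:bb:cc:dd:ee:ff is the attacker, who starts poisoning at t=30.
SAMPLE_REPLIES = [
    (0,  "10.0.0.1",  "00:11:22:33:44:01"),
    (1,  "10.0.0.20", "00:11:22:33:44:20"),
    (2,  "10.0.0.21", "00:11:22:33:44:21"),
    (30, "10.0.0.1",  "aa:bb:cc:dd:ee:ff"),   # attacker claims the gateway
    (31, "10.0.0.20", "aa:bb:cc:dd:ee:ff"),   # ... and the victim, to relay both ways
    (32, "10.0.0.1",  "aa:bb:cc:dd:ee:ff"),   # repeated claim, same MAC: no new alert
    (60, "10.0.0.21", "00:11:22:33:44:21"),   # unchanged, benign
]


class ArpWatcher:
    """Tracks IP -> MAC bindings seen in ARP replies and raises alerts on
    (a) a binding changing and (b) one MAC claiming several IPs in a window."""

    def __init__(self, flip_window_s=60, max_ips_per_mac=1):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(dict)   # mac -> {ip: last_seen}
        self.flip_window_s = flip_window_s
        self.max_ips_per_mac = max_ips_per_mac
        self.alerts = []

    def observe(self, t, ip, mac):
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            self.alerts.append(
                f"t={t}: {ip} changed {previous} -> {mac} (possible ARP spoofing)")
        self.ip_to_mac[ip] = mac

        seen = self.mac_to_ips[mac]
        is_new_ip = ip not in seen
        seen[ip] = t
        recent = sorted(i for i, ts in seen.items() if t - ts <= self.flip_window_s)
        if is_new_ip and len(recent) > self.max_ips_per_mac:
            self.alerts.append(
                f"t={t}: {mac} answers for {recent} (one host claiming many IPs)")


def analyse(replies=SAMPLE_REPLIES, **kw):
    """Replay the ARP replies; returns (alerts, final IP -> MAC table)."""
    watcher = ArpWatcher(**kw)
    for reply in replies:
        watcher.observe(*reply)
    return watcher.alerts, watcher.ip_to_mac


if __name__ == "__main__":
    alerts, table = analyse()
    print("\n".join(alerts))
    print(table)
```

The same check is also the source of the false alerts the text mentions: a DHCP lease moving to another machine or a replaced network card also changes the MAC behind an IP. Keeping an allowlist of expected changes, or suppressing alerts during maintenance windows, stops the tool from being switched off.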
The Attacker’s Process
There are many ways an attacker can gain access to or exploit a system. No matter
which way an attacker goes about it, some basic steps are followed:
1. Passive reconnaissance.
2. Active reconnaissance (scanning).
3. Exploiting the system:
   o Gaining access through operating system attacks, application-level attacks,
     scripts and sample program attacks, or misconfiguration attacks
   o Elevating privileges
   o Denial of service
4. Uploading programs.
5. Downloading data.
6. Keeping access by using backdoors or Trojan horses.
7. Covering tracks.

Hackers Motive, Opportunity, and Means


Maymi (2018, p. 1046) explains that to understand the "whys" in crime, it is necessary to
understand the motive, opportunity, and means, or MOM.
Motive is the "who" and "why" of a crime. The motive may be induced by either
internal or external conditions. A person may be driven by the excitement, challenge, and
adrenaline rush of committing a crime, which would be an internal condition. Examples
of external conditions might include financial trouble, a sick family member, or other
dire straits.
Opportunity is the “where” and “when” of a crime. Opportunities usually arise
when certain vulnerabilities or weaknesses are present. If a company does not have a
firewall, hackers and attackers have all types of opportunities within that network. If a
company does not perform access control, auditing, and supervision, employees may
have many opportunities to embezzle funds and defraud the company.
Means pertains to the abilities a criminal would need to be successful. Suppose a
crime fighter was asked to investigate a complex embezzlement that took place within a
financial institution. If the suspects were three people who knew how to use a mouse,
keyboard, and a word processing application, but only one of them was a programmer
and system analyst, the crime fighter would realize that this person may have the means
to commit this crime much more successfully than the other two individuals.

What Should Companies Be Doing?


Cole (2002, p. 24) suggests that this question is an excellent start, but
companies need to change their mindset and put security in the picture. Security is one
of those measures that, if you wait until you need it, it is too late. Also, in most cases, a
small percentage of exploits account for a large number of security breaches. Therefore,
by providing some level of protection, you can increase your security tremendously
against the opportunistic hacker.

Security Awareness
Cole, Krutz and Conley (2009, p. 77) remark that, in terms of validating
and making people aware of the policy, three core pieces go together:

 Policy — Specifies what to do
 Training — Provides the skill for performing it
 Awareness — Changes behavior so everyone understands the importance
of the policy
Senior management has the obligation to ensure that the employees of an
organization are aware of their responsibilities in protecting that organization’s
computers and networks from compromise. Similarly, employees should be diligent in
their everyday work habits and embrace good information system security practices.
Security awareness refers to the collective consciousness of an organization’s employees
relative to security controls and the application of these controls to the protection of the
organization’s critical and sensitive information.
Bibliography references

Cole, E., Krutz, R. and Conley, J. (2009). Network Security Bible. 2nd ed. Indianapolis, Ind.: Wiley
Publishing.
Cole, E. (2002). Hackers Beware. 1st ed. Indianapolis, Ind.: New Riders.
Chapple, M., Stewart, J. and Gibson, D. (2018). (ISC)2 CISSP Certified Information
Systems Security Professional Official Study Guide. 8th ed. Hoboken: John Wiley &
Sons.
Maymi, F. (2018). CISSP All-in-One Exam Guide, Eighth Edition. 8th ed. New York:
McGraw-Hill Education.
Hidayatullah, S. (2019). Man in the middle attack prevention strategies. [online]
ComputerWeekly.com. Available at: https://www.computerweekly.com/tip/Man-in-the-middle-attack-prevention-strategies
[Accessed 28 Sep. 2019].
Suraparaju, V. (2019). Flow chart for proposed DDoS attack mitigation algorithm. [online]
ResearchGate. Available at: https://www.researchgate.net/figure/Flow-chart-for-proposed-DDoS-attack-mitigation-algorithm_fig5_309466519
[Accessed 28 Sep. 2019].
Petters, J. (2018). What is a Brute Force Attack? Definition | Varonis. [online] Inside
Out Security. Available at: https://www.varonis.com/blog/brute-force-attack/
[Accessed 29 Sep. 2019].
