AS IV

SEC 3302, Advanced IS Security 1

Course Learning Outcomes for Unit IV Upon completion of this unit, students should be able to:

1. Analyze access controls used to secure information systems (IS). 1.1 Explore best practices for controlling access to data and systems.

2. Examine encryption types used for the physical security protection of an organization.

2.1 Explain the general principles of security for a network. Required Unit Resources Chapter 4: Secure Networks In order to access the following resource, click the link below. You can access the transcript for the video by clicking on the three dots below the video on the right, then clicking “Open transcript.” Professor Messer. (2021, April 7). Secure networking - SY0-601 CompTIA Security+ : 3.3 [Video]. YouTube.

https://www.youtube.com/watch?v=Nj_VF6tuBpw Unit Lesson

Principles of Secure Networks Today, employees bring their own electronic devices to work, use personal hot spots, and tether their cellphones to laptops. How do you keep your corporate network secure in light of all this? It should be noted that network security, like information technology (IT) security, has to constantly adapt in response to challenges such as these. As attackers learn more ways of exploiting weaknesses, security has to learn ways to protect its infrastructure. Basically, as technology improves, security has to keep up. Chapter 4 covers some of the attacks that occur on networks. It also discusses defenses against these attacks. We cannot cover them all in this lesson, but they are important to learn, so please read the chapter. You are also encouraged to research further into the topic to learn more. While the previous unit addressed protecting communications through the use of cryptography, this unit is more concerned with how networks themselves are maliciously attacked. Messages in modern telecommunications can be attacked both through their means of conveyance and through the route they take. A secure network environment must be created that will prevent these attacks. The principles of availability, confidentiality, functionality, and access control should be utilized to effectuate this security, as described in the textbook.

UNIT IV STUDY GUIDE Securing Networks

SEC 3302, Advanced IS Security 2

UNIT x STUDY GUIDE Title

Because access control is so important, we will return to that subject in Chapter 5. For now, let’s jump right into some of the attacks that networks encounter and how they work. Denial-of-Service (DoS) Attacks One consideration when securing a network is that security involves more than just intruders. Securing a network requires a balance between keeping your system and data secure and allowing users the access they need. As mentioned above, the first goal of a secure network is availability. Authorized users have to be able to access their data, services, and applications. Availability can be affected by conditions like poor coding or the complications that arise when a large site links to a small site and overwhelms the smaller site. But there are also intentional attacks that impact access. One of the most well-known is the DoS attack, which can grind a system to a halt and cause an enormous amount of financial damage. DoS attacks operate by stopping a service, such as a web service, or by degrading service. A service- degrading attack can be especially damaging because it cannot be easily identified. A slow degradation of services may not even be immediately recognized as an attack and may cause damage for a long time before being discovered. Even worse, the entity who is attacked may spend valuable resources upgrading systems unnecessarily when they see that their service is not allowing sufficient and reliable access to customers. DoS attacks can be direct or indirect. They may utilize tactics such as flooding, spoofing, or backspatter, and they may do their damage through the use of intermediaries, bots, and handlers. These concepts are covered in your readings and should be reviewed.

SEC 3302, Advanced IS Security 3

UNIT x STUDY GUIDE Title

Unlike other system attacks, DoS and distributed DoS (DDoS) attacks do not focus on stealing

information or other assets. Instead, these attacks are intended to prevent legitimate users from accessing servers and services by flooding the servers with more traffic than they are set up to

handle so that they become more and more sluggish until they are either unable to respond or they crash from the overload. DoS attacks may originate from one machine or system; for DDoS attacks,

multiple systems attack the target, as illustrated in the graphic above. Defending against DoS attacks can be tricky, even when the attacks are detected. We have some tactics that can get the system out of trouble, though each tactic has its strengths and weaknesses. One defense, known as blackholing, drops all of the Internet Protocol (IP) packets from an attacker. While this will stop traffic, the attacker can simply change IP addresses and restart the attack. Even worse, if an attacker knows blackholing will be done automatically, they can spoof the attack packets from a known, legitimate corporate partner— which will cut off that desired traffic. Other tactics to fight DoS attacks include validating the handshake and rate limiting, which involves limiting a certain type of traffic to a reasonable amount. Unfortunately, rate limiting can have the unintended impact of limiting legitimate as well as illegitimate traffic. Address Resolution Protocol (ARP) Poisoning ARP poisoning is an attack that is specific to local area network (LAN) traffic. For the attack to work, the attacker must have a computer on the local network. ARP tables are manipulated to reroute LAN traffic, which effectuates an attack on both network confidentiality and functionality. In contrast, remember that DoS attacks are an attack on the availability of a network. The attack works by taking advantage of the fact that hosts on the same network have to know each other before they can start exchanging packets using IP addresses. Hosts thereby build ARP tables, and after validation, the hosts trust all ARP replies. This opens the door for spoofing, allowing the attacker to manipulate the tables and create false entries for internal hosts and gateways. The stream of spoofed ARP replies have to be continuous to keep the tables from self-correcting. ARP poisoning can be prevented using methods like static ARP tables, which involves manually setting tables that cannot be dynamically updated. A weakness with this method is that business changes will require a huge amount of work to manage static ARP and IP tables. Another method would simply be to limit local access by preventing foreign hosts from operating on the LAN. This is a form of network access control, which we will now discuss further.

SEC 3302, Advanced IS Security 4

UNIT x STUDY GUIDE Title

Access Controls Corporate LANs require protection to ensure confidentiality of data sent across the network, but they must also provide access controls so that only authorized users are allowed on the network. In modern companies, an intruder can access wired LANs from a wall jack or Ethernet wires, and wireless LANs can be accessed by radio through an unprotected wireless access point. After gaining this access, an intruder can use a packet sniffer to detect, intercept, and read traffic. To prevent this from happening, access controls must be utilized in both wired (Ethernet) networks and wireless networks. Ethernet LAN security utilizes standards such as 802.1X (port-based access control), extensible authentication protocol (EAP), and radius servers—each of which functions in different ways and contains different authorization, audit, and authentication features. These standards and protocols are detailed in your Chapter 4 readings. Wireless networks are often attacked using one of three major attack forms:

1. unauthorized access to the network; 2. an attack using an “evil twin,” which is also known as a man-in-the-middle attack; or 3. wireless DoS attacks, which are similar to the DoS attacks we discussed earlier in that their main aim

is to negatively impact the availability of a network. These attacks prevent the host from accessing a wireless network by utilizing tactics such as flooding the frequency with electromagnetic interference (EMI) or radio frequency interference (RFI). These tactics make data packets unreadable due to “noise,” or disturbances in the electrical signal. Another method is to flood the access point (AP), which would result in the AP using all of its resources to send and receive attack packets and thereby effectively deny access to any other host. Lastly, attack commands can be sent to APs or clients that result in a continuous stream of spoofed messages, request-to-send (RTS) frames, or clear-to-send (CTS) frames that prevent clients from connecting to the AP.

Conclusion As we stated at the beginning of the lesson, there are clear goals that must be determined when considering how to secure a networking environment. These goals consist of availability, confidentiality, access control, and functionality. When dealing with common attacks, such as DoS, ARP poisoning, and attacks on wired and wireless LANs, one must keep these goals in mind.

SEC 3302, Advanced IS Security 1

Course Learning Outcomes for Unit IV Upon completion of this unit, students should be able to:

1. Analyze access controls used to secure information systems (IS). 1.1 Explore best practices for controlling access to data and systems.

2. Examine encryption types used for the physical security protection of an organization.

2.1 Explain the general principles of security for a network. Required Unit Resources Chapter 4: Secure Networks In order to access the following resource, click the link below. You can access the transcript for the video by clicking on the three dots below the video on the right, then clicking “Open transcript.” Professor Messer. (2021, April 7). Secure networking - SY0-601 CompTIA Security+ : 3.3 [Video]. YouTube.

https://www.youtube.com/watch?v=Nj_VF6tuBpw Unit Lesson

Principles of Secure Networks Today, employees bring their own electronic devices to work, use personal hot spots, and tether their cellphones to laptops. How do you keep your corporate network secure in light of all this? It should be noted that network security, like information technology (IT) security, has to constantly adapt in response to challenges such as these. As attackers learn more ways of exploiting weaknesses, security has to learn ways to protect its infrastructure. Basically, as technology improves, security has to keep up. Chapter 4 covers some of the attacks that occur on networks. It also discusses defenses against these attacks. We cannot cover them all in this lesson, but they are important to learn, so please read the chapter. You are also encouraged to research further into the topic to learn more. While the previous unit addressed protecting communications through the use of cryptography, this unit is more concerned with how networks themselves are maliciously attacked. Messages in modern telecommunications can be attacked both through their means of conveyance and through the route they take. A secure network environment must be created that will prevent these attacks. The principles of availability, confidentiality, functionality, and access control should be utilized to effectuate this security, as described in the textbook.

UNIT IV STUDY GUIDE Securing Networks

SEC 3302, Advanced IS Security 2

UNIT x STUDY GUIDE Title

Because access control is so important, we will return to that subject in Chapter 5. For now, let’s jump right into some of the attacks that networks encounter and how they work. Denial-of-Service (DoS) Attacks One consideration when securing a network is that security involves more than just intruders. Securing a network requires a balance between keeping your system and data secure and allowing users the access they need. As mentioned above, the first goal of a secure network is availability. Authorized users have to be able to access their data, services, and applications. Availability can be affected by conditions like poor coding or the complications that arise when a large site links to a small site and overwhelms the smaller site. But there are also intentional attacks that impact access. One of the most well-known is the DoS attack, which can grind a system to a halt and cause an enormous amount of financial damage. DoS attacks operate by stopping a service, such as a web service, or by degrading service. A service- degrading attack can be especially damaging because it cannot be easily identified. A slow degradation of services may not even be immediately recognized as an attack and may cause damage for a long time before being discovered. Even worse, the entity who is attacked may spend valuable resources upgrading systems unnecessarily when they see that their service is not allowing sufficient and reliable access to customers. DoS attacks can be direct or indirect. They may utilize tactics such as flooding, spoofing, or backspatter, and they may do their damage through the use of intermediaries, bots, and handlers. These concepts are covered in your readings and should be reviewed.

SEC 3302, Advanced IS Security 3

UNIT x STUDY GUIDE Title

Unlike other system attacks, DoS and distributed DoS (DDoS) attacks do not focus on stealing

information or other assets. Instead, these attacks are intended to prevent legitimate users from accessing servers and services by flooding the servers with more traffic than they are set up to

handle so that they become more and more sluggish until they are either unable to respond or they crash from the overload. DoS attacks may originate from one machine or system; for DDoS attacks,

multiple systems attack the target, as illustrated in the graphic above. Defending against DoS attacks can be tricky, even when the attacks are detected. We have some tactics that can get the system out of trouble, though each tactic has its strengths and weaknesses. One defense, known as blackholing, drops all of the Internet Protocol (IP) packets from an attacker. While this will stop traffic, the attacker can simply change IP addresses and restart the attack. Even worse, if an attacker knows blackholing will be done automatically, they can spoof the attack packets from a known, legitimate corporate partner— which will cut off that desired traffic. Other tactics to fight DoS attacks include validating the handshake and rate limiting, which involves limiting a certain type of traffic to a reasonable amount. Unfortunately, rate limiting can have the unintended impact of limiting legitimate as well as illegitimate traffic. Address Resolution Protocol (ARP) Poisoning ARP poisoning is an attack that is specific to local area network (LAN) traffic. For the attack to work, the attacker must have a computer on the local network. ARP tables are manipulated to reroute LAN traffic, which effectuates an attack on both network confidentiality and functionality. In contrast, remember that DoS attacks are an attack on the availability of a network. The attack works by taking advantage of the fact that hosts on the same network have to know each other before they can start exchanging packets using IP addresses. Hosts thereby build ARP tables, and after validation, the hosts trust all ARP replies. This opens the door for spoofing, allowing the attacker to manipulate the tables and create false entries for internal hosts and gateways. The stream of spoofed ARP replies have to be continuous to keep the tables from self-correcting. ARP poisoning can be prevented using methods like static ARP tables, which involves manually setting tables that cannot be dynamically updated. A weakness with this method is that business changes will require a huge amount of work to manage static ARP and IP tables. Another method would simply be to limit local access by preventing foreign hosts from operating on the LAN. This is a form of network access control, which we will now discuss further.

SEC 3302, Advanced IS Security 4

UNIT x STUDY GUIDE Title

Access Controls Corporate LANs require protection to ensure confidentiality of data sent across the network, but they must also provide access controls so that only authorized users are allowed on the network. In modern companies, an intruder can access wired LANs from a wall jack or Ethernet wires, and wireless LANs can be accessed by radio through an unprotected wireless access point. After gaining this access, an intruder can use a packet sniffer to detect, intercept, and read traffic. To prevent this from happening, access controls must be utilized in both wired (Ethernet) networks and wireless networks. Ethernet LAN security utilizes standards such as 802.1X (port-based access control), extensible authentication protocol (EAP), and radius servers—each of which functions in different ways and contains different authorization, audit, and authentication features. These standards and protocols are detailed in your Chapter 4 readings. Wireless networks are often attacked using one of three major attack forms:

1. unauthorized access to the network; 2. an attack using an “evil twin,” which is also known as a man-in-the-middle attack; or 3. wireless DoS attacks, which are similar to the DoS attacks we discussed earlier in that their main aim

is to negatively impact the availability of a network. These attacks prevent the host from accessing a wireless network by utilizing tactics such as flooding the frequency with electromagnetic interference (EMI) or radio frequency interference (RFI). These tactics make data packets unreadable due to “noise,” or disturbances in the electrical signal. Another method is to flood the access point (AP), which would result in the AP using all of its resources to send and receive attack packets and thereby effectively deny access to any other host. Lastly, attack commands can be sent to APs or clients that result in a continuous stream of spoofed messages, request-to-send (RTS) frames, or clear-to-send (CTS) frames that prevent clients from connecting to the AP.

Conclusion As we stated at the beginning of the lesson, there are clear goals that must be determined when considering how to secure a networking environment. These goals consist of availability, confidentiality, access control, and functionality. When dealing with common attacks, such as DoS, ARP poisoning, and attacks on wired and wireless LANs, one must keep these goals in mind.