MODULE 5

PRINCIPLES OF NETWORK SECURITY

SUBTOPIC 1

Who is Attacking Our Network?

Threat, Vulnerability, and Risk

 Threat
 Potential danger to an asset such as data or the network.
 Vulnerability and Attack Surface
 Weakness in a system or its design that could be exploited by a threat.
 Attack surface describes different points where an attacker could get into a system and
could get to the data (Example – operating system without security patches)
 Exploit
 Mechanism used to leverage a vulnerability to compromise an asset.
 Remote – works over the network.
 Local – threat actor has user or administrative access to the end system.
 Risk
 Likelihood that a threat will exploit a vulnerability of an asset and result in an undesirable
consequence.

There are four common ways to manage risk:

 Risk acceptance - This is when the cost of risk management options outweighs the cost of the risk
itself.
 Risk avoidance - This is an action that avoids any exposure to the risk.
 Risk limitation - This limits a company’s risk exposure by taking some action.
 Risk transfer - The risk is transferred to a willing third party such as an insurance company.

Other commonly used network security terms include:

 Countermeasure - The protection solution that mitigates a threat or risk
 Impact - The resulting damage to the organization that is caused by the threat.

Note: A local exploit requires inside network access such as a user with an account on the network. A
remote exploit does not require an account on the network to exploit that network’s vulnerability.

Hacker vs. Threat Actor

 White Hat Hackers

 Ethical hackers who use their programming skills for good, ethical, and legal purposes.
 Perform penetration tests to discover vulnerabilities and report to developers before
exploitation.
 Grey Hat Hackers
  Commit crimes and do unethical things but not for personal gain or to cause damage.
 May compromise network and then disclose the problem so the organization can fix the
problem.
 Black Hat Hackers
 Unethical criminals who violate security for personal gain, or for malicious reasons, such
as attacking networks.

Note: Threat actors is a term used to describe grey and black hat hackers.

Evolution of Threat Actors

 Script Kiddies
 Inexperienced hackers running existing tools and exploits, to cause harm, but typically not
for profit.
 State-Sponsored
 White or black hats who steal government secrets, gather intelligence, and sabotage
networks.
 Targets are foreign governments, terrorist groups, and corporations.
 Cybercriminals
 Black hats stealing billions of dollars from consumers and businesses.
 Hacktivists
 Grey hats who rally and protest against political and social ideas.
 Post articles and videos to leak sensitive information.
 Vulnerability Broker
 Discover exploits and report them to vendors, sometimes for prizes or rewards.

Cybercriminals

 Money-motivated threat actors.

 Buy, sell, and trade exploits, and private information and intellectual property.
 Steal from consumers, small businesses, as well as large enterprises and industries.
 Cybercriminals operate in an underground economy where they buy, sell, and trade exploits and
tools. They also buy and sell the private information and intellectual property they steal from
victims.

Cybersecurity Tasks

 Develop good cybersecurity awareness.

 Report cybercrime to authorities.
 Be aware of potential threats in email and web
 Guard important information from theft.
 Organizations must take action and protect their assets, users, and customers.
 Develop cybersecurity tasks and implement those tasks on a reoccurring basis.

Cyber Threat Indicators

  Each attack has unique identifiable attributes that are known as cyber threat indicators or simply
attack indicators.
 U.S. Department of Homeland Security (DHS) and United States Computer Emergency Readiness
Team (US-CERT) use the Automated Indicator Sharing (AIS) system that enables sharing of verified
attack indicators with public and private sector organizations

Threat Actor Tools

Introduction of Attack Tools

 Attackers use tools to exploit a vulnerability.

 Sophistication of attack tools and technical knowledge to conduct attacks has changed since 1985.

Evolution of Security Tools

 Common Penetration Testing Tools

 Password crackers - guesses to crack the password and access the system.
 Wireless hacking tools - hack into a wireless network to detect security vulnerabilities.
 Network scanning and hacking tools - probe network devices, servers, and hosts for open
ports.
 Packet crafting tools - probe and test a firewall’s robustness using specially crafted forged
packets.
 Packet sniffers - capture and analyze packets within traditional Ethernet LANs or WLANs.
 Rootkit detectors - directory and file integrity checker used by white hats to detect
installed root kits.
 Fuzzers - attempts to discover a computer system’s security vulnerabilities.

 Common Penetration Testing Tools

 Forensic tools - sniff out any trace of evidence existing in a particular computer system.
 Debugger tools - reverse engineer binary files when writing exploits or malware analysis.
 Hacking operating systems - designed operating systems preloaded with tools and
technologies optimized for hacking.
 Encryption tools - use algorithm schemes to encode the data to prevent unauthorized
access to the encrypted data.
 Vulnerability exploitation tools - determine whether a remote host is vulnerable to a
security attack.
 Vulnerability scanners - scan a network or system to identify open ports.

Categories of Attacks

 Common Categories of Network Attacks

 Eavesdropping - capture and listen to network traffic
 Data modification - alter the captured data in the packet without the knowledge
of the sender or receiver.
  IP address spoofing - constructs an IP packet that appears to originate from a valid
address inside the corporate intranet.
 Password-based - uses the stolen valid accounts to obtain lists of other users and
network information.

 Common Categories of Network Attacks

 Denial-of-Service - prevents normal use of a computer or network by valid users.
 Man-in-the-Middle - hackers position themselves between a source and destination to
monitor, capture and control communication.
 Compromised-Key - gain access to a secured communication without the sender or
receiver being aware of the attack by obtaining the secret key.
 Sniffer - an application or device that can read, monitor, and capture network data
exchanges and read network packets.

SUBTOPIC 2

Malware

Types of Malware
The focus of this topic is on threats to end devices such as the threats shown in Figure. End devices
are especially prone to malware attacks. Malware is short for malicious software or malicious code. It is
code or software that is specifically designed to damage, disrupt, steal, or generally inflict some other
“bad” or illegitimate action on data, hosts, or networks. It is important to know about malware because
threat actors and online criminals frequently try to trick users into installing malware to help exploit
security gaps. In addition, malware morphs so rapidly that malware-related security incidents are
extremely common because antimalware software cannot be updated quickly enough to stop the new
threats.

 Malware
 Short for malicious software or malicious code.
 Specifically designed to damage, disrupt, steal or inflict illegitimate action on data hosts
or networks.

Viruses
 Type of malware that propagates by inserting a copy of itself into another program.
 Spread from one computer to another, infecting computers.
 Spread by USB memory drives, CDs, DVDs, network shares and email.
 Can lay dormant and activate at a specific time and date.
 Requires human action to insert malicious code into another program.
 Executes a specific unwanted, and often harmful, function on a computer.

Trojan Horses

 Malicious code that is designed to look legitimate.

  Often found attached to online games.
 Non-replicating type of malware.
 Exploits the privileges of the user that runs the malware.
 Can cause immediate damage, provide remote access to the system, or access through a back
door.

Trojan Horse Classification

 Remote-access Trojan horse - Enables unauthorized remote access.

 Data-sending Trojan horse - Provides the threat actor with sensitive data, such as passwords.
 Destructive Trojan horse - Corrupts or deletes files.
 Proxy Trojan horse - Will use the victim's computer as the source device to launch attacks and
perform other illegal activities.
 FTP Trojan horse - Enables unauthorized file transfer services on end devices.
 Security software disabler Trojan horse - Stops antivirus programs or firewalls from functioning.
 DoS Trojan horse - Slows or halts network activity.

Worms

 Executes arbitrary code and installs itself in the memory of the infected device.
 Automatically replicates itself and spreads across the network from system to system.
 Components of a worm attack include an exploiting vulnerability, delivering a malicious payload,
and self-propagation.
 Virus requires a host program to run, worms can run by themselves.
 Computer worms are similar to viruses because they replicate and can cause the same type of
damage. Specifically, worms replicate themselves by independently exploiting vulnerabilities in
networks. Worms can slow down networks as they spread from system to system.
 Whereas a virus requires a host program to run, worms can run by themselves. Other than the
initial infection, they no longer require user participation. After a host is infected, the worm is able
to spread very quickly over the network.
 Worms are responsible for some of the most devastating attacks on the Internet. As shown in
Figure, in 2001 the Code Red worm had infected 658 servers. Within 19 hours, the worm had
infected over 300,000 servers as shown in Figure
 The initial infection of the SQL Slammer worm, known as the worm that ate the Internet, is shown
in Figure. SQL Slammer was a denial of service (DoS) attack that exploited a buffer overflow bug
in Microsoft's SQL Server. At its peak, the number of infected servers doubled in size every 8.5
seconds. This is why it was able to infect 250,000+ hosts within 30 minutes, as shown in Figure 4.
When it was released on the weekend of January 25, 2003, it disrupted the Internet, financial
institutions, ATM cash machines, and more. Ironically, a patch for this vulnerability had been
released 6 months earlier. The infected servers did not have the updated patch applied. This was
a wake-up call for many organizations to implement a security policy requiring that updates and
patches be applied in a timely fashion.
 Worms share similar characteristics. They all exploit an enabling vulnerability, have a way to
propagate themselves, and they all contain a payload.
Worm Components

 Worm attacks consist of three components:

 Enabling vulnerability - Worm installs itself using an exploit mechanism, such as an email
attachment, an executable file, or a Trojan horse, on a vulnerable system.
 Propagation mechanism - After gaining access to a device, the worm replicates itself and
locates new targets.
 Payload - Any malicious code that results in some action is a payload which is used to
create a backdoor that allows a threat actor access to the infected host or to create a DoS
attack.
 Worms are self-contained programs that attack a system to exploit a known vulnerability. Upon
successful exploitation, the worm copies itself from the attacking host to the newly exploited
system and the cycle begins again. Their propagation mechanisms are commonly deployed in a
way that is difficult to detect.

Ransomware

 Malware that denies access to the infected computer system or its data.
 Cybercriminals demand payment to release the computer system.
 Frequently uses an encryption algorithm to encrypt system files and data, cannot be easily
decrypted.
 Email and malicious advertising are vectors for ransomware campaigns.
 Social engineering is also used, cybercriminals who identify themselves as security technicians call
homes and persuade users to connect to a website that downloads the ransomware to the user’s
computer.

Other Malware

 Modern Malware
 Spyware - Used to gather information about a user and send the information to another
entity without the user’s consent. Can be a system monitor, Trojan horse, Adware,
tracking cookies, and key loggers.
 Adware - Typically displays annoying pop-ups to generate revenue for its author. May
analyze user interests by tracking the websites visited and send pop-up advertising
pertinent to those sites.
 Scareware - Includes scam software which uses social engineering to shock or induce
anxiety by creating the perception of a threat. Generally directed at an unsuspecting user
and attempts to persuade the user to infect a computer by taking action to address the
bogus threat.
 Phishing - Attempts to convince people to divulge sensitive information. Examples include
receiving an email from their bank asking users to divulge their account and PIN numbers.
 Rootkits - Installed on a compromised system. After it is installed, it continues to hide its
intrusion and provide privileged access to the threat actor.
Common Malware Behaviors

 Computers infected with malware often exhibit one or more of the following:
 Appearance of strange files, programs, or desktop icons.
 Antivirus and firewall programs are turning off or reconfiguring settings.
 Computer screen is freezing or system is crashing.
 Emails are spontaneously being sent without your knowledge to your contact list.
 Files have been modified or deleted.
 Increased CPU and/or memory usage.
 Problems connecting to networks.
 Slow computer or web browser speeds.
 Unknown processes or services running.
 Unknown TCP or UDP ports open.
 Connections are made to hosts on the Internet without user action.
 Strange computer behavior.

Common Network Attacks

Types of Network Attacks

 This course classifies attacks in three major categories:

 Reconnaissance
 Access
 Denial of Service

 By categorizing network attacks, it is possible to address types of attacks rather than individual
attacks

Reconnaissance Attacks

 Also known as information gathering, reconnaissance attacks perform unauthorized discovery

and mapping of systems, services, or vulnerabilities.
 Analogous to a thief surveying a neighborhood by going door-to-door pretending to sell
something.
 Called host profiling when directed at an endpoint.
 Recon attacks precede intrusive access attacks or DoS attack and employ the use of widely
available tools.

Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of
systems, services, or vulnerabilities. When directed at an endpoint on the network, such as PCs and
servers, a recon attack is also called host profiling. This is because the attacker can get a profile of the
system including operating system type and version. If a system is not fully patched, the attacker will then
look for known vulnerabilities to exploit. Recon attacks precede intrusive access attacks or DoS attacks,
and often employ the use of widely available tools

Sample Reconnaissance Attacks

 Techniques used by threat actors:

 Perform an information query of a target - Threat actor is looking for initial information
about a target. Tools: Google search, public information from DNS registries using dig,
nslookup, and whois.
 Initiate a ping sweep of the target networks - Threat actor initiates a ping sweep of the
target networks revealed by the previous DNS queries to identify target network
addresses. Identifies which IP addresses are active and creation of logical topology.
 Initiate a port scan of active IP addresses - Threat actor initiates port scans on hosts
identified by the ping sweep to determine which ports or services are available. Port
scanning tools such as Nmap, SuperScan, Angry IP Scanner, and NetScan Tools initiate
connections to the target hosts by scanning for ports that are open on the target
computers.

Access Attacks

 Access attacks exploit vulnerabilities in authentication services, FTP services, and web services to
retrieve data, gain access to systems, or to escalate access privileges.

 There are at least three reasons that threat actors would use access attacks on networks or
systems:
 To retrieve data
 To gain access to systems
 To escalate access privileges

Types of Access Attacks

 Password attack - Threat actors attempt to discover critical system passwords using various
methods such as phishing attacks, dictionary attacks, brute-force attacks, network sniffing, or
using social engineering techniques
 Pass-the-hash - The threat actor already has access to the user’s machine and uses malware to
gain access to the stored password hashes.
 Trust exploitation - Threat actors use a trusted host to gain access to network resources
 Port redirection - This is when a threat actor uses a compromised system as a base for attacks
against other targets.
 Man-in-the-middle attack - The threat actor is positioned in between two legitimate entities in
order to read, modify, or redirect the data that passes between the two parties.
 IP, MAC, DHCP Spoofing - Spoofing attacks are attacks in which one device attempts to pose as
another by falsifying address data.

Social Engineering Attacks

  Type of access attack that attempts to manipulate individuals into performing actions or divulging
confidential information needed to access a network.
 Examples of social engineering attacks include:
• Pretexting - Calls an individual and lies to them in an attempt to gain access to
privileged data. Pretends to need personal or financial data in order to confirm
the identity of the recipient.
• Spam - Use spam email to trick a user into clicking an infected link, or
downloading an infected file.
• Phishing - Common version is the threat actor sends enticing custom-targeted
spam email to individuals with the hope the target user clicks on a link or
downloads malicious code.
• Something for Something (Quid pro quo) - Requests personal information from a
party in exchange for something like a free gift.
• Tailgating - Follows an authorized person with a corporate badge into a badge-
secure location.
• Baiting - Threat actor leaves a malware-infected physical device, such as a USB
flash drive in a public location such as a corporate washroom. The finder finds the
device and inserts it into their computer.
• Visual hacking – Physically observes the victim entering credentials such as a
workstation login, an ATM PIN, or the combination on a physical lock. Also known
as “shoulder surfing”.

Phishing Social Engineering Attacks

 Phishing
 Common social engineering technique that threat actors use to send emails that appear
to be from a legitimate organization (such as a bank)
 Variations include:
• Spear phishing - Targeted phishing attack tailored for a specific individual or
organization and is more likely to successfully deceive the target.
• Whaling – Similar to spear phishing but is focused on big targets such as top
executives of an organization.
• Pharming – Compromises domain name services by injecting entries into local
host files. Pharming also includes poisoning the DNS by compromising the DHCP
servers that specify DNS servers to their clients.
• Watering hole – Determines websites that a target group visits regularly and
attempts to compromise those websites by infecting them with malware that can
identify and target only members of the target group.
• Vishing – Phishing attack using voice and the phone system instead of email.
• Smishing – Phishing attack using SMS texting instead of email.

Strengthening the Weakest Link

 People are typically the weakest link in cybersecurity

 Organizations must actively train their personnel and create a “security-aware culture.”

Denial of Service Attacks

  Typically result in some sort of interruption of service to users, devices, or applications.
 Can be caused by overwhelming a target device with a large quantity of traffic or by using
maliciously formatted packets.
 A threat actor forwards packets containing errors that cannot be identified by the application, or
forwards improperly formatted packets.

DDoS Attacks

 DDoS Attacks
 Compromises many hosts
 Originates from multiple, coordinated sources
 DDoS terms:
 Zombies – Refers to a group of compromised hosts (i.e., agents). These hosts run
malicious code referred to as robots (i.e., bots).
 Bots – Bots are malware designed to infect a host and communicate with a handler
system. Bots can also log keystrokes, gather passwords, capture and analyze packets, and
more.
 Botnet – Refers to a group of zombies infected using self-propagating malware (i.e., bots)
and are controlled by handlers.
 Handlers – Refers to a master command-and-control server controlling groups of
zombies. The originator of a botnet can remotely control the zombies.
 Botmaster – This is the threat actor in control of the botnet and handlers.

Example DDoS Attack

1. The threat actor builds or purchases a botnet of zombie hosts.

2. Zombie computers continue to scan and infect more targets to create more zombies.
3. When ready, the botmaster uses the handler systems to make the botnet of zombies carry out
the DDoS attack on the chosen target.

Buffer Overflow Attack

 The goal is to find a system memory-related flaw on a server and exploit it.
 Exploiting the buffer memory by overwhelming it with unexpected values usually renders the
system inoperable.
 For example:
• Threat actor enters input that is larger than expected by the application running on a
server.
• The application accepts the large amount of input and stores it in memory.
• It consumes the associated memory buffer and potentially overwrites adjacent memory,
eventually corrupting the system and causing it to crash.

Evasion Methods

 Threat actors learned long ago that malware and attack methods are most effective when they
are undetected.
 Some of the evasion methods used by threat actors include encryption and tunneling, resource
exhaustion, traffic fragmentation, protocol-level misinterpretation, traffic substitution, traffic
insertion, pivoting, and rootkits.
 New attack methods are constantly being developed; therefore, network security personnel must
be aware of the latest attack methods in order to detect them.
 MODULE 6
NETWORK ATTACKS: A DEEPER LOOK / PROTECTING THE NETWORK

SUBTOPIC 1

Introduction to Network Monitoring

Network Security Topology

 All networks are targets and need to be secured using a defense-in-depth approach.
 Security analysts must be intimately familiar with normal network behavior because abnormal
network behavior typically indicates a problem.

This requires a defense-in-depth approach. It requires using proven methods and secure
infrastructure consisting of firewalls, intrusion detection systems (IDSs)/intrusion prevention systems
(IPSs), and endpoint security software. These methods and technologies are used to introduce
automated monitoring to the network, creating alerts or even automatically blocking offensive
devices when something goes wrong.

Network Monitoring Methods

 Tools used to help discover normal network behavior include IDS, packet analyzers, SNMP,
NetFlow, and others.
 Traffic information capture methods:
• Network TAPs – Network test access points that forward all traffic including physical layer
errors to an analysis device.
• Port mirroring – enables a switch to copy frames of one or more ports to a Switch Port
Analyzer (SPAN) port connected to an analysis device.
 The day-to-day operation of a network consists of common patterns of traffic flow, bandwidth
usage, and resource access. Together, these patterns identify the normal network behavior.
Security analysts must be intimately familiar with the normal network behavior because abnormal
network behavior typically indicates a problem.

To discover the normal network behavior, network monitoring must be implemented. Various tools
are used to help discover normal network behavior including IDS, packet analyzers, SNMP, NetFlow, and
others.
Network Taps

 A network tap is typically a passive splitting device implemented inline between a device of
interest and the network. A tap forwards all traffic including physical layer errors to an analysis
device.
 Taps are also typically fail-safe, which means if it fails or loses power, traffic between the firewall
and internal router is not affected.

Notice how the tap simultaneously sends both the transmit (TX) data stream from the internal router
and the receive (RX) data stream to the internal router on separate, dedicated channels. This ensures that
all data arrives at the monitoring device in real time. Therefore, network performance is not affected or
degraded by monitoring the connection. Taps are also typically fail-safe, which means if it fails or loses
power, traffic between the firewall and internal router is not affected. Search the internet for information
on NetScout Taps for copper UTP Ethernet, fiber Ethernet, and serial links.

Traffic Mirroring and SPAN

 Port mirroring enables the switch to copy frames of one or more ports to a Switch Port Analyzer
(SPAN) port connected to an analysis device.
 In the figure, the switch will forward ingress traffic on F0/1 and egress traffic on F0/2 to the
destination SPAN port G0/1 connecting to an IDS.
 The association between source ports and a destination port is called a SPAN session. In a single
session, one or multiple ports can be monitored.

SPAN terminology includes:

• Ingress traffic - Traffic that enters the switch.
• Egress traffic - Traffic that leaves the switch.
• Source (SPAN) port - Source ports are monitored as traffic entering them is replicated (mirrored)
to the destination ports.
• Destination (SPAN) port - A port that mirrors source ports. Destination SPAN ports often connect
to analysis devices such as a packet analyzer or an IDS.

Traffic Mirroring and SPAN

 Port mirroring enables the switch to copy frames of one or more ports to a Switch Port Analyzer
(SPAN) port connected to an analysis device.
 In the figure, the switch will forward ingress traffic on F0/1 and egress traffic on F0/2 to the
destination SPAN port G0/1 connecting to an IDS.
 The association between source ports and a destination port is called a SPAN session. In a single
session, one or multiple ports can be monitored.

Network Security Monitoring Tools

 Monitoring Tools:
• Protocol Analyzers – Are programs used to capture traffic. Ex. Wireshark and Tcpdump.
• NetFlow – Provides a complete audit trail of basic information about every IP flow
forwarded on a device.
• SIEM – Security Information Event Management systems provide real time reporting and
long-term analysis of security events.
• SNMP – Simple Network Management Protocol provides the ability to request and
passively collect information across all network devices.

Log files – It is also common for security analysts to access Syslog log files to read and analyze system
events and alerts.

Network Protocol Analyzers

  Analysts can use protocol analyzers such as Wireshark and tcpdump to see network exchanges
down to the packet level.
 Network protocol analyzers are also very useful for network troubleshooting, software and
protocol development, and education. In security forensics, a security analyst may reconstruct an
incident from relevant packet captures.

NetFlow

 NetFlow is a Cisco IOS technology that provides 24x7 statistics on packets flowing through a Cisco
router or multilayer switch.
 NetFlow can be used for network and security monitoring, network planning, and traffic analysis;
however, it does not capture the content.
 NetFlow collectors like Cisco Stealthwatch can also perform advanced functions including:
• Flow stitching: It groups individual entries into flows.
• Flow deduplication: It filters duplicate incoming entries from multiple NetFlow clients.
• NAT stitching: It simplifies flows with NAT entries.

SIEM

 Security Information Event Management (SIEM) systems provide real time reporting and long-
term analysis of security events.
 SIEM includes the following essential functions:
• Forensic analysis – The ability to search logs and event records from sources throughout
the organization. It provides more complete information for forensic analysis.
• Correlation – Examines logs and events from different systems or applications, speeding
detection of and reaction to security threats.
• Aggregation - Aggregation reduces the volume of event data by consolidating duplicate
event records.
• Reporting - Reporting presents the correlated and aggregated event data in real-time
monitoring and long-term summaries.

SIEM Systems

 Splunk is one of the more popular proprietary SIEM systems used by Security Operation Centers.
 As an open source option, this course uses the ELK suite for SIEM functionality. ELK is an acronym
for three open source products from Elastic:
 Elasticsearch - Document oriented full text search engine
 Logstash - Pipeline processing system that connects "inputs" to "outputs" with optional "filters"
in between
 Kibana - Browser based analytics and search dashboard for Elasticsearch

IP Vulnerabilities and Threats

IPv4 and IPv6

  It is important for security analysts to understand the different fields in both the IPv4 and IPv6
headers because threat actors can tamper with packet information.

The IPv4 Packet Header

 There are 10 fields in the IPv4 packet header:

• Version
• Internet Header length
• Differentiated Services or DiffServ (DS)
• Total length
• Identification, Flag, and Fragment offset
• Time-to-Live (TTL)
• Protocol
• Header checksum
• Source IPv4 Address
• Destination IPv4 Address
• Options and Padding

The IPv6 Packet Header

 There are 8 fields in the IPv4 packet header:

• Version
• Traffic Class
• Flow Label
• Payload Length
• Next Header
• Hop Limit
• Source IPv6 Address
• Destination IPv6 Address

IP Vulnerabilities

There are different types of attacks targeting IP. These are some of the more common IP related attacks:
• ICMP attacks - Threat actors use Internet Control Message Protocol (ICMP) echo packets (pings)
to discover subnets and hosts on a protected network, to generate DoS flood attacks, and to alter
host routing tables.
• DoS attacks - Threat actors attempt to prevent legitimate users from accessing information or
services.
• DDoS attacks - Similar to a DoS attack, but features a simultaneous, coordinated attack from
multiple source machines.
• Address spoofing attacks - Threat actors spoof the source IP address in an IP packet to perform
blind spoofing or non-blind spoofing.
• Man-in-the-middle attack (MITM) - Threat actors position themselves between a source and
destination to transparently monitor, capture, and control the communication.
• Session hijacking - Threat actors gain access to the physical network, and then use an MITM attack
to hijack a session.
ICMP Attacks

 ICMP was developed to carry diagnostic messages and to report error conditions when routes,
hosts, and ports are unavailable. ICMP messages are generated by devices when a network error
or outage occurs.
 Common ICMP messages of interest to threat actors include:
• ICMP echo request and echo reply – This is used to perform host verification and DoS
attacks.
• ICMP unreachable – This is used to perform network reconnaissance and scanning
attacks.
• ICMP mask reply – This is used to map an internal IP network.
• ICMP redirects – This is used to lure a target host into sending all traffic through a
compromised device and create a MITM attack.
• ICMP router discovery – This is used to inject bogus route entries into the routing table of
a target host.

DoS Attacks

 The goal of a Denial of Service (DoS) attack is to prevent legitimate users from gaining access to
websites, email, online accounts, and other services.
 There are two major sources of DoS attacks:
• Maliciously Formatted Packets – Threat actors craft a maliciously formatted packet and
forward it to a susceptible host, causing the host to crash or become extremely slow.
• Overwhelming Quantity of Traffic – Threat actors overwhelm a target network, host, or
application, causing them to crash or become extremely slow.
 A distributed DoS (DDoS) attack combines multiple DoS attacks.

Amplification and Reflection Attacks

 Threat actors often use amplification and reflection techniques to create DoS attacks. The
example in the figure illustrates how an amplification and reflection technique called a Smurf
attack is used to overwhelm a target host:

1. Amplification - The threat actor forwards ICMP echo request messages that contain the source IP
address of the victim to a large number of hosts.

2. Reflection - These hosts all reply to the spoofed IP address of the victim to overwhelm it.

DDoS Attacks

 A DDoS attack is larger in magnitude than a DoS attack because it originates from multiple,
coordinated sources. DDoS attacks introduced new terms such as botnet, handler systems, and
zombie computers.
 A DDoS attack could proceed as follows:
1. The threat actor (botmaster) builds or purchases the use of a botnet of zombie hosts. The
command-and-control (CnC) server communicates with zombies over a covert channel using IRC, P2P,
DNS, HTTP, or HTTPS.
2. Zombie computers continue to scan and infect more targets to create more zombies.
3. When ready, the botmaster uses the handler systems to make the botnet of zombies carry out
the DDoS attack on the chosen target.

Address Spoofing Attacks

 IP address spoofing attacks occur when a threat actor creates packets with false source IP address
information to either hide the identity of the sender or to pose as another legitimate user. The
attacker can then gain access to otherwise inaccessible data or circumvent security
configurations.

TCP and UDP Vulnerabilities

TCP

 TCP segment information appears immediately after the IP header.

 TCP provides the following services:
• Reliable delivery
• Flow control
• Stateful communication

TCP Attacks

 Although the TCP protocol is a connection-oriented and reliable protocol, there are still
vulnerabilities that can be exploited.
 TCP attacks target expected protocol behaviors:
• TCP SYN flood attack
• TCP reset attack
• TCP session hijacking

UDP and UDP Attacks

 UDP is a simple protocol that provides the basic transport layer functions. UDP is commonly used
by DNS, TFTP, NFS, and SNMP. It is also used with real-time applications such as media streaming
or VoIP. UDP is a connectionless transport layer protocol.
 By default, UDP is not protected by any encryption. The lack of encryption allows anyone to look
at the traffic, change it, and send it on to its destination.
 UDP protocol attacks target the lack of protocol behaviors (UDP):
• UDP checksum attack
 • UDP flood attack
• UDP DoS attacks

IP Services

ARP Vulnerabilities

 Hosts broadcast an ARP Request to other hosts on the segment to determine the MAC address of
a host with a particular IP address.
 All hosts on the subnet receive and process the ARP Request.
 The host with the matching IP address in the ARP Request sends an ARP Reply.

However, this feature of ARP also means that any host can claim to be the owner of any IP/MAC they
choose. A threat actor can poison the ARP cache of devices on the local network, creating an MITM attack
to redirect traffic. The goal is to target a victim host and have it change its default gateway to the threat
actor’s device. This positions the threat actor in between the victim and all other systems outside of the
local subnet.

ARP Cache Poisoning

ARP cache poisoning attacks deliberately poison the cache of another computer with spoofed IP address
to MAC address mappings.
• Passive - Threat actors steal confidential information.
• Active - Threat actors modify data in transit or inject malicious data.

DNS Attacks

 DNS servers resolve names to IP addresses and are a major target of attackers. Some DNS exploits
are:
• DNS Open Resolvers (public name servers)
• DNS Stealth Attacks
• DNS Shadowing Attacks – hijacked domains are used to create subdomains which are
used to resolve to malicious web sites
• DNS Tunneling Attacks - hides malicious instructions inside DNS queries and responses

DNS Tunneling

 Threat actors who use DNS tunneling place non-DNS traffic within DNS traffic. This method often
circumvents security solutions. For the threat actor to use DNS tunneling, the different types of
DNS records such as TXT, MX, SRV, NULL, A, or CNAME are altered.
 DNS in the enterprise is sometimes overlooked as a protocol which can be used by botnets.
Because of this, when DNS traffic is determined to be part of an incident, the attack is already
over. It is necessary for the security analyst to be able to detect when an attacker is using DNS
 tunneling to steal data and prevent and contain the attack. To accomplish this, the security analyst
must implement a solution that can block the outbound communications from the infected hosts.

DHCP

 A DHCP attack could result in every host on the network communicating with malicious DNS
servers and gateways. A DHCP spoofing attack creates a rogue DHCP server to serve falsified
information.

A rogue server can provide a variety of misleading information:

• Wrong default gateway - Threat actor provides an invalid gateway or the IP address of its host to
create a MITM attack. This may go entirely undetected as the intruder intercepts the data flow
through the network.
• Wrong DNS server - Threat actor provides an incorrect DNS server address pointing the user to a
malicious website.
• Wrong IP address - Threat actor provides an invalid IP address, invalid default gateway IP address,
or both invalid IP address and default gateway. The threat actor then creates a DoS attack on the
DHCP client

Enterprise Services

HTTP and HTTPS

To investigate web-based attacks, security analysts must have a good understanding of how a
standard web-based attack works. These are the common stages of a typical web attack:
• The victim unknowingly visits a web page that has been compromised by malware.
• The compromised web page redirects the user, often through many compromised servers, to a
site containing malicious code.
• The user visits this site with malicious code and their computer becomes infected. This is known
as drive-by-downloads. When the user visits the site, an exploit kit scans the software running on
the victim’s computer including the OS, Java, or Flash player looking for an exploit in the software.
The exploit kit is often a PHP script and provides the attacker with a management console to
manage the attack.
• After identifying a vulnerable software package running on the victim’s computer, the exploit kit
contacts the exploit kit server to download code that can use the vulnerability to run malicious
code on the victim’s computer.
• After the victim’s computer has been compromised, it connects to the malware server and
downloads a payload. This could be malware, or a file download service that downloads other
malware.
• The final malware package is run on the victim’s computer.

 Browsing the Web is possibly the largest vector of attack. Security analysts should have in depth
knowledge of how web attacks work.
• Malicious iFrames – an iFrame allows a page from a different domain to be opened inline
within the current page. The iFrame can be used to launch malicious code.
• HTTP 302 cushioning – allows a web page to redirect and open in a different URL. Can be
used to redirect to malicious code.
 • Domain shadowing – malicious web sites are created from subdomains created from a
hijacked domain.

Email

Over the past 25 years, email has evolved from a tool used primarily by technical and research
professionals to become the backbone of corporate communications. Each day, more than 100 billion
corporate email messages are exchanged. As the level of use rises, security becomes a greater priority.
The way that users access email today also increases the opportunity for the threat of malware to be
introduced. It used to be that corporate users accessed text-based email from a corporate server. The
corporate server was on a workstation that was protected by the company’s firewall. Today, HTML
messages are accessed from many different devices that are often not protected by the company’s
firewall. HTML allows more attacks because of the amount of access that can sometimes bypass different
security layers.

 Email messages are accessed from many different devices that are often not protected by the
company’s firewall.
• Attachment-based attacks - email with malicious executable files attached.
• Email spoofing - phishing attack where the message appears to come from a legitimate
source.
• Spam email - unsolicited email with advertisements or malicious content.
• Open mail relay server - massive amount of spam and worms can be sent by
misconfigured email servers.
• Homoglyphs – phishing scheme where text characters (hyperlinks) look similar to real text
and links.

Web-Exposed Databases

 Web applications commonly connect to a relational database. Because relational databases often
contain sensitive data, databases are a frequent target for attacks.
• Command injection attacks – insecure code and web application allows OS commands to
be injected into form fields or the address bar.
• XSS Cross-site scripting attacks – insecure server-side scripting where the input is not
validated allows scripting commands to be inserted into user generated forms fields, like
web page comments. This results in visitors being redirected to a malicious website
with malware code.
• SQL injection attacks – insecure server-side scripting allows SQL commands to be inserted
into form fields where the input is not validated.
• HTTP injection attacks – manipulation of html allows executable code to be injected
through HTML div tags, etc.

 These are some ways to prevent or reduce command injection attacks:

• Use the items listed in the OWASP XSS prevention cheat sheet for web application
developers:
• Use an IPS implementation to detect and prevent malicious scripts.
 • Use a web proxy like Cisco Cloud Web Security or Cisco Web Security Appliance to block
malicious sites.
• Use a service such as Cisco OpenDNS to prevent users from navigating to web sites that
are known to be malicious.
• As with all other security measures, be sure to educate end users. Teach them to identify
phishing attacks and notify infosec personnel when they are suspicious of anything
security related.

SUBTOPIC 2

Defense-in-Depth

Assets, Vulnerabilities, Threats

 Cybersecurity risk consists of the following:

• Assets - Anything of value to an organization that must be protected including servers,
infrastructure devices, end devices, and the greatest asset, data.
• Vulnerabilities - A weakness in a system or its design that could be exploited by a threat.
• Threats - Any potential danger to an asset.

Identify Assets

 Many organizations only have a general idea of the assets that need to be protected.
 All the devices and information owned or managed by the organization are the assets.
 Assets constitute the attack surface that threat actors could target.
 Asset management consists of:
• Inventorying all assets.
• Developing and implementing policies and procedures to protect them.
 Identify where critical information assets are stored, and how access is gained to that information.

Further, organizations need to identify where critical information assets are stored, and how
access is gained to that information. Information assets vary, as do the threats against them. For example,
a retail business may store customer credit card information. An engineering firm will store competition-
sensitive designs and software. A bank will store customer data, account information, and other sensitive
financial information. Each of these assets can attract different threat actors who have different skill-
levels and motivations.

Identify Vulnerabilities

 Identifying vulnerabilities includes answering the following questions:

• What are the vulnerabilities?
• Who might exploit the vulnerabilities?
• What are the consequences if the vulnerability is exploited?
 For example, an e-banking system might have the following threats:

• Internal system compromise - The attacker uses the exposed e-banking servers to break into an
internal bank system.
 • Stolen customer data - An attacker steals the personal and financial data of bank customers from
the customer database.
• Phony transactions - An attacker alters the code of the e-banking application and makes
transactions by impersonating a legitimate user.
• Insider attack on the system - A bank employee finds a flaw in the system from which to mount an
attack.
• Data input errors - A user inputs incorrect data or makes incorrect transaction requests.
• Data center destruction - A cataclysmic event severely damages or destroys the data center.

Identify Threats

 Using a defense-in-depth approach to identify assets might include a topology with the following
devices:
• Edge router – first line of defense; configured with a set of rules specifying which traffic
it allows or denies.
• Firewall – A second line of defense; performs additional filtering, user authentication, and
tracks the state of the connections.
• Internal router – a third line of defense; applies final filtering rules on the traffic before it
is forwarded to its destination.

Security Onion and Security Artichoke Approaches

 The security onion analogy illustrates a layered approach to security.

 A threat actor would have to peel away at a network’s defense mechanisms one layer at a time.
 However, with the evolution of borderless networks, a security artichoke is a better analogy.
 Threat actors may only need to remove certain “artichoke leaves” to access sensitive data.
 For example, a mobile device is a leaf that, when compromised, may give the threat actor access
to sensitive information such as corporate email.
 The key difference between security onion and security artichoke is that not every leaf needs to
be removed in order to get at the data.

Security Policies

Business Policy

 Policies provide the foundation for network security by defining what is acceptable.
 Business policies are the guidelines developed by an organization that govern its actions and the
actions of its employees.
 A organization may have several guiding policies:
• Company policies - establish the rules of conduct and the responsibilities of both
employees and employers.
• Employee policies - identify employee salary, pay schedule, employee benefits, work
schedule, vacations, and more.
• Security policies - identify a set of security objectives for a company, define the rules of
behavior for users and administrators, and specify system requirements.

Security Policy
  A comprehensive security policy has a number of benefits:
• Demonstrates an organization’s commitment to security.
• Sets the rules for expected behavior.
• Ensures consistency in system operations, software and hardware acquisition and use,
and maintenance.
• Defines the legal consequences of violations.
• Gives security staff the backing of management.
 A security policy may include one or more of the items shown in the figure.
 An Acceptable Use Policy (AUP) is one of the most common policies and covers what users are
allowed and not allowed to do on the various system components.

As shown in the figure, a security policy may include the following:

• Identification and authentication policy - Specifies authorized persons that can have access to
network resources and identity verification procedures.
• Password policies - Ensures passwords meet minimum requirements and are changed regularly.
• Acceptable use policy (AUP) - Identifies network applications and uses that are acceptable to the
organization. It may also identify ramifications if this policy is violated.
• Remote access policy - Identifies how remote users can access a network and what is accessible
via remote connectivity.
• Network maintenance policy - Specifies network device operating systems and end user
application update procedures.
• Incident handling procedures - Describes how security incidents are handled.

BYOD Policies

 Many organizations support Bring Your Own Device (BYOD), which enables employees to use their
own mobile devices to access company resources.
 A BYOD policy should include:
• Specify the goals of the BYOD program.
• Identify which employees can bring their own devices.
• Identify which devices will be supported.
• Identify the level of access employees are granted when using personal devices.
• Describe the rights to access and activities permitted to security personnel on the device.
• Identify which regulations must be adhered to when using employee devices.
• Identify safeguards to put in place if a device is compromised.

 The following BYOD security best practices help mitigate BYOD risks:
• Password protected access for each device and account.
• Manually controlled wireless connectivity so the device only connects to trusted
networks.
• Keep software updated to mitigate against the latest threats.
• Back up data in case device is lost or stolen.
• Enable “Find my Device” locator services that can remotely wipe a lost device.
• Provide antivirus software.
• Use Mobile Device Management (MDM) software to enable IT teams to implement
security settings and software configurations on all devices that connect to company
networks.
Regulatory and Standard Compliance

 Compliance regulations and standards define what organizations are responsible for providing,
and the liability if they fail to comply.
 The compliance regulations that an organization is obligated to follow depend on the type of
organization and the data that the organization handles.
 Specific compliance regulations will be discussed later in the course.

Access Control Concepts

Communications Security: CIA

 Information security deals with protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification, or destruction.
 The CIA triad consists of:
• Confidentiality - only authorized entities can access information.
• Integrity - information should be protected from unauthorized alteration.
• Availability - information must be available to the authorized parties who require it, when
they require it.

Access Control Models

 Basic access control models include the following:

• Mandatory access control (MAC) – applies the strictest access control, enabling user
access based on security clearance.
• Discretionary access control (DAC) – allows users to control access to their data as
owners of that data.
• Non-Discretionary access control – access is based on roles and responsibilities; also
known as role-based access control (RBAC).
• Attribute-based access control (ABAC) – access is based on attributes of the resource
accessed, the user accessing it, and environmental factors, such as time of day.
 Another access control model is the principle of least privilege, which states that users should be
granted the minimum amount of access required to perform their work function.
 A common exploit is known as privilege escalation. In this exploit, vulnerabilities in servers or
access control systems are exploited to grant an unauthorized user, or software process, higher
levels of privilege than they should have. After the privilege is granted, the threat actor can access
sensitive information or take control of a system.

AAA Usage and Operation

AAA Operation

 Authentication, Authorization, and Accounting (AAA) is a scalable system for access control.
• Authentication - users and administrators must prove that they are who they say they
are.
 • Authorization - determines which resources the user can access and which operations
the user is allowed to perform.
• Accounting - records what the user does and when they do it.

A network must be designed to control who is allowed to connect to it and what they are allowed
to do when they are connected. These design requirements are identified in the network security policy.
The policy specifies how network administrators, corporate users, remote users, business partners, and
clients access network resources. The network security policy can also mandate the implementation of an
accounting system that tracks who logged in and when and what they did while logged in. Some
compliance regulations may specify that access must be logged, and the logs retained for a set period of
time.

AAA Authentication

 Two common AAA authentication methods include:

• Local AAA Authentication - This method authenticates users against locally stored
usernames and passwords. Local AAA is ideal for small networks.
• Server-Based AAA Authentication – This method authenticates against a central AAA
server that contains the usernames and passwords for all users. Server-based AAA
authentication is appropriate for medium-to-large networks.
 Centralized AAA is more scalable and manageable than local AAA authentication and therefore, it
is the preferred AAA implementation.

 A centralized AAA system may independently maintain databases for authentication,

authorization, and accounting. It can leverage Active Directory or Lightweight Directory Access
Protocol (LDAP) for user authentication and group membership, while maintaining its own
authorization and accounting databases

AAA Accounting Logs

 Accounting provides more security than just authentication.

 AAA servers keep a detailed log of exactly what the authenticated user does on the device.
 The various types of accounting information that can be collected include:
 Network Accounting - captures information such as packet and byte counts.
 Connection Accounting - captures information about all outbound connections.
 EXEC Accounting - captures information about user shells including username, date, start
and stop times, and the access server IP address.
 System Accounting - captures information about all system-level events.
 Command Accounting - captures information about executed shell commands.
 Resource Accounting - captures "start" and "stop" record support for calls that have
passed user authentication.

Information Sources

Network Intelligence Communities

  Threat intelligence organizations such as CERT, SANS, and MITRE offer detailed threat information
that is vital to cybersecurity practices.
 To effectively protect a network, security professionals must stay informed and gain network
intelligence. There are many security organizations which provide network intelligence. They
provide resources, workshops, and conferences to help security professionals. These
organizations often have the latest information on threats and vulnerabilities

Cisco Cybersecurity Reports

 Cisco offers their Cybersecurity Report annually, which provides an update on the state of security
preparedness, expert analysis of top vulnerabilities, factors behind the explosion of attacks using
adware and spam, and more.
 A resource to help security professionals stay abreast of the latest threats is the Cisco Annual
Cybersecurity Report, and the Mid-Year Cybersecurity Report. These reports provide an update
on the state of security preparedness, expert analysis of top vulnerabilities, factors behind the
explosion of attacks using adware and spam, and more.

Security Blogs and Podcasts

 Security blogs and podcasts help cybersecurity professionals understand and mitigate emerging
threats.

Threat Intelligence Services

Cisco Talos

 Threat intelligence services allow the exchange of threat information such as vulnerabilities,
indicators of compromise (IOC), and mitigation and detection techniques.
 The Cisco Talos collects information about active, existing, and emerging threats. Talos then
provides to its subscriber’s comprehensive protection against these attacks and malware.

FireEye

 FireEye is another security company that offers services to help enterprises secure their networks.
 FireEye offers emerging threat information and threat intelligence reports.

Automated Indicator Sharing

 Automated Indicator Sharing (AIS) is program which allows the U.S. Federal Government and the
private sector to share threat indicators.
 AIS creates an ecosystem where, as soon as a threat is recognized, it is immediately shared with
the community.
 The U.S. Department of Homeland Security (DHS) offers a free service called Automated Indicator
Sharing (AIS). AIS enables the real-time exchange of cyber threat indicators (e.g., malicious IP
addresses, the sender address of a phishing email, etc.) between the U.S. Federal Government
and the private sector.
Common Vulnerabilities and Exposures Database

 Common Vulnerabilities and Exposures (CVE) is a database of vulnerabilities that uses a

standardized naming scheme to facilitate the sharing of threat intelligence.

Threat Intelligence Communication Standards

Network organizations and professionals must share information to increase knowledge about
threat actors and the assets they want to access. Several intelligence sharing open standards have evolved
to enable communication across multiple networking platforms. These standards enable the exchange of
cyber threat intelligence (CTI) in an automated, consistent, and machine-readable format.

 Cyber Threat Intelligence (CTI) standards such as STIX and TAXII facilitate the exchange of threat
information by specifying data structures and communication protocols:
• Structured Threat Information Expression (STIX) - specifications for exchanging cyber
threat information between organizations.
• Trusted Automated Exchange of Indicator Information (TAXII) – specification for an
application layer protocol that allows the communication of CTI over HTTPS. TAXII is
designed to support STIX.
 MODULE 7
CRYPTOGRAPHY AND THE PUBLIC KEY INFRASTRUCTURE

SUBTOPIC 1

What is Cryptography?

Securing Communications

▪ Information security concerns protecting network infrastructure devices and securing data as it
travels on the network.
▪ Cryptography helps realize the four objectives of information security:
• Data Confidentiality - only authorized users can read the data.
• Data Integrity - the data has not been altered by unauthorized parties.
• Origin authentication - the data has actually originated at the expected source.
• Non-repudiation – the integrity of the message is irrefutable by the sender.

Cryptology

▪ Cryptology is the science of making and breaking secret codes. There are two disciplines:
• Cryptography –This is the development and use of codes that are used for communicating
privately. Specifically, it is the practice and study of techniques to secure communications.
• Cryptanalysis – This is the breaking of those codes. Specifically, it is the practice and study
of determining and exploiting weaknesses in cryptographic techniques.

Cryptography – Ciphers

▪ A cipher is an algorithm that consists of a series of well-defined steps that can be followed as a
procedure when encrypting and decrypting messages.

The following are types of ciphers that have been used over the years:
▪ Substitution cipher – Substitution ciphers retain the letter frequency of the original message.
▪ Transposition cipher - In transposition ciphers, no letters are replaced; they are simply
rearranged.
▪ Polyalphabetic ciphers - Polyalphabetic ciphers are based on substitution, using multiple
substitution alphabets.

Cryptanalysis – Code Breaking

▪ A number of codes breaking (cryptanalysis) methods exist, such as brute-force, ciphertext, and
known-plaintext, among others.
▪ Several methods are used in cryptanalysis:
• Brute-force - The cryptanalyst tries every possible key knowing that eventually one of them
will work.
 • Ciphertext - The cryptanalyst has the ciphertext of several encrypted messages but no
knowledge of the underlying plaintext.
• Known-Plaintext - The cryptanalyst has access to the ciphertext of several messages and
knows something about the plaintext underlying that ciphertext.
• Chosen-Plaintext - The cryptanalyst chooses which data the encryption device encrypts and
observes the ciphertext output.
• Chosen-Ciphertext - The cryptanalyst can choose different ciphertext to be decrypted and
has access to the decrypted plaintext.
• Meet-in-the-Middle - The cryptanalyst knows a portion of the plaintext and the
corresponding ciphertext.

Keys

▪ With modern technology, security of encryption lies in the secrecy of the keys, not the algorithm.
Two terms that are used to describe keys are:
• Key length - In this course, we will use the term key length.
• Keyspace - This is the number of possibilities that can be generated by a specific key
length.
▪ As key length increases, the keyspace increases exponentially.

Integrity and Authenticity

Cryptographic Hash Functions

▪ Cryptographic hashes are used to verify and ensure data integrity.

▪ Hashing is based on a one-way mathematical function that is relatively easy to compute, but
significantly harder to reverse.
▪ The cryptographic hashing function can also be used to verify authentication.
▪ A hash function takes a variable block of binary data, called the message, and produces a fixed-
length, condensed representation, called the hash.
▪ The resulting hash is also sometimes called the message, digest, or digital fingerprint.
▪ With hash functions, it is computationally infeasible for two different sets of data to come up with
the same hash output.
▪ Every time the data is changed or altered; the hash value also changes.

Cryptographic Hash Operation

▪ Mathematically, the equation h= H(x) is used to explain how a hash algorithm operates.
▪ A cryptographic hash function should have the following properties:
• The input can be any length.
• The output has a fixed length.
• H(x) is relatively easy to compute for any given x.
• H(x) is one way and not reversible.
• H(x) is collision free, meaning that two different input values will result in different hash
values.
MD5 and SHA

▪ Hash functions are used to ensure the integrity of a message. They ensure data has not changed
accidentally or intentionally.
▪ Three well-known hashing algorithms are 128-bit MD5, SHA-1, and SHA-2.
• MD5 with 128-bit digest - A one-way function that produces a 128-bit hashed message.
MD5 is considered to be a legacy algorithm. It is recommended that SHA-2 be used
instead.
• SHA-1 – Very similar to the MD5 hash functions. Several versions exist. SHA-1 creates a
160-bit hashed message and is slightly slower than MD5. SHA-1 has known flaws and is a
legacy algorithm.
• SHA-2 –Next-generation algorithm and should be used whenever possible.
▪ While hashing can be used to detect accidental changes, it cannot be used to guard against
deliberate changes. There is no unique identifying information from the sender in the hashing
procedure.

Hash Message Authentication Code

▪ To add authentication to integrity assurance, a keyed-hash message authentication code (HMAC)

is used.
▪ To add authentication, HMAC uses an additional secret key as input to the hash function.
▪ Only the sender and the receiver know the secret key, and the output of the hash function now
depends on the input data and the secret key.
▪ Only parties who have access to that secret key can compute the digest of an HMAC function.
▪ If the digest that is calculated by the receiving device is equal to the digest that was sent, the
message has not been altered.

Confidentiality

Encryption

These two classes differ in how they use keys:

▪ Symmetric encryption algorithms - Encryption algorithms use the same key to encrypt and
decrypt data. They are based on the premise that each communicating party knows the pre-
shared key.
▪ Asymmetric encryption algorithms - Encryption algorithms use different keys to encrypt and
decrypt data. They are based on the assumption that the two communicating parties have not
previously shared a secret and must establish a secure method to do so. Asymmetric algorithms
are resource intensive and slower to execute.

Symmetric Encryption

▪ Symmetric algorithms use the same pre-shared key to encrypt and decrypt data.
▪ Today, symmetric encryption algorithms are commonly used with VPN traffic. This is because
symmetric algorithms use less CPU than asymmetric encryption algorithms.
▪ When using symmetric encryption algorithms, like any other type of encryption, the longer the
key, the longer it will take for someone to discover the key.
 ▪ Most encryption keys are between 112 and 256 bits. Use a longer key for more secure
communications.

Symmetric Encryption Algorithms

Encryption algorithms are often classified as either:

▪ Block ciphers - Block ciphers transform a fixed-length block of plaintext into a common block of
ciphertext of 64 or 128 bits.
▪ Stream Ciphers - Stream ciphers encrypt plaintext one byte or one bit at a time.
▪ Well-known symmetric encryption algorithms include: Data Encryption Standard (DES), 3DES
(Triple DES), Advanced Encryption Standard, (AES) Software-Optimized Encryption Algorithm
(SEAL), Rivest ciphers (RC)

Diffie-Hellman
▪ Diffie-Hellman (DH) is an asymmetric mathematical algorithm that allows two computers to
generate an identical shared secret without having communicated before.
▪ The new shared key is never actually exchanged between the sender and receiver.
▪ However, because both parties know it, the key can be used by an encryption algorithm to encrypt
traffic between the two systems.
▪ The security of DH is based on the fact that it uses unbelievably large numbers in its calculations.
▪ Unfortunately, asymmetric key systems are extremely slow for any sort of bulk encryption. This is
why it is common to encrypt the bulk of the traffic using a symmetric algorithm.

SUBTOPIC 2

Public Key Cryptography

Using Digital Signatures

• Digital signatures are a mathematical technique used to provide authenticity, integrity, and
nonrepudiation in the form of code signing and digital certificates.
• Digital signatures are commonly used in the following two situations:
o Code signing –Code signing is used to verify the integrity of executable files downloaded
from a vendor website.
o Digital certificates – These are used to authenticate the identity of a system and exchange
confidential data.
• There are three Digital Signature Standard (DSS) algorithms used for generating and verifying
digital signatures:
o Digital Signature Algorithm (DSA) - is the original standard for generating public and
private key pairs, and for generating and verifying digital signatures.
o Rivest-Shamir Adelman Algorithm (RSA) - is an asymmetric algorithm that is commonly
used for generating and verifying digital signatures.
o Elliptic Curve Digital Signature Algorithm (ECDSA) - is a newer variant of DSA and
provides digital signature authentication and non-repudiation with the added benefits
of computational efficiency, small signature sizes, and minimal bandwidth
Digital Signatures for Code Signing

• Digital signatures are commonly used to provide assurance of the authenticity and integrity of
software code.
• Executable files are wrapped in a digitally signed envelope, which allows the end user to verify
the signature before installing the software.
• Digitally signing code provides several assurances about the code:
o The code is authentic and is actually sourced by the publisher.
o The code has not been modified since it left the software publisher.
o The publisher undeniably published the code. This provides nonrepudiation of the act of
publishing.

Digital Signatures for Digital Certificates

• A digital certificate enables users, hosts, and organizations to securely exchange information over
the Internet.
• Specifically, a digital certificate is used to authenticate and verify that users sending a message
are who they claim to be.
• Digital certificates can also be used to provide confidentiality for the receiver with the means to
encrypt a reply.

Authorities and the PKI Trust System

Public Key Management

▪ When establishing an asymmetric connection between two hosts, the hosts will exchange their
public key information.
▪ Trusted third parties on the Internet validate the authenticity of these public keys using digital
certificates. The third-party issues credentials that are difficult to forge.
▪ From that point forward, all individuals who trust the third party simply accept the credentials
that the third-party issues.
▪ The Public Key Infrastructure (PKI) is an example of a trusted third-party system referred to as
certificate authority (CA).
▪ The CA issues digital certificates that authenticate the identity of organizations and users.
▪ These certificates are also used to sign messages to ensure that the messages have not been
tampered with.

The Public Key Infrastructure

• PKI is needed to support large-scale distribution and identification of public encryption keys.
• The PKI framework facilitates a highly scalable trust relationship.
• It consists of the hardware, software, people, policies, and procedures needed to create, manage,
store, distribute, and revoke digital certificates.
• Not all PKI certificates are directly received from a CA. A registration authority (RA) is a
subordinate CA and is certified by a root CA to issue certificates for specific uses.
The PKI Authorities System

• Many vendors provide CA servers as a managed service or as an end-user product.

• Organizations may also implement private PKIs using Microsoft Server or Open SSL.
• CAs issue certificates based on classes which determine how trusted a certificate is.
• The class number is determined by how rigorous the procedure was that verified the identity of
the holder when the certificate was issued.
• The higher the class number, the more trusted the certificate.
• Some CA public keys are preloaded, such as those listed in web browsers.
• An enterprise can also implement PKI for internal use.

The PKI Trust System

• PKIs can form different topologies of trust. The simplest is the single-root PKI topology.

On larger networks, PKI CAs may be linked using two basic architectures:
• Cross-certified CA topologies - This a peer-to-peer model in which individual CAs establish trust
relationships with other CAs by cross-certifying CA certificates.
• Hierarchical CA topologies - The highest-level CA is called the root CA. It can issue certificates to
end users and to a subordinate CA.

Interoperability of Different PKI Vendors

▪ Interoperability between a PKI and its supporting services is a concern because many CA vendors
have proposed and implemented proprietary solutions instead of waiting for standards to
develop.
▪ To address this interoperability concern, the IETF published the Internet X.509 Public Key
Infrastructure Certificate Policy and Certification Practices Framework (RFC 2527).
▪ The X.509 version 3 (X.509v3) standard defines the format of a digital certificate.

Certificate Enrollment, Authentication, and Revocation

▪ All systems that leverage the PKI must have the CA’s public key, called the self-signed certificate.
▪ The CA public key verifies all the certificates issued by the CA and is vital for the proper operation
of the PKI.
▪ The certificate enrollment process begins when CA certificates are retrieved in-band over a
network, and the authentication is done out-of-band (OOB) using the telephone.
▪ The system enrolling with the PKI contacts a CA to request and obtain a digital identity certificate
for itself and to get the CA’s self-signed certificate.
▪ The final stage verifies that the CA certificate was authentic and is performed using an OOB
method such as the Plain Old Telephone System (POTS) to obtain the fingerprint of the valid CA
identity certificate.
▪ A digital certificate can be revoked if key is compromised or if it is no longer needed.

The certificate enrollment process is used by a host system to enroll with a PKI. To do so, CA
certificates are retrieved in-band over a network, and the authentication is done out-of-band (OOB) using
the telephone. The system enrolling with the PKI contacts a CA to request and obtain a digital identity
certificate for itself and to get the CA’s self-signed certificate. The final stage verifies that the CA certificate
was authentic and is performed using an OOB method such as the Plain Old Telephone System (POTS) to
obtain the fingerprint of the valid CA identity certificate

Applications and Impacts of Cryptography

PKI Applications

▪ Some of the many applications of PKIs are:

• SSL/TLS certificate-based peer authentication
• Secure network traffic using IPsec VPNs
• HTTPS Web traffic
• Control access to the network using 802.1x authentication
• Secure email using the S/MIME protocol
• Secure instant messaging
• Approve and authorize applications with Code Signing
• Protect user data with the Encryption File System (EFS)
• Implement two-factor authentication with smart cards
• Securing USB storage devices

Encrypting Network Transactions

▪ Threat actors can use SSL/TLS to introduce regulatory compliance violations, viruses, malware,
data loss, and intrusion attempts in a network.
▪ Other SSL/TLS-related issues may be associated with validating the certificate of a web server.
When this occurs, web browsers will display a security warning. PKI-related issues that are
associated with security warnings include:
• Validity date range - The X.509v3 certificates specify “not before” and “not after” dates.
If the current date is outside the range, the web browser displays a message.
• Signature validation error - If a browser cannot validate the signature on the certificate,
there is no assurance that the public key in the certificate is authentic.

Some of these issues can be avoided due to the fact that the SSL/TLS protocols are extensible and
modular. This is known as a cipher suite. The key components of the cipher suite are the Message
Authentication Code Algorithm (MAC), the encryption algorithm, the key exchange algorithm, and the
authentication algorithm. These can be changed without replacing the entire protocol. This is very helpful
because the different algorithms continue to evolve. As cryptanalysis continues to reveal flaws in these
algorithms, the cipher suite can be updated to patch these flaws. When the protocol versions within the
cipher suite change, the version number of SSL/TLS changes as well.

Encryption and Security Monitoring

▪ Network monitoring becomes more challenging when packets are encrypted.

▪ Because HTTPS introduces end-to-end encrypted HTTP traffic (via TLS/SSL), it is not as easy to
peek into user traffic.
▪ Here is a list of some of the things that a security analyst could do:
 • Configure rules to distinguish between SSL and non-SSL traffic, HTTPS and non-HTTPS SSL
traffic.
• Enhance security through server certificate validation using CRLs and OCSP.
• Implement antimalware protection and URL filtering of HTTPS content.
• Deploy a Cisco SSL Appliance to decrypt SSL traffic and send it to intrusion prevention
system (IPS) appliances to identify risks normally hidden by SSL.

There are two main ways in which cryptography impacts security investigations. First, attacks can
be directed to specifically target the encryption algorithms themselves. After the algorithm has been
cracked and the attacker has obtained the keys, any encrypted data that has been captured can be
decrypted by the attacker and read, thus exposing private data. The security investigation is also affected
because data can be hidden in plain sight by encrypting it. For example, command and control traffic that
is encrypted with TLS/SSL most likely cannot be seen by a firewall. The command and control traffic
between a command and control server and an infected computer in a secure network cannot be stopped
if it cannot be seen and understood. The attacker would be able to continue using encrypted commands
to infect more computers and possibly create a botnet. This type of traffic can be detected by decrypting
the traffic and comparing it with known attack signatures, or by detecting anomalous TLS/SSL traffic. This
is either very difficult and time consuming, or a hit-or-miss process