Network Security Concepts
3.2. Threat Actors
3.2.1 The Hacker
3.2.2 Evolution of Hackers
Hacking began in the 1960s with phone phreaking, where audio frequencies were used to manipulate phone systems, as telephone switches relied on tones to signal different functions.
3.2.3 Cyber Criminals
Cybercriminals are estimated to steal billions from consumers and businesses, operating in an underground economy where they buy, sell, and trade attack toolkits, zero-day exploit code, botnet services, banking Trojans, keyloggers, and more.
3.2.4 Hacktivists
Two examples of hacktivist groups are Anonymous and the Syrian Electronic Army.
3.2.5 State-Sponsored Hackers
State-sponsored hackers create advanced, customized attack code, often using previously undiscovered software vulnerabilities called zero-day vulnerabilities.
3.3. Threat Actor Tools
3.3.1 Video - Threat Actor Tools
3.3.2 Introduction to Attack Tools
To exploit a vulnerability, a threat actor must have a technique or tool.
3.3.3 Evolution of Security Tools
Ethical hacking involves many different types of tools used to test the network and keep its data secure.
3.3.4 Attack Types
Threat actors can use the previously mentioned attack tools, or a combination of tools, to create attacks. The table displays common types of attacks.
3.1. Current State of Cybersecurity
3.1.1 Current State of Affairs
A secure network protects users and business interests. Organizations need individuals who can recognize the growing threats, and all users should understand the security terms.
3.1.2 Vectors of Network Attacks
An attack vector is a path through which a threat actor can access a server, host, or network, originating from either inside or outside the corporate network.
3.1.3 Data Loss
Data loss or data exfiltration is when data is intentionally or unintentionally lost, stolen, or leaked to the outside world.
3.0 Introduction
This module may involve using a virtual machine to demonstrate cyberattacks, with experimentation depending on the instructor and institution.
3.6. IP Vulnerabilities and Threats
Threat actors often use amplification and reflection techniques to create DoS attacks.
Amplification - The threat actor forwards ICMP echo request messages to many hosts. These messages contain the source IP address of the victim.
Reflection - These hosts all reply to the spoofed IP address of the victim to overwhelm it.
Spoofing attacks can be non-blind or blind:
Non-blind spoofing - The threat actor can see the traffic that is being sent between the host and the target. The threat actor uses non-blind spoofing to inspect the reply packet from the target victim. Non-blind spoofing determines the state of a firewall and sequence-number prediction. It can also hijack an authorized session.
Blind spoofing - The threat actor cannot see the traffic that is being sent between the host and the target. Blind spoofing is used in DoS attacks.
3.7. TCP and UDP Vulnerabilities
TCP segment information appears immediately after the IP header. The fields of the TCP segment and the flags for the Control Bits field are displayed in the figure.
Reliable delivery - TCP incorporates acknowledgments to guarantee delivery, instead of relying on upper-layer protocols to detect and resolve errors. If a timely acknowledgment is not received, the sender retransmits the data. Requiring acknowledgments of received data can cause substantial delays. Examples of application layer protocols that make use of TCP reliability include HTTP, SSL/TLS, FTP, DNS zone transfers, and others.
Flow control - TCP implements flow control to address the delays that acknowledging every segment would cause. Rather than acknowledge one segment at a time, multiple segments can be acknowledged with a single acknowledgment segment.
Stateful communication - TCP stateful communication between two parties occurs during the TCP three-way handshake. Before data can be transferred using TCP, a three-way handshake opens the TCP connection, as shown in the figure. If both sides agree to the TCP connection, data can be sent and received by both parties using TCP.
The TCP SYN Flood attack exploits the TCP three-way handshake. The figure shows a threat actor continually sending TCP SYN session request packets with a randomly spoofed source IP address to a target. The target device replies with a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP ACK packet. Those responses never arrive.
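Because the SYN packets carry randomly spoofed sources, per-source rate limits see only one SYN from each address; the usable signal is on the victim side, where the half-open queue fills with entries that never complete. The following is an added example (not part of the course material) that checks a connection table, in the shape a tool such as `ss` or a firewall state table would list it, for that condition; the rows and thresholds are constructed for illustration.

```python
from collections import Counter

# Connection-table rows: (src_ip, local_port, state). Constructed sample data
# for this example; a real monitor would read them from the host or firewall.

def half_open_by_port(conn_table):
    """Count SYN_RECV (half-open) entries and distinct source IPs per local port."""
    rows = [c for c in conn_table if c[2] == "SYN_RECV"]
    count = Counter(port for _, port, _ in rows)
    distinct = {p: len({src for src, port, _ in rows if port == p}) for p in count}
    return count, distinct

def syn_flood_suspected(conn_table, backlog_threshold=64):
    """Flag ports whose half-open backlog is large AND fed by many distinct sources.

    A single misbehaving client produces many half-open entries from one IP;
    a SYN flood with spoofed sources produces roughly one entry per address,
    so the distinct-source count tracks the backlog size.
    Returns {port: (half_open_count, distinct_sources)} for suspicious ports.
    """
    count, distinct = half_open_by_port(conn_table)
    return {p: (count[p], distinct[p]) for p in count
            if count[p] >= backlog_threshold and distinct[p] >= count[p] // 2}

def constructed_flood(n=100, port=443):
    """Build a table with n half-open entries from n different (fake) sources
    plus two ordinary rows, to stand in for a captured state table."""
    table = [(f"203.0.113.{i}", port, "SYN_RECV") for i in range(n)]
    table += [("192.168.10.10", 443, "ESTABLISHED"),
              ("192.168.10.11", 22, "SYN_RECV")]
    return table

if __name__ == "__main__":
    for port, (half_open, sources) in syn_flood_suspected(constructed_flood()).items():
        print(f"port {port}: {half_open} half-open connections from {sources} sources")
```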
A TCP reset attack can be used to terminate TCP communications between two hosts. TCP can terminate a connection in a civilized (i.e., normal) manner or in an uncivilized (i.e., abrupt) manner.
The UDP segment structure, shown in the figure, is much smaller than TCP’s segment structure.
UDP is not protected by any encryption. You can add encryption to UDP, but it is not available by default. The lack of encryption means that anyone can see the traffic, change it, and send it on to its destination.
3.8. IP Services
Hosts broadcast an ARP Request to other hosts on the segment to determine the MAC address of a host with a particular IP address. All hosts on the subnet receive and process the ARP Request. The host with the matching IP address in the ARP Request sends an ARP Reply.
ARP Cache Poisoning
ARP Request
The figure shows how ARP cache poisoning works. PC-A requires the MAC address of its default gateway (R1); therefore, it sends an ARP Request for the MAC address of 192.168.10.1.
ARP Reply
In this figure, R1 updates its ARP cache with the IP and MAC addresses of PC-A. R1 sends an ARP Reply to PC-A, which then updates its ARP cache with the IP and MAC addresses of R1.
Spoofed Gratuitous ARP Replies
In the figure, the threat actor sends two spoofed gratuitous ARP Replies using its own MAC address for the indicated destination IP addresses. PC-A updates its ARP cache with its default gateway which is now pointing to the threat actor’s host MAC address. R1 also updates its ARP cache with the IP address of PC-A pointing to the threat actor’s MAC address.
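The two spoofed gratuitous replies leave a recognisable trace: a known IP-to-MAC binding changes, and one MAC ends up claiming several IP addresses. The following is an added example (not from the course material) of a small ARP-reply monitor that reports both conditions and refuses to apply the rebinding, in the spirit of what dynamic ARP inspection does at the switch; the MAC addresses and PC-A's IP are constructed placeholders, while 192.168.10.1 is R1's address from the text.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    sender_ip: str     # IP address the reply claims to answer for
    sender_mac: str    # MAC address the reply binds to that IP
    gratuitous: bool   # True if unsolicited (no matching ARP Request seen)

def monitor_arp(replies, static_bindings):
    """Check each reply against a table of known IP->MAC bindings.

    Returns (alerts, table). The table starts from static_bindings (here the
    gateway R1) and learns a new host from the first reply seen for it.
    A later reply that rebinds a known IP is reported and NOT applied.
    """
    table = dict(static_bindings)
    ips_per_mac = defaultdict(set)
    alerts = []
    for r in replies:
        known = table.get(r.sender_ip)
        if known is None:
            table[r.sender_ip] = r.sender_mac
            ips_per_mac[r.sender_mac].add(r.sender_ip)
            continue
        if known != r.sender_mac:
            kind = "gratuitous" if r.gratuitous else "solicited"
            alerts.append(f"{kind} reply rebinds {r.sender_ip} "
                          f"from {known} to {r.sender_mac}")
            ips_per_mac[r.sender_mac].add(r.sender_ip)
            if len(ips_per_mac[r.sender_mac]) > 1:
                alerts.append(f"{r.sender_mac} now claims "
                              f"{sorted(ips_per_mac[r.sender_mac])}")
    return alerts, table

# Constructed sample exchange; MACs are illustrative placeholders.
R1_MAC, PCA_MAC = "00:00:0c:00:00:01", "00:00:0c:00:00:0a"
ATTACKER_MAC = "de:ad:be:ef:00:99"
SAMPLE = [
    ArpReply("192.168.10.1", R1_MAC, False),        # R1 answers PC-A's request
    ArpReply("192.168.10.10", PCA_MAC, False),      # PC-A learned as a new host
    ArpReply("192.168.10.1", ATTACKER_MAC, True),   # spoofed: "R1 is at attacker"
    ArpReply("192.168.10.10", ATTACKER_MAC, True),  # spoofed: "PC-A is at attacker"
]

if __name__ == "__main__":
    for alert in monitor_arp(SAMPLE, {"192.168.10.1": R1_MAC})[0]:
        print("ALERT:", alert)
```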
DHCP servers dynamically provide IP configuration information to clients. The figure shows the typical sequence of a DHCP message exchange between client and server.
DHCP Attacks
Client Broadcasts DHCP Discovery Messages. In the figure, a legitimate client connects to the network and requires IP configuration parameters. The client broadcasts a DHCP Discover request looking for a response from a DHCP server. Both servers receive the message.
DHCP Servers Respond with Offers. The figure shows how the legitimate and rogue DHCP servers each respond with valid IP configuration parameters. The client replies to the first offer received.
Client Accepts Rogue DHCP Request. In this scenario, the client received the rogue offer first. It broadcasts a DHCP request accepting the parameters from the rogue server, as shown in the figure. The legitimate and rogue server each receive the request.
Rogue DHCP Acknowledges the Request. Only the rogue server unicasts a reply to the client to acknowledge its request, as shown in the figure. The legitimate server stops communicating with the client because the request has already been acknowledged.
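The exchange above turns on one client rule: whichever Offer arrives first wins. The following is an added example (not from the course material) that models that rule and the defender-side counterpart, a DHCP-snooping style filter that drops Offers whose server identifier is not an authorised server before the client ever sees them. The server and offered addresses are constructed; 192.168.10.1 is reused from the text as the legitimate server.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DhcpOffer:
    server_id: str    # DHCP server identifier option in the OFFER
    offered_ip: str
    router: str       # default gateway the client would be handed
    dns: str
    arrival_ms: int   # when the client saw this OFFER

def client_chooses(offers):
    """Client behaviour from the text: accept the first OFFER that arrives."""
    return min(offers, key=lambda o: o.arrival_ms) if offers else None

def snooping_filter(offers, trusted_servers):
    """Drop OFFERs that do not come from an authorised server.

    Mirrors DHCP snooping, where server messages are only accepted from
    trusted ports; here trust is keyed on the server identifier instead.
    Returns (kept, dropped) so the dropped ones can be logged.
    """
    kept, dropped = [], []
    for o in offers:
        (kept if o.server_id in trusted_servers else dropped).append(o)
    return kept, dropped

# Constructed sample: the rogue server answers 4 ms faster and points the
# client's gateway and DNS at itself.
LEGIT = DhcpOffer("192.168.10.1", "192.168.10.50", "192.168.10.1", "192.168.10.1", 12)
ROGUE = DhcpOffer("192.168.10.200", "192.168.10.50", "192.168.10.200", "192.168.10.200", 8)
TRUSTED = {"192.168.10.1"}

if __name__ == "__main__":
    chosen = client_chooses([LEGIT, ROGUE])
    print("unfiltered: client takes offer from", chosen.server_id, "gateway", chosen.router)
    kept, dropped = snooping_filter([LEGIT, ROGUE], TRUSTED)
    print("filtered:   client takes offer from", client_chooses(kept).server_id,
          "| dropped", [o.server_id for o in dropped])
```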
3.9. Network Security Best Practices
Confidentiality, Integrity, and Availability
Protecting Against Network Attacks
Firewall Operation
IPS Operation
Content Security Appliances. Content security appliances include fine-grained control over email and web browsing for an organization’s users.
3.10. Cryptography
Hash Functions
MD5 with 128-bit Digest
SHA Hashing Algorithm
Origin Authentication
HMAC Hashing Algorithm
Creating the HMAC Value
Verifying the HMAC Value
Cisco Router HMAC Example
Asymmetric Encryption Example
Diffie-Hellman (DH) is an asymmetric mathematical algorithm where two computers generate an identical shared secret key without having communicated before.
Symmetric Encryption Example
3.4. Malware
3.4.1 Overview of Malware
3.4.2 Viruses and Trojan Horses
3.4.3 Other Types of Malware
3.5. Common Network Attacks
3.5.2 Video - Reconnaissance Attacks
3.5.3 Reconnaissance Attacks
Performing Ping Sweeps
Performing Port Scans
3.5.4 Video - Access and Social Engineering Attacks
3.5.5 Access Attacks
Trust Exploitation Example
Port Redirection Example
Man-in-the-Middle Attack Example
Buffer Overflow Attack
3.5.6 Social Engineering Attacks
3.5.8 Video - Denial of Service Attacks
3.5.9 DoS and DDoS Attacks