Network & Information Security Training
Sunit Mahajan
Basics of Networks
Introduction to Network Security
Security Threats Risks & Attacks
Securing Networks & Data
OSI Model
Mnemonic, top down from Application (7) to Physical (1), the "complicated way":
All People Seem To Need Data Processing
Mnemonic, bottom up from Physical (1) to Application (7), the "simple way" (Marathi; the initials P-D-N-T-S-P-A give the layer names):
Porgi Dili Nahi Tar Saral Palaun Aana
OSI Model
OSI Layer            Layer Description (protocol data unit)
Application (7)      Data
Presentation (6)     Data
Session (5)          Data
Transport (4)        Segment
Network (3)          Packet
Data Link (2)        Frame
Physical (1)         Bits
The TCP three-way handshake is how TCP sets up a TCP/IP connection over an IP-based network. As the
name implies, establishing a TCP connection takes three actions:
1. The client that would like to establish a connection with the remote server sends a SYN
(synchronize) packet.
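The handshake as a small state machine, added here as an example that is not part of the training deck: it models the three segments exchanged and the half-open table the server keeps between step 1 and step 3. The addresses, sequence numbers and the Segment/Server names are constructed for the example.

```python
# Added example (not from the training deck): a minimal model of the TCP
# three-way handshake and of the server-side connection table it creates.
# Sequence numbers are constructed sample values; no real sockets are used.
from dataclasses import dataclass, field

@dataclass
class Segment:
    src: str            # sender address, e.g. "10.0.0.5"
    flags: set          # subset of {"SYN", "ACK"}
    seq: int            # sequence number carried by this segment
    ack: int = 0        # acknowledgement number (meaningful only with ACK set)

@dataclass
class Server:
    isn: int = 1000                                 # server's initial sequence number (constructed)
    half_open: dict = field(default_factory=dict)   # client -> ACK number that completes step 3
    established: set = field(default_factory=set)

    def receive(self, seg):
        """Handle one incoming segment; return the reply segment or None."""
        if seg.flags == {"SYN"}:
            # Step 1 received: answer with a SYN-ACK (step 2) that acknowledges
            # seq+1, and keep the connection half-open until the final ACK.
            self.half_open[seg.src] = self.isn + 1
            return Segment(src="server", flags={"SYN", "ACK"}, seq=self.isn, ack=seg.seq + 1)
        if seg.flags == {"ACK"} and seg.src in self.half_open:
            # Step 3: the ACK must acknowledge the server's ISN + 1.
            if seg.ack == self.half_open[seg.src]:
                del self.half_open[seg.src]
                self.established.add(seg.src)
        return None  # anything else is ignored in this model

def client_handshake(server, src, client_isn):
    """Drive all three steps for one client; True if the server reached ESTABLISHED."""
    synack = server.receive(Segment(src=src, flags={"SYN"}, seq=client_isn))
    if synack is None or synack.ack != client_isn + 1:
        return False                      # server did not acknowledge our SYN
    server.receive(Segment(src=src, flags={"ACK"}, seq=client_isn + 1, ack=synack.seq + 1))
    return src in server.established

def half_open_count(server):
    """Connections stuck after step 1; a pile of these is what a SYN flood leaves behind."""
    return len(server.half_open)

if __name__ == "__main__":
    s = Server()
    print(client_handshake(s, "10.0.0.5", 500))                 # True
    s.receive(Segment(src="10.0.0.9", flags={"SYN"}, seq=7))   # SYN that never gets its ACK
    print(half_open_count(s))                                   # 1
```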
Introduction to Security
The network is the medium on which information travels.
Financial Losses
Reputational Damage
Data Loss
Customer Dissatisfaction
Employee Dissatisfaction
CIA TRIAD
How do we achieve security?
Network security controls cannot completely eliminate risk; they can only minimize it as
much as possible.
People: awareness
Process: how to detect breaches, asset audits
Tools: various security software products
(Diagram: People, Process and Tools together give Security)
Security Risk
Malware
Virus
Rogue Security Software
Trojan Horse
Worm
Phishing
Spam
Botnets
Open Firewall ports
Missing Security patches
Privilege escalation
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an
operating system or software application to gain elevated access to resources that are normally
protected from an application or user.
Types of Attacks
Passive Attack
A passive attack monitors unencrypted traffic and looks for clear-text passwords and sensitive information that can be used in other
types of attacks. Passive attacks include traffic analysis, monitoring of unprotected communications, decrypting weakly encrypted traffic, and
capturing authentication information such as passwords. Passive interception of network operations enables adversaries to see upcoming
actions. Passive attacks result in the disclosure of information or data files to an attacker without the consent or knowledge of the user.
Active Attack
In an active attack, the attacker tries to bypass or break into secured systems. This can be done through stealth, viruses, worms, or
Trojan horses. Active attacks include attempts to circumvent or break protection features, to introduce malicious code, and to steal or modify
information. These attacks are mounted against a network backbone, exploit information in transit, electronically penetrate an enclave, or
attack an authorized remote user during an attempt to connect to an enclave. Active attacks result in the disclosure or dissemination of data
files, DoS, or modification of data.
Distributed Attack
A distributed attack requires that the adversary introduce code, such as a Trojan horse or back-door program, into a trusted
component or software that will later be distributed to many other companies and users. Distribution attacks focus on the malicious
modification of hardware or software at the factory or during distribution. These attacks introduce malicious code such as a back door into a
product to gain unauthorized access to information or to a system function at a later date.
Insider Attack
An insider attack involves someone from the inside, such as a disgruntled employee, attacking the network. Insider attacks can be
malicious or non-malicious. Malicious insiders intentionally eavesdrop, steal, or damage information; use information in a fraudulent manner; or
deny access to other authorized users. Non-malicious attacks typically result from carelessness, lack of knowledge, or intentional circumvention
of security for such reasons as performing a task
Close-in Attack
A close-in attack involves someone attempting to get physically close to network components, data, and systems
in order to learn more about a network. Close-in attacks consist of ordinary individuals attaining close physical proximity to
networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information. Close physical
proximity is achieved through surreptitious entry into the network, open access, or both.
Social engineering
The attacker compromises the network or system through social interaction with a person, through an e-mail
message or a phone call. The attacker can use various tricks to get the victim to reveal information about the company's security. The
information that the victim reveals to the hacker is most likely used in a subsequent attack to gain unauthorized
access to a system or network.
Phishing Attack
In a phishing attack, the hacker creates a fake web site that looks exactly like a popular site, such as the SBI bank site or
PayPal. The phishing part of the attack is that the hacker then sends an e-mail message trying to trick the user into clicking
a link that leads to the fake site. When the user attempts to log on with their account information, the hacker records the
username and password and then tries that information on the real site.
Hijack attack
In a hijack attack, a hacker takes over a session between you and another individual and
disconnects the other individual from the communication. You still believe that you are talking to the original party and
may send private information to the hacker by accident.
Spoof attack
In a spoof attack, the hacker modifies the source address of the packets he or she is
sending so that they appear to be coming from someone else. This may be an attempt to bypass your firewall
rules.
Buffer overflow
A buffer overflow attack is when the attacker sends more data to an application than
it expects. A buffer overflow attack usually results in the attacker gaining administrative access to the system
in a command prompt or shell.
Exploit attack
In this type of attack, the attacker knows of a security problem within an operating
system or a piece of software and leverages that knowledge by exploiting the vulnerability.
Password attack
An attacker tries to crack the passwords stored in a network account database or a
password-protected file. There are three major types of password attacks: a dictionary attack, a brute-force
attack, and a hybrid attack. A dictionary attack uses a word list file, which is a list of potential passwords. A
brute-force attack is when the attacker tries every possible combination of characters.
Denial-of-Service Attack
The denial-of-service attack prevents normal use of your computer or network by valid users.
After gaining access to your network, the attacker can do any of the following:
Divert the attention of your internal Information Systems staff so that they do not see the intrusion immediately,
which allows the attacker to make more attacks during the diversion.
Send invalid data to applications or network services, which causes abnormal termination or behaviour of the
applications or services.
Flood a computer or the entire network with traffic until a shutdown occurs because of the overload.
Block traffic, which results in a loss of access to network resources by authorized users.
Man-in-the-Middle Attack
As the name indicates, a man-in-the-middle attack occurs when someone between you and the person with whom you
are communicating is actively monitoring, capturing, and controlling your communication transparently. For example,
the attacker can re-route a data exchange. When computers are communicating at low levels of the network layer, the
computers might not be able to determine with whom they are exchanging data.
Man-in-the-middle attacks are like someone assuming your identity in order to read your message. The person on the
other end might believe it is you because the attacker might be actively replying as you to keep the exchange going and
gain more information. This attack is capable of the same damage as an application-layer attack, described later in this
section.
Firewalls
Intrusion Detection Systems/ Intrusion Prevention Systems
Routers
Switches
Encryption
Vulnerability Management
Antivirus Solution
VPN
DDoS protection
Privileged Identity Management
Network Anomaly Detection
SIEM
Firewalls
A firewall is one of the most essential technologies used at the perimeter of a network to protect
internal networks from external threats.
Allow only the access that is legitimately required for an authorized business purpose: specific protocols,
source/destination addresses and ports.
Deny everything that is not explicitly allowed.
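A first-match rule evaluator that applies the policy above, added here as an example that is not part of the training deck. The rule table, the addresses and the matches/decide/audit names are constructed; real firewalls additionally track connection state.

```python
# Added example (not from the training deck): a first-match rule evaluator that
# enforces "deny everything that is not explicitly allowed". Rules and packets
# are constructed sample data.
from ipaddress import ip_address, ip_network

# Each rule: (action, protocol, source network, destination network, destination port).
# "any" matches every protocol / port; networks are CIDR strings.
RULES = [
    ("allow", "tcp", "0.0.0.0/0",  "203.0.113.10/32", 443),   # public web server
    ("allow", "tcp", "10.0.0.0/8", "203.0.113.20/32", 22),    # admin SSH from inside only
    ("allow", "udp", "10.0.0.0/8", "203.0.113.53/32", 53),    # internal DNS
    # No explicit "deny all" rule is needed: the default in decide() denies.
]

def matches(rule, pkt):
    """True when every field of the rule covers the packet."""
    _action, proto, src_net, dst_net, port = rule
    return ((proto == "any" or proto == pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(src_net)
            and ip_address(pkt["dst"]) in ip_network(dst_net)
            and (port == "any" or port == pkt["dport"]))

def decide(pkt, rules=RULES, default="deny"):
    """Return the action of the first matching rule, else the default action."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[0]
    return default

# Constructed sample packets.
SAMPLE = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443},   # allowed
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.20", "dport": 22},    # SSH from outside
    {"proto": "tcp", "src": "10.1.2.3",     "dst": "203.0.113.20", "dport": 22},    # SSH from inside
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 8080},  # unlisted port
]

def audit(rules=RULES, packets=SAMPLE):
    """Compare default-deny with an 'allow by default' misconfiguration:
    returns (dport, decision with default deny, decision with default allow)."""
    return [(p["dport"], decide(p, rules), decide(p, rules, default="allow")) for p in packets]
```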
Types of Firewalls
1. Next-Generation Firewalls (NGFW): firewalls enhanced with intrusion prevention and application intelligence
2. UTM: UTMs deliver enterprise-class network security with a stateful-inspection firewall, VPN and IPS,
offering "Layer 8" (human) identity-based controls and Layer 7 application visibility and controls
IDS/IPS
Intrusion detection systems (IDS) are network security appliances that monitor
network and/or system activities for malicious activity.
Why IDS/IPS
Firewalls allow traffic only to legitimate hosts and services
Traffic to the legitimate hosts/services can still carry attacks
(HTTP attacks, SQL injection attacks)
Solution?
IDS/IPS
Monitor data and behavior
Report when attacks identified
Types of IDS/IPS
Signature-based IDS
Anomaly-based IDS
Network-based IDS
Host-based IDS
Signature-based IDS
Characteristics
Uses known pattern matching to signify an attack
Advantages?
Widely available
Fairly fast
Easy to implement
Easy to update
Disadvantages?
Cannot detect attacks for which it has no signature
Anomaly-based IDS
Characteristics
Uses statistical model or machine learning engine to characterize normal usage behaviors
Advantages?
Can detect attempts to exploit new and unforeseen vulnerabilities
Can recognize authorized usage that falls outside the normal pattern
Disadvantages?
Generally slower and more resource-intensive than a signature-based IDS
Greater complexity, difficult to configure
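The two detection styles of the preceding slides (signature-based and anomaly-based) run over the same constructed web-server log, added here as an example that is not part of the training deck. The signature regexes, the per-client request baseline, the 3-sigma threshold and the function names are assumptions; note that each detector misses what the other catches.

```python
# Added example (not from the training deck): a signature detector and a simple
# statistical anomaly detector applied to the same constructed access-log lines.
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample access-log lines: "client path status".
LOG = [
    "10.0.0.5 /index.html 200",
    "10.0.0.5 /login 200",
    "10.0.0.8 /search?q=shoes 200",
    "10.0.0.8 /login?user=admin'%20OR%20'1'='1 500",                         # SQL injection attempt
    "10.0.0.9 /report.php?id=1%20UNION%20SELECT%20password%20FROM%20users 500",  # SQL injection attempt
] + ["10.0.0.7 /login 401" for _ in range(40)]   # burst of failed logins, no known signature

# Signature-based IDS: known patterns that signify an attack (assumed signatures).
SIGNATURES = {
    "sqli_quote_or": re.compile(r"'(%20|\s)*OR(%20|\s)*'", re.I),
    "sqli_union":    re.compile(r"UNION(%20|\s)+SELECT", re.I),
}

def signature_alerts(lines):
    """Return (client, signature name) for every line matching a known pattern."""
    hits = []
    for line in lines:
        client, path, _status = line.split(" ", 2)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((client, name))
    return hits

# Anomaly-based IDS: characterize normal usage from a baseline, flag outliers.
BASELINE = [3, 2, 4, 3, 5, 2, 3, 4]   # constructed: normal requests per client per window

def anomaly_alerts(lines, baseline=BASELINE, sigmas=3.0):
    """Return clients whose request count lies more than `sigmas` standard
    deviations above the baseline mean; no signature is needed."""
    mu, sd = mean(baseline), pstdev(baseline)
    counts = Counter(line.split(" ", 1)[0] for line in lines)
    return [client for client, n in counts.items() if sd > 0 and (n - mu) / sd > sigmas]
```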
Network-based IDS/IPS
Characteristics
A NIDS examines raw packets on the network passively and triggers alerts
Advantages?
Easy deployment
Difficult to evade if done at a low level of network operation
Disadvantages?
Fail Open
Different hosts process packets differently
Needs the complete network topology and complete host behavior
Host-based IDS/IPS
Characteristics
Advantages
More accurate than NIDS
Less volume of traffic so less overhead
Disadvantages
Deployment is expensive
What happens when the host gets compromised?
Encryption
Encryption is a way to enhance the security of a
message or file by scrambling the contents so
that it can be read only by someone who has the
right encryption key to unscramble it.
Example: if you purchase something from a
website, the information for the transaction (such as
your address, phone number, and credit card
number) is usually encrypted to help keep it safe.
Encryption Usage
SSL certificate
Digital Signature
Drive Encryption
File Encryption
VPN
Secure Email
Denial of Service
A Denial of Service (DoS) attack is an attack against any system component that
attempts to force that component to limit, or even halt, normal services.
It temporarily or indefinitely interrupts or suspends the services of a host connected to the
Internet.
It is an attempt to make a machine or network resource unavailable to its
intended users.
Facts
Impact of DDoS (diagram: application-layer DDoS attack, protocol DoS attack, volume-based DDoS attack)
Types of Attacks
Volume-based DDoS attack or bandwidth attack: flood the
network with a high volume of traffic.
Protocol DoS attack or connectivity attack: flood a computer
with a high volume of connection requests.
Application-layer DDoS attack or application attack: send
specially crafted packets to the application.
Illegal botnets: botnets sometimes compromise computers whose security defenses have
been breached and control conceded to a third party. Each such compromised device,
known as a "bot", is created when a computer is penetrated by software from
a malware (malicious software) distribution.
Live Attacks
http://www.digitalattackmap.com/
http://map.norsecorp.com/#/
Vulnerability
Vulnerability management is the practice of identifying, classifying, remediating, and
mitigating vulnerabilities, especially in software and firmware.
Vulnerability management is integral to computer security and network security.
Vulnerability Scanner
Nessus
Qualys
OpenVAS
GFI LanGuard
Retina
Security Awareness
Antivirus Solution
Privileged Identity Management
Network Anomaly Detection
SIEM
PIM Vendors
Cyber-Ark
Hitachi ID Systems
Lieberman Software
Dell / Quest / e-DMZ
Cisco IOS NetFlow is a form of network telemetry that Cisco routers and switches can collect locally or push to a collector.
Data provided through NetFlow is similar to the information in a phone bill: the user can see who is talking
(source and destination IP address) and how long the conversations last (amount of traffic in terms of bytes
and packets).
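The "phone bill" view built from flow records, added here as an example that is not part of the training deck: it aggregates constructed NetFlow-style records per conversation and then uses the same data for the anomaly check this slide is about (a destination suddenly contacted by far more sources than normal). The record layout, the addresses and the function names are assumptions, not Cisco's export format.

```python
# Added example (not from the training deck): aggregate constructed flow records
# into a per-conversation "phone bill" and flag abnormal fan-in to one destination.
from collections import defaultdict

# Constructed flow records: (start_s, end_s, src, dst, dst_port, bytes, packets).
FLOWS = [
    (0,  12, "10.0.0.5", "203.0.113.10", 443, 48_000,  60),
    (3,  30, "10.0.0.8", "203.0.113.10", 443, 120_000, 150),
    (5,   6, "10.0.0.5", "203.0.113.53", 53,  300,     2),
] + [(40, 41, f"198.51.100.{i}", "203.0.113.20", 80, 60, 1) for i in range(1, 201)]  # 200 tiny flows

def phone_bill(flows):
    """Who talked to whom, for how long, and how much; keyed by (src, dst)."""
    bill = defaultdict(lambda: {"bytes": 0, "packets": 0, "seconds": 0})
    for start, end, src, dst, _port, nbytes, packets in flows:
        entry = bill[(src, dst)]
        entry["bytes"] += nbytes
        entry["packets"] += packets
        entry["seconds"] += end - start
    return dict(bill)

def top_talkers(flows, n=2):
    """The n conversations carrying the most bytes, largest first."""
    bill = phone_bill(flows)
    return sorted(bill, key=lambda key: bill[key]["bytes"], reverse=True)[:n]

def fan_in_alerts(flows, max_sources=50):
    """Destinations contacted by more distinct sources than the assumed normal
    maximum: the shape of a volume or connection flood rather than normal use."""
    sources = defaultdict(set)
    for _start, _end, src, dst, *_rest in flows:
        sources[dst].add(src)
    return {dst: len(srcs) for dst, srcs in sources.items() if len(srcs) > max_sources}
```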
Lancope StealthWatch
SIEM
Security information and event management (SIEM) is an approach to security
management that seeks to provide a holistic view of an organization's information
technology (IT) security.
A SEM (security event management) system centralizes the storage and interpretation of logs and allows near-real-time
analysis, which enables security personnel to take defensive actions more quickly.
A SIM (security information management) system collects data into a central repository for trend analysis and provides
automated reporting for compliance and centralized reporting.
With the two functions together, SIEM systems provide quicker identification, analysis and
recovery of security events.
They also allow compliance managers to confirm that they are fulfilling an organization's
legal compliance requirements.
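A toy SIEM pipeline, added here as an example that is not part of the training deck: logs from two sources with different formats are normalized into one central event list, and a correlation rule then runs over it. The log lines, their formats, the rule's threshold and the function names are constructed assumptions, not any vendor's schema.

```python
# Added example (not from the training deck): centralize two log formats into one
# schema, then correlate failed-then-successful logins from the same address.
import re
from collections import defaultdict

# Constructed raw logs from two sources that use different formats.
AUTH_LOG = [f"2024-05-01T10:00:0{i} sshd: Failed password for admin from 198.51.100.7"
            for i in range(1, 6)] + [
    "2024-05-01T10:00:09 sshd: Accepted password for admin from 198.51.100.7",
    "2024-05-01T10:05:00 sshd: Failed password for bob from 10.0.0.5",
    "2024-05-01T10:05:20 sshd: Accepted password for bob from 10.0.0.5",
]
FW_LOG = ["May  1 10:00:00 fw1 ACCEPT src=198.51.100.7 dst=203.0.113.20 dpt=22"]
FW_DATE = "2024-05-01"   # constructed: the day the firewall log was collected

def normalize(auth_lines, fw_lines):
    """Map each source's format onto one schema: (ts, source, event, ip, user)."""
    events = []
    for line in auth_lines:
        m = re.match(r"(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)", line)
        ts, outcome, user, ip = m.groups()
        events.append((ts, "auth", "login_fail" if outcome == "Failed" else "login_ok", ip, user))
    for line in fw_lines:
        m = re.match(r"\w+\s+\d+ (\d\d:\d\d:\d\d) \S+ (ACCEPT|DROP) src=(\S+)", line)
        events.append((f"{FW_DATE}T{m.group(1)}", "firewall", "fw_" + m.group(2).lower(), m.group(3), None))
    return sorted(events)   # ISO timestamps sort chronologically as plain strings

def brute_force_then_success(events, min_failures=5):
    """Correlation rule: at least min_failures failed logins from one IP followed
    by a successful login from that IP. Returns the offending (ip, user) pairs."""
    failures = defaultdict(int)
    alerts = []
    for _ts, _source, event, ip, user in events:
        if event == "login_fail":
            failures[ip] += 1
        elif event == "login_ok":
            if failures[ip] >= min_failures:
                alerts.append((ip, user))
            failures[ip] = 0
    return alerts
```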
SIEM Vendors
ArcSight
Splunk
IBM QRadar
RSA enVision
McAfee SIEM
Sample Dashboard
Questions???