CompTIA Network+ N10-008 – Network Security
The CIA Triad
Our networks are no longer fundamentally secure. When they developed all these networking standards, security was never at the forefront. Now, we’ve tried to bolt them on and add security as we go to make them more secure. But to begin with, a network is a very insecure place. And to make matters worse, networks are increasingly becoming more connected with other networks. So if my company starts doing business in partnership with your company, we may tie our networks together during that time, which would introduce all of your risks and vulnerabilities into my network. And so we have to be aware of this.
And these risks don’t just exist between partners or on the Internet. They also exist inside our own organizations. Your organisation may have numerous subnetworks, and when you tie them together, that’s going to start bringing that risk into the other networks as well. And we have to be careful to minimize or eliminate these risks. And that’s where network security comes into play. If we can understand the various threats that are facing our networks, then we’re going to be able to better defend our networks against the onslaught of cyberattacks that we face on a daily basis. Now, the way we look at security is based on what we call the CIA Triad. That stands for confidentiality, integrity, and availability. Now, if I can provide all three of those, I can secure the data inside the centre of this triangle. Now, that sounds really easy, but it’s really, really hard. And we’re going to talk about those three components of the CIA Triad in this lesson. The first one is confidentiality.
Now, confidentiality is concerned with keeping your data safe and private. We want to use things like encryption and authentication to verify that someone has the need to know and that they should be allowed to see that data. Now, by using encryption, we can ensure that the data can only be read or decoded by the intended recipient—the person who has that secret encryption key. We can use either symmetric encryption or asymmetric encryption. Now, if you’re not familiar with those concepts, we’re going to cover them for you here. Symmetric encryption is the basis of confidentiality. Both the sender and the receiver are going to use the exact same key.
So we go from plain text to cipher text using one key, and then we use that same key to put it back into plain text and be able to read it. Now, there are several different types of symmetric encryption out there, but in the case of the Network+ exam, there are three that we really want to focus on. We want to focus on DES, Triple DES, and AES. Now, DES is the Data Encryption Standard. It uses only a 56-bit encryption key to secure this data, and it was developed way back in the mid-1970s. So, about 40 years ago. As you can imagine, it wasn’t really that secure, and yet it’s still in use today with things like Simple Network Management Protocol version 3. This is considered weak encryption today, but it’s still better than nothing.
Because DES was so weak, this 56-bit key was simple to crack. As computers got stronger, they decided to take it and encrypt it, decrypt it, and then encrypt it again using three 56-bit keys to give you a total key strength of 168 bits. That is Triple DES. So you do this encrypt, decrypt, and encrypt cycle, making the data unreadable to somebody without all three of those keys. Finally, we have AES, or the Advanced Encryption Standard. Now, this is the modern, contemporary encryption system that we use on pretty much everything. Now, this is the preferred symmetric encryption standard in use today, and it’s used by WPA as well as BitLocker for data at rest.
This is available with 128-bit, 192-bit, or 256-bit encryption keys, making it very safe and very secure. Now, when we look at symmetric encryption, the sender and the receiver are both using the same key to encrypt and decrypt the message, which is great and makes it extremely fast. Symmetric encryption is almost a thousand times faster than the asymmetric encryption that we’re going to cover here in a second. But you do have one problem. We both have to have the same key. Now, if you and I have never met, how can I give you that key? And if I’m doing this on a large scale—let’s say I encrypted a folder on my Google Drive that I wanted to share with all of my students—that’s 30,000 people—I have to give them all the key.
Now, if I decided that I wanted one of them not to have access anymore, I would have to change the key for all 30,000 people and redistribute that. That’s the biggest problem you have with symmetric encryption. Even though it’s fast and secure, you have to figure out a way to get that shared secret key to all the users who need it. Now, how do we solve that? Well, enter asymmetric encryption. Asymmetric encryption is also used to give you confidentiality. It’s going to use different keys for the sender and the receiver. RSA is by far the most popular implementation of this, and it uses what we call “public key infrastructure,” or PKI. PKI is where we encrypt the data between an email sender and an email receiver. Or when you’re going on an e-commerce website like Amazon, you’re using PKI to do that key exchange.
Now, this can give you secure email exchange and secure web browsing, and it solves the problem of having to distribute those keys ahead of time. Now, how does asymmetric encryption work? Well, it works on the concept of having a key pair—a public key that anyone can know and a private key that only I can know. Let’s see how that works on the next slide. So, when we look at this, the sender and the receiver are both going to use different keys to encrypt and decrypt the message. So, in this case, if I’m the sender and I want to send something to the receiver, I’m going to use the receiver’s public key because everyone in the world can have that key. Now, once I’ve encrypted it using their public key, the only key in the entire world that will be able to open that message is the private key that matches it. And the only person who knows that private key is the receiver. This guarantees the confidentiality of the data. No one but the receiver can read it. In fact, once I encrypt that data, even I can’t read it because I don’t have the receiver’s private key.
Now, how does this work in e-commerce? Well, I said before that we can use asymmetric keys to be able to create an encryption tunnel and pass a symmetric key. And that’s what we do in e-commerce. So in this case, if I wanted to be the client and I wanted to go to Amazon to buy something, how would I do it? Well, first I’m going to request the website by going to https://amazon.com. When I go to the server, the server is going to hand me the public key. That public key is delivered in what we call a digital certificate. And when you buy a Verisign certificate for your server, Verisign is going to hold a copy of your public key that any client can get to and verify that it’s trusted. So my client goes to Verisign, which grabs Amazon’s public key, and then I create a random number and encrypt that random number using Amazon’s public key. I send that back over to the server because now Amazon is the only one who has their private key and can open that message. They then take that message, open it up, and they now have the random number that I chose.
We both now have a symmetric key—that random key that we just created. Now we both can create a tunnel, and the server and the client use that session key that I just created—that random number—to then communicate for the rest of the session, creating a nice, secure encrypted tunnel between me and the server. Now, why do I do it this way? Well, we could have used the asymmetric key and gone back and forth the entire time with that. The problem with that is that it’s so slow. Symmetric key encryption is about 1,000 times faster than asymmetric key encryption. And for that reason, we use an asymmetric key for the handshake and the exchange, and then we switch over to a symmetric key. Then we can get much faster speeds. Next, we have integrity. Now, integrity is all about ensuring that the data you have was not altered during storage or transit. This verifies that the source of the traffic originated from where you thought it came from, so we’re not being subjected to man-in-the-middle attacks or some sort of spoofing. Now, integrity violations can happen if there’s a defacement of your corporate web page, because that data has been changed. Altering e-commerce transactions is another: say that product that sells for $100 is now only selling for $10.
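The handshake walked through above (seal a random session key with the server's public key, then switch to the fast symmetric cipher for the rest of the session) as an added example, not code from the course. Because the Python standard library has no RSA or AES, a textbook RSA with small, freshly generated primes stands in for the certificate's key, and a SHA-256 counter keystream stands in for AES; both are labelled as toys in the code and neither is suitable for real traffic.

```python
"""Hybrid encryption walkthrough: toy RSA key transport plus a symmetric
stream cipher. Added example (not from the course); textbook RSA and a
SHA-256 keystream stand in for real RSA/TLS and AES."""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (probabilistic, fine for a demo)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set (toy key sizes only)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keypair(bits: int = 160):
    """Return (public, private) as ((e, n), (d, n)). Toy sizes, not for real use."""
    e = 65537
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)
    return (e, p * q), (d, p * q)


def rsa_encrypt(public, m: int) -> int:
    e, n = public
    return pow(m, e, n)


def rsa_decrypt(private, c: int) -> int:
    d, n = private
    return pow(c, d, n)


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric cipher stand-in: XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts. Stands in for AES (not in stdlib)."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        chunk = data[start:start + 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def client_hello(server_public):
    """Client side: pick a random session key and seal it with the server's public key."""
    session_key = secrets.token_bytes(32)  # 256-bit value, always smaller than n
    sealed = rsa_encrypt(server_public, int.from_bytes(session_key, "big"))
    return session_key, sealed


def server_open(server_private, sealed: int) -> bytes:
    """Server side: only the private key can recover the session key."""
    return rsa_decrypt(server_private, sealed).to_bytes(32, "big")


def run_session(message: bytes) -> dict:
    """Full exchange: RSA for the key, symmetric cipher for the bulk data."""
    server_pub, server_priv = rsa_keypair()
    client_key, sealed = client_hello(server_pub)
    server_key = server_open(server_priv, sealed)
    nonce = secrets.token_bytes(16)
    ciphertext = stream_xor(client_key, nonce, message)
    plaintext = stream_xor(server_key, nonce, ciphertext)
    return {"keys_match": client_key == server_key,
            "ciphertext_differs": ciphertext != message,
            "recovered": plaintext}


if __name__ == "__main__":
    print(run_session(b"constructed order: 1 x widget"))
</```

Only the small sealed integer ever travels under the slow public-key operation; every byte of the actual conversation goes through the symmetric cipher, which is the whole reason the lesson's handshake is shaped this way.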
So I took off a zero. That would be an integrity breach. Someone modifying electronically stored financial records is another: I decide to add a couple of zeros to my bank account balance. That would be an integrity breach, right? All of these are things that we don’t want to happen within our network. So how do we get integrity? Well, we use hashing. Just like we use encryption for confidentiality, for integrity we’re going to use hashing. And hashing is an algorithm that runs a string of data through it to generate a hash or hash digest. This serves as a unique individual fingerprint for a file. If you see here at the bottom of the screen, I have the word password written in three different ways: as password in all lowercase, as Password with a capital P, and then as Password with a capital P and a period at the end. Notice that the three hashes are vastly different. Those are MD5 hashes. Just adding the period or making it a capital letter instead of a lowercase is going to make it change significantly.
And that’s why they’re individual fingerprints. Now, once I’ve run this data through this algorithm, I get this hash. The data and the hash are sent to the receiver. The receiver gets the data, then runs it through the hashing algorithm on its own side, and compares the hash that it calculated with the hash that I sent. If they match, that means there was integrity in the transmission. If they don’t, it rejects the transmission and asks for it again because it assumes it was bad. Now, there are lots of different hashing algorithms. The first one is MD5, which is one of the oldest ones. MD5 is a 128-bit hash, works very well, and is still in use today. The biggest problem we had with MD5 is that the key space was only 128 bits; there were only so many combinations, and so the same hash could be produced by other inputs. So, for example, we have Jason here with his MD5 hash shown on the screen. There may be some other sequence that would give you that same hash. And that’s what we call a collision. We want to minimise collisions, and the best way to do that is to increase the key space. So we came up with SHA-1. SHA-1 is the Secure Hash Algorithm, version 1, and it is a 160-bit hash digest. But that still allowed collisions. So we moved up to SHA-256. Now, SHA-256 is a 256-bit hash digest, which gives us a lot of choices, a lot less overlap, and a lot fewer collisions. As you can see, that is a much longer hash digest than an MD5 hash.
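The sender-hashes, receiver-recomputes check from the paragraph above, as an added example that is not part of the course material. It shows the three algorithms the lesson names side by side, the fingerprint effect (password vs. Password vs. Password.), and one caveat the lesson's description leaves implicit: a plain digest sent alongside the data catches accidental corruption, but an on-path attacker who can change the data can recompute an unkeyed digest, so catching the lesson's $50 to $5,000 modification needs a keyed hash (HMAC) with a secret the attacker does not have. The message and key are constructed.

```python
"""Integrity with hash digests, and why a keyed hash (HMAC) is what actually
stops an on-path attacker. Added example, not from the course; the message
and key below are constructed."""
import hashlib
import hmac


def digests(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 hex digests of the same input, side by side."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def differing_bits(hex_a: str, hex_b: str) -> int:
    """How many bits differ between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_plain(data: bytes, sent_digest: str, algo: str = "sha256") -> bool:
    """Receiver side of the lesson: recompute the digest and compare."""
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), sent_digest)


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag; only holders of the shared key can produce it."""
    return hmac.new(key, data, "sha256").hexdigest()


def verify_keyed(key: bytes, data: bytes, sent_tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), sent_tag)


def tamper_demo(key: bytes, message: bytes) -> dict:
    """The lesson's $50 -> $5,000 modification, checked three ways."""
    sent_digest = hashlib.sha256(message).hexdigest()
    sent_tag = keyed_tag(key, message)
    altered = message.replace(b"$50 to account 12345", b"$5,000 to account 67890")
    return {
        # Plain digest sent alongside the data: catches corruption in transit.
        "plain_catches_change": not verify_plain(altered, sent_digest),
        # But whoever can change the data can also recompute an unkeyed digest,
        # and the receiver would then accept the altered message.
        "plain_fooled_by_recompute": verify_plain(
            altered, hashlib.sha256(altered).hexdigest()),
        # The keyed tag cannot be recomputed without the shared key.
        "hmac_catches_change": not verify_keyed(key, altered, sent_tag),
    }


if __name__ == "__main__":
    for word in (b"password", b"Password", b"Password."):
        print(word.decode(), digests(word))
    print(tamper_demo(b"constructed-shared-key", b"transfer $50 to account 12345"))
```

hmac.compare_digest is used for every comparison so that the check takes the same time whether the digests agree or not; a plain == on digest strings can leak how many leading characters matched.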
And finally, we have CRAM-MD5, the Challenge-Response Authentication Mechanism based on MD5, which is a common variant of MD5 that’s used in email systems for authentication. What are you going to run into in the real world? Well, you’re probably going to run into MD5 and SHA-256. Those are by far the two most common ones. The third component of the triad is availability, and availability is going to measure the accessibility of the data. Can I get to the data when I want to get to the data? That’s what we’re asking here. This is increased by designing redundant networks, and we’re going to talk about high availability and redundant networks in a separate lesson as we dig in deep there. Now, how is availability compromised? There are numerous things you can do to it. You can crash a router or a switch by sending improperly formatted data, like a “ping of death,” and that would turn off the router or the switch, making the network go down and failing your availability. You could flood a network with so much traffic that, even if the requests are legitimate, they can’t be processed; that’s something like a denial of service or distributed denial of service. And that could make your network fail as well. We’re going to dig into these availability attacks.
Network Security Attacks
Now, we’re going to talk about how you attack confidentiality, integrity, and availability. But because this is going to take a while, we’re going to break this up into two videos. First, we want to talk about network security attacks in general. Our goal with the CIA triad is to prevent attacks and to provide confidentiality, integrity, and availability. An attacker’s goal, on the other hand, is to break into our networks and cause an attack on confidentiality, integrity, or availability. Every attack out there is going to fall into one or more of these buckets. If it’s a confidentiality attack, it’s an attempt to make data viewable by the attacker. If it’s an integrity attack, the attacker is trying to modify or alter the data. If it’s an availability attack, the attacker is attempting to limit the availability, accessibility, usability, or functionality of your network. If they can do one or more of these things, they’re successful in attacking your network, and we want to stop that. So before we can stop it and talk about the security that we can add, we have to understand what types of attacks we’re subject to. First, we have attacks on confidentiality. This includes things like packet captures, where you’re sniffing the network and grabbing that traffic and capturing it, and wiretapping, where you punch into a network and are able to capture the data flowing across it.
Dumpster diving is when somebody goes through your trash and tries to find information that may help them seek out the information they’re looking for. A good example of this is if you work in healthcare and you finish printing out a patient’s record, should you throw it away or shred it? Well, obviously, you should shred it, because if you throw it in the garbage, somebody can pull it out of the garbage and get information like their name, their birthday, their Social Security number, their insurance information, their address, and all of that personal information. Our job is to protect that information and keep it safe from prying eyes. Now, some other things we see are ping sweeps and port scans. This is when somebody, as an attacker, starts touching the ports on your network to find out what’s open and what’s closed and seeing what information they can find out. Then there’s wireless interception. If you’re using WiFi, this makes packet capture so much easier because I don’t even have to bother with wiretapping. I can just start collecting information from the radio frequency spectrum. And when you have wired networks with copper, a determined attacker can actually collect your EMI, or electromagnetic interference, off the cable and put that back together as a series of ones and zeros.
A “man in the middle” attack is when your attacker puts himself between you and the destination and listens in on that conversation. By doing so, confidentiality is breached. And then we have social engineering. This is where they attempt to bypass all the technical controls and obtain information directly from your employees and people. And that is still considered a breach of confidentiality. If I call up your service desk and I’m able to get information out of them, I don’t even need my hands on the computer. I can just socially engineer them to get the information I need. And finally, malware and spyware. If your computer has been subject to a malware or spyware attack, it can be collecting information, logging your keystrokes, stealing your passwords, and more. All of these things are attacks on confidentiality. Next, we have attacks on integrity. And again, we have that man-in-the-middle attack, and you can see it came up twice here. So, in a few minutes, we’ll delve a little deeper into that one. Then there’s data diddling.
Data diddling is an attack on integrity because it changes the data before it’s stored, and that can be while it’s going over the network or while it’s being processed by your computer. There is also trust relationship exploitation. And this may be a little strange for you, but essentially, if we have two servers that trust each other and authenticate each other, and I can break into one server, well, it makes sense that now I have access to both because the other server is trusting it. Now, a salami attack is one that puts together many small attacks to create one larger attack. And so if I can do a little bit here and a little bit there, eventually that’s a large change in integrity. Password attacks are where you try to break someone’s password. You might do it by using a Trojan horse or a piece of malware. You may do it through packet capture or key logging, or you can brute-force guess it, or you can do a dictionary attack. It doesn’t really matter which way you do it. But if you’re able to steal their password in some way, you now have full rein to see the files that they have access to and to change those files, which makes it a huge attack on integrity.
Session Hijacking
When you make a connection to a web server, you create a unique session ID at random. If I can guess that session ID, I can use that already authenticated computer to hijack your session. Then we have botnets. This is a very specialised type of malware where your computer becomes a zombie and starts working on behalf of the attacker. Again, if you have malware on your machine, you can’t trust that machine. The integrity has been compromised. So let’s look specifically at the “man in the middle” attack. This is where we have data flowing through an attacker’s machine, where it can be intercepted and manipulated before it goes to its final destination. So in this example, I have a client, who is client number 12345, who wants to make a transaction with their bank. They’ve decided that they want to transfer $50 to their account. So they send out the message saying “transfer $50 to account 12345,” and they think it’s going directly to the banking server.
But they had no idea there was a man in the middle. So instead the attacker, whose account number is 67890, changes that and says “transfer $5,000 to 67890” and sends that on to the banking server using the authentication that the client has already created. So at this point, the banking server is none the wiser. And what do they do? They transfer the money over to the attacker, and the attacker now has an extra $5,000. Is this a confidentiality breach or an integrity breach? Well, it could be both. By changing the data, there’s an integrity breach: the amount went from $50 to $5,000 and the account number from 12345 to 67890. But most of these things will also tell you what your bank balance is, and that becomes a breach of confidentiality because now you’re getting detailed information about that user’s account. This is why we consider this a confidentiality and integrity breach: the attacker can change it, see it, and see everything that’s going on during this transaction. The next one we have is session hijacking.
Now, session hijacking is where the attacker tries to guess the session ID for a web session. And if they do that, they can then take over the client’s already-authorized session. So in the top one here, you see the client talking to the server, and it has a random session ID. The attacker is able to sniff that traffic or guess that session ID, and they can then take over that session and talk directly to the server, making changes to the already authorised session. Next, we have botnets. This is when you have a software robot that lives on a compromised computer. And this collection of computers, each of which is called a “zombie,” can be controlled by a remote server called a command and control server. And they’ll perform different types of actions on behalf of the criminals. So maybe I wanted to do a distributed denial of service, which we’re going to talk about in availability, and shut down that targeted server at the bottom. Well, I can’t do that from just my computer. But if I have 100,000 victim computers that are zombies and I tell them all to go focus on the wallstreetjournal.com website, I can crash that server, right? That’s the whole idea with a botnet: to steal just a little bit of the processing and network resources of each of these zombies. But all of those little things make a big impact.
Network Security Attacks, Part Two
In the last video, we talked about attacks on confidentiality and integrity. In this video, we’re going to focus on availability. So when we have an attack on availability, we’re trying to consume resources. Attacks can vary widely. But if we’re consuming server resources, whether that’s processing, disk space, or network connectivity, or even physically damaging the system, this is an attack on availability.
These include things like denial of service, distributed denial of service, TCP SYN floods, buffer overflows, ICMP attacks like Smurf, UDP attacks like Fraggle, the ping of death, electrical disturbances, and physical environment attacks. Now, we’re going to talk about a couple of these in this lesson.
Denial of Service
A denial of service occurs when one machine continually floods the victim server with requests for services, and the victim system simply can’t keep up. It runs out of memory and crashes. Notice here I’m sending it 10, 20, or 30 different packets of information at once. It can’t handle all of that because it’s a weak server, and it crashes. A denial of service is now very difficult to implement in most modern computing because one computer cannot send enough traffic to overwhelm a single server. But that’s why we have something that goes a little bit further, which is called a distributed denial of service. And in a distributed denial of service, we take multiple machines and focus them on one victim server. And so if I have 100, 1,000, or 100,000 computers all asking for access at the same time to the same server, it can consume all of its bandwidth and processing resources and cause it to crash. Either way, the concept is the same.
The next one is a type of denial of service known as a TCP SYN flood. Now in this case, the denial of service occurs when an attacker initiates multiple TCP sessions but never completes them. So if you remember that whole “three-way handshake” thing we talked about, the SYN, SYN-ACK, ACK: what happens here is the attacker puts out the SYN packet and says, “Hey, I want to connect to you.” The server says, “SYN-ACK, I want to talk to you,” and you never respond with the ACK. And so it’s kind of like when you have a three-year-old and they go, “Hey, Mommy. Hey, Mommy. Hey, Mommy. Hey, Mommy.” And you just get annoyed, and you can’t do anything. Well, that’s what’s happening here. Another variation is that when you send those SYN packets, you spoof your IP address. And so when the server goes to respond to you, it’s responding to somebody who wasn’t expecting it, and they never answer. And so you can see here on the screen, I have four different spoofed IPs being sent to the server. And so the server sends it back to those IPs that never respond. Next we have ICMP floods, also known as Smurf attacks.
This is when an attacker sends a ping to a subnet broadcast address, and then all the devices in that subnet are going to respond back, using up the bandwidth and processing power of that server. So in the example here, my attacker is going to spoof their source address and pretend that they’re the server. And so they send out the packet, saying, “Hey, I’m the server at 10.1.1.2.” And they send that to the broadcast address, which is 192.168.1.255. Now, that subnet has 254 clients on it that are all going to respond back to the server at once. And you can keep escalating this attack by sending it to multiple subnets and making multiple broadcasts, and that will just start overwhelming that server pretty darn quickly. Because we’re dealing with ICMP traffic, this is going to look like ping traffic. A lot of networks, to overcome this, don’t respond to ping traffic anymore, specifically for this reason. It just gets dropped at the firewall. This is an older attack, but if you find a misconfigured network, it may still work. Next, we have an electrical disturbance. And this is launched by interrupting or interfering with the electrical service provided to the system, whether that’s a switch, a router, or a server.
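What the two attacks above look like from the defender's side, as an added example that is not part of the course: a small detector run over constructed flow-log lines that flags (a) a target receiving many SYN-only flows from many distinct sources, the half-open pattern of a spoofed SYN flood, and (b) ICMP echo requests addressed to one of our own subnets' directed-broadcast addresses, the Smurf pattern. The log format, addresses (including the lesson's 10.1.1.2 and 192.168.1.255) and the threshold of 20 half-open flows are all assumptions made for the example.

```python
"""Flagging SYN-flood and Smurf indicators in flow records. Added example,
not from the course; the log lines, addresses and thresholds are constructed."""
import ipaddress
from collections import Counter, defaultdict

# Subnets this network owns; a ping to one of their broadcast addresses is suspect.
OWN_SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),
               ipaddress.ip_network("10.1.1.0/24")]

# Constructed flow log. 'flags' holds the cumulative TCP flags seen for the flow:
# "SA" means SYN and ACK were both observed, "S" means only a SYN ever arrived.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:0{i} proto=tcp src=192.168.1.{10 + i} dst=10.1.1.2 dport=443 flags=SA"
     for i in range(3)]
    + [f"2024-05-01T10:00:05 proto=tcp src=203.0.113.{i} dst=10.1.1.2 dport=443 flags=S"
       for i in range(1, 41)]
    + ["2024-05-01T10:00:06 proto=icmp src=10.1.1.2 dst=192.168.1.255 type=8"] * 2
    + ["2024-05-01T10:00:07 proto=icmp src=192.168.1.10 dst=192.168.1.20 type=8"]
)


def parse(line: str) -> dict:
    """Turn 'timestamp key=value ...' into a dict."""
    ts, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = ts
    return rec


def syn_flood_candidates(records, min_half_open: int = 20):
    """Targets receiving many SYN-only flows, with how many distinct sources sent them.
    Many sources behind one target with no completed handshakes is the spoofed-SYN pattern."""
    half_open = Counter()
    sources = defaultdict(set)
    for r in records:
        if r.get("proto") == "tcp" and r.get("flags") == "S":
            key = (r["dst"], r["dport"])
            half_open[key] += 1
            sources[key].add(r["src"])
    return [(dst, port, n, len(sources[(dst, port)]))
            for (dst, port), n in half_open.items() if n >= min_half_open]


def smurf_candidates(records, subnets=OWN_SUBNETS):
    """ICMP echo requests (type 8) addressed to one of our directed-broadcast addresses.
    The source is usually forged as the intended victim, so report it for follow-up."""
    hits = []
    for r in records:
        if r.get("proto") == "icmp" and r.get("type") == "8":
            dst = ipaddress.ip_address(r["dst"])
            if any(dst == net.broadcast_address for net in subnets):
                hits.append((r["src"], r["dst"]))
    return hits


def analyse(lines=SAMPLE_LOG) -> dict:
    """Run both detectors over a list of log lines."""
    records = [parse(line) for line in lines]
    return {"syn_flood": syn_flood_candidates(records),
            "smurf": smurf_candidates(records)}


if __name__ == "__main__":
    print(analyse())
```

The SYN-flood finding (one target, 40 half-open flows, 40 distinct sources) is the signature to look for: real clients complete their handshakes, so a target with hundreds of sources that only ever send SYNs is not seeing real clients. On the mitigation side, Linux hosts can turn on net.ipv4.tcp_syncookies, and the same Linux default of net.ipv4.icmp_echo_ignore_broadcasts=1, together with routers configured not to forward directed broadcasts, is what makes the Smurf attack fail on a correctly configured network, which is the "misconfigured network" caveat the lesson ends on.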
One of the ways we try to overcome this is by using uninterruptible power supplies, backup generators, line conditioners, and other things. But if you have a power spike, an electrical surge, a power fault, a blackout, a power sag, or a brownout, all of these electrical disturbances can cause outages to your system. Now notice that none of these are really focused on an attacker doing it. These types of things can all happen naturally. But do you see the transformer sitting there on the floor? What if a car decides to run into that transformer? It’s going to take out power in our neighborhood. And if that’s where our server farm is, we can lose power. And so this attack can happen as part of an attacker’s motive. But most often, electrical disturbances are going to happen naturally because of a power outage, a bad storm, or something of that nature. Next, we have the physical environment. Computing equipment can be damaged by influencing the physical environment it sits in. If you have a server room, we work really hard to make sure it has the right temperature and humidity. If the temperature is too high, the servers can overheat. If the temperature is too cold, they won’t operate efficiently. If we have too much humidity, that can create moisture in the air, which can be bad for our computers because computers and water don’t mix, right? First, temperature. This is when the attacker disturbs your HVAC system, which is your heating, ventilation, and air conditioning system. And they can do this to overheat your systems.
Most of our air conditioning units are outside our buildings, and there’s some sort of coolant system out there. And if I can attack that, I can overheat your systems. Second, we have humidity. If I can create a high level of moisture or humidity, that can short out your components as well. And third, gas. What if I started putting aerosols into your server room? Well, that could ignite based on the electrical equipment and the heat in that room. And that can cause a fire, which then destroys your physical environment. All of these threats are generally mitigated by using physical restrictions, access credentials, and visual monitoring. I put a fence around my building to keep people away from it. I install additional cameras to monitor my air conditioning units, humidity control systems, gas lines, and other similar equipment. By protecting your physical environment, you can protect the machines that are hosted there.