How does a firewall provide security to a network?
Define threats
A security threat is a risk that jeopardizes the smooth operation of a computer system. It could be adware or a harmful Trojan. As the world becomes more digital, concerns about computer security are growing.
2 Identify threat agents to organizations (Mat23)
- Nation states: Companies in specific industries, such as telecom, oil and gas, mining, power generation, and national infrastructure, may become targets for foreign states, either to disrupt operations today or to give that state a foothold to use in future times of tension.
- Non-target specific (ransomware, worms, Trojans, logic bombs, backdoors and viruses perpetrated by vandals and the general public):
  o The number of random attacks that take place every day is so large that any organization can become a victim.
  o The most famous example of a non-targeted attack is the WannaCry ransomware incident, which affected over 200,000 computers in 150 countries; in the UK, the NHS was shut down for several days. And of course there is the bored teenager in an attic somewhere, scouring the internet for weak links.
- Employees and contractors:
  o Machines and software programs are well protected against malware, as long as it is not a zero-day virus. Humans, whether maliciously or accidentally, are often the weakest link in security systems.
  o Common mistakes like sending an email to the wrong person happen, but you can usually spot the mistake quickly and correct the situation. Simple measures like password-protecting files can also help reduce the impact of such errors.
  o In other cases, companies need professional assistance and may hire contractors or external agencies who need access to systems and data. In many cases, these third parties may not have the same level of security as your own systems, even though they have access to the data you hold as controller, which can cause problems.
- Terrorists and hacktivists (political parties, media, enthusiasts, activists, vandals, general public, extremists, religious followers): As with the threat posed by nation states, the level of threat posed by these agents depends on your activities. However, the threat of indiscriminate attacks remains, as some terrorists seek to target specific industries and countries.
- Organized crime (local, national, transnational, specialist): Criminals target personal data for a variety of reasons: credit card fraud, identity theft, bank account fraud, and more. These crimes are now carried out on an industrial scale. Methods vary from phishing attacks to "watering hole" sites, but the end result is the same: your data is extracted and used for malicious purposes.
- Natural disasters (fire, flood, earthquake, volcano): While not cyberattacks, these events can have the same net impact on your ability to do business; the result is a data disaster either way. Earthquake risk is very low in the UK, but every year we see images of cities underwater.
- Corporates (competitors, partners): The threat of competitors stealing your IP is obvious, but organizations increasingly work with a number of partner organizations to fill skill and resource gaps or simply to provide services. Depending on their motives, these partner companies may unknowingly or maliciously steal or disclose your intellectual property or the personal information you hold.
3 List the types of threats that organizations will face (Lin23)
- Insider threats:
  o Insider threats occur when people close to your organization who have been granted access to your network intentionally or unknowingly misuse that access to compromise the organization's critical data and systems.
  o Careless employees who do not adhere to the organization's business rules and policies create an insider threat. For example, a customer's details could be accidentally emailed to an external party, a phishing link in an email could be clicked, or credentials could be shared with others. Contractors, business partners, and third parties are sources of other insider threats.
  o Some insiders deliberately circumvent security measures out of convenience or in ill-advised attempts to boost productivity. Malicious insiders can intentionally circumvent cybersecurity protocols to delete data, steal data for later sale or misuse, disrupt operations, or otherwise compromise the organization or cause damage.
- Viruses and worms:
  o Viruses and worms are malicious software programs (malware) designed to damage an organization's systems, data, and networks. A computer virus is malicious code that replicates by copying itself into another program, system, or host file. It remains dormant until someone intentionally or accidentally activates it, and it then spreads the infection without the user's or system administrator's knowledge or permission.
  o A computer worm is a self-replicating program that copies itself into a host program and spreads without human intervention. Its main function is to infect other computers while remaining active on the infected system. Worms often spread through automatic, invisible parts of the operating system. Once a worm enters a system, it immediately begins replicating itself and infecting poorly protected computers and networks.
- Botnets:
  o A botnet is a collection of internet-connected devices, such as PCs, mobile devices, servers, and IoT devices, that are infected and remotely controlled by a common type of malware. Botnet malware typically scans the entire Internet looking for vulnerable devices. The goal of threat actors creating botnets is to infect as many connected devices as possible and use the processing power and resources of those devices to perform automated tasks that are normally hidden from the devices' users. The attackers (often cybercriminals) who control these botnets use them to send spam emails, run click-fraud campaigns, and generate the traffic for distributed denial-of-service (DDoS) attacks.
- Drive-by download attacks:
  o A drive-by download attack downloads malicious code from a website through a browser, application, or embedded operating system without the user's permission or knowledge. The user does not have to click anything to activate the download; simply visiting or browsing the website starts it. Cybercriminals can use drive-by downloads to insert banking Trojans, steal and harvest personal information, and deploy exploit kits and other malware to endpoints.
- Phishing attacks:
  o Phishing attacks use social engineering to trick users into breaking normal security practices and revealing sensitive information such as names, addresses, login information, Social Security numbers, credit card information, and other financial information. It is a type of information security threat. Most of the time, hackers send fake emails that appear to come from legitimate sources such as financial institutions, eBay, PayPal, and even friends and colleagues.
  o In a phishing attack, hackers try to trick users into performing actions such as clicking on a link in an email that leads to a fraudulent website asking for personal information or installing malware on the device. Opening an email attachment can also install malware on the user's device, designed to collect sensitive information or email contacts, or to allow remote access to the device.
- Distributed denial-of-service (DDoS) attacks:
  o In a distributed denial-of-service (DDoS) attack, multiple compromised machines attack a target, such as a server, website, or other network resource, rendering the target inoperable. A barrage of connection requests, incoming messages, or malformed packets can cause the target system to slow down or crash and shut down, denying service to legitimate users or systems.
- Ransomware:
  o In a ransomware attack, the victim's computer is typically locked down using encryption, preventing the victim from using the device or the data stored on it. Victims have to pay the attackers a ransom in order to regain access to their devices and data. Payments are usually made in cryptocurrencies such as Bitcoin. Ransomware can spread through malicious email attachments, infected software apps, infected external storage devices, and compromised websites.
4 What are the recent security breaches? List and give examples with dates (Swinhoe, 2022)
- LinkedIn (June 2021):
  o In June 2021, professional networking giant LinkedIn discovered a dark web forum posting data on 700 million users, over 90% of its user base. A hacker dubbed "God User" had used data scraping techniques to abuse the site's (and other sites') APIs to dump an initial set of records on approximately 500 million customers, and then boasted of selling the full 700 million-customer database. LinkedIn argued that the incident was a violation of its terms of service rather than a data breach because no sensitive personal information was disclosed, but the data sample posted by God User included email addresses, phone numbers, geolocation records and other social media details such as gender. This could provide malicious attackers with a ton of data for compelling follow-on social engineering attacks after the leak, the UK's NCSC warned.
- Facebook (April 2019):
  o In April 2019, it was announced that two sets of data from the Facebook app had been exposed to the public internet. The information related to over 530 million Facebook users and included phone numbers, account names and Facebook IDs. Two years later (April 2021), the data was made publicly available for free, revealing new and bona fide criminal intent associated with the data. Given the sheer number of phone numbers affected by the incident and available on the dark web, security researcher Troy Hunt added to the HaveIBeenPwned (HIBP) credential-checking site the ability for users to check whether their phone number was included in the published dataset.
  o "It was never our intention to make phone numbers searchable," Hunt wrote in a blog post.
"My position on it was that it didn't make sense for many reasons. The Facebook data changed everything: it has over 500 million phone numbers but only a few million email addresses, so over 99% of people would miss it when it should be a hit."
- Alibaba [tie with Aadhaar] (November 2019):
  o For eight months, an affiliate marketing developer used crawler software he had created to scrape customer data, including usernames and mobile phone numbers, from Taobao, Alibaba's shopping website in China. The developer and his employer were both sentenced to three years in prison, although they apparently collected the information for their own use and did not sell it on the black market.
  o A Taobao spokesperson said in a statement: "Taobao devotes significant resources to combating unauthorized scraping on our platform because privacy and security are paramount. We actively detect this unauthorized scraping, it has been remediated, and we will continue to work with law enforcement to protect the interests of our users and partners."
- Sina Weibo (March 2020):
  o Sina Weibo is one of China's largest social media platforms, with over 600 million users. In March 2020, the company reported that an attacker had obtained part of its database, affecting 538 million Weibo users and exposing personal information such as real names, site usernames, gender, location and phone number. The attacker allegedly sold the database on the dark web for $250.
  o China's Ministry of Industry and Information Technology (MIIT) ordered Weibo to improve its data security measures to better protect personal information and to notify users and authorities in the event of a data security incident. In a statement, Sina Weibo said the attackers had collected publicly posted information by using a service designed to help users find their friends' Weibo accounts by entering their phone numbers, and claimed that passwords were unaffected. However, it acknowledged that the disclosed data could be used to match accounts and passwords if passwords are reused on other accounts. The company said it had strengthened its security strategy and reported the details to the relevant authorities.
5 Discuss the consequences of these breaches (Sun21)
- Reputational damage:
  o Losing the trust of customers and stakeholders can be the most damaging effect of cybercrime. The overwhelming majority of people will not do business with companies that have been attacked, especially if they failed to protect their customers' data. This can lead not only to lost business but directly to the erosion of the brand you worked so hard to build. It is difficult to quantify the reputational damage of a data breach case by case, but as industry sources told ITPro, it is partly due to trust issues and partly due to recovery issues.
- Theft:
  o A cyberattack on a high-profile bank can offer a large loot for the attacker, but the defenses of smaller companies are typically less sophisticated and easier to penetrate, making them easier targets. Cyber-scams result in financial losses, but stolen data can be far more valuable to hackers, especially when sold on the dark web. The Digital Shadows Photon Research team reported that the average price of a login traded commercially on the dark web was a "modest" $15.43. For domain administrator accounts that grant access to corporate networks (usually auctioned because of their value to hackers), prices climb to an average of $3,139, and in some cases to a staggering $120,000. Intellectual property theft can be just as damaging: years of effort and R&D investment in trade secrets and copyrighted material, and with them a company's competitive advantage, can be lost.
- Financial losses:
  o Cybercrime is disproportionately more costly to small businesses than to large corporations relative to the size of the business. For large companies, the financial impact of a breach can run into millions, but relative to their scale it barely registers. According to the latest data breach report from IBM and the Ponemon Institute, the average cost of a data breach in 2021 was $4.24 million, up 10% from the average of $3.86 million in 2019. The longer a breach goes undetected, the greater its economic impact. For example, the average cost of a data breach identified and contained within 200 days was $3.61 million, whereas breaches that took more than 200 days to identify and contain cost an average of $4.87 million, a difference of $1.26 million.
- Fines:
  o As if direct financial loss wasn't enough, fines are imposed on companies that ignore data protection laws. In May 2018, the General Data Protection Regulation (GDPR) came into effect in the EU, and the enforcement powers attached to the law are significant: fines for violations are €20 million per violation or 4% of the company's global annual turnover, whichever is greater. In 2020, European data authorities imposed fines totalling US$193 million (€159 million) for GDPR breaches; the largest was the US$57 million fine imposed by the French authorities.
  o Although the United States does not have a GDPR equivalent, three states (California, Colorado, and Virginia) have enacted comprehensive consumer privacy laws. The three laws share some common provisions, such as the right to access and delete personal information and the right to opt out of the sale of personal information.
- Below-the-surface costs:
  o In addition to the economic costs of incident response, there are a number of intangible costs that can continue to harm a business long after the event has occurred. The impact of operational disruption tends to be badly underestimated, especially among companies with few formal business continuity and recovery strategies, and smaller organizations that struggle to manage cash flow may face higher insurance premiums, higher costs, or debt.
  o Cybersecurity and disaster recovery are not merely IT issues; they are a business imperative. Adopting a comprehensive security strategy today can help you avoid downtime if hackers strike tomorrow.
6 Suggest solutions to organizations (Ber19)
- Multi-factor authentication:
  o Multi-factor authentication (MFA) protects your account even if your password is compromised. It combines something you know (your password) with something you own (your phone). When you sign in to your account, a code is sent to your phone; if cybercriminals crack your password but do not have your phone, they cannot access your account.
  o The best part of MFA is that it is already integrated with most of your accounts, like Microsoft Office 365, Facebook or LinkedIn; you just need to enable it. If there's one thing you learn from this blog, be sure to enable MFA for your personal bank account. You're just one weak password away from cybercriminals siphoning off your savings.
- User security training:
  o People are your weakest link against cyber attacks. They love opening attachments and links in emails, which is one of the easiest ways for cybercriminals to collect their credentials. The best way to mitigate this risk is to implement a cybersecurity training plan for your entire organization. A solid plan should include hands-on learning about what not to click, followed by simulated phishing attempts that resemble today's cybercriminal attacks. This learning/testing process should be repeated consistently, which continuously strengthens your human firewall.
- Web and email filtering:
  o Humans can't catch every attack, so you need additional threat intelligence services to help. Such a service scans email attachments and website hyperlinks and isolates and inspects them safely in the cloud before they reach your users. If the attachment or hyperlink is found to be malicious, it is disabled before your users have a chance to open it. You can also set up a filtering service to block certain websites by category and increase productivity by limiting access to social media services.
- Threat detection:
  o We all have a lock on our front door, right? That lock is the equivalent of your organization's firewall and anti-virus software, there to keep cybercriminals out. Unfortunately, a determined cybercriminal can get past that lock. A threat detection solution is the equivalent of your organization's alarm system: it continuously scans your network and PCs for threats and sends any suspicious findings to a threat intelligence service for evaluation. The service is provided by a team of security and AI experts who act if a finding is identified as a threat.
II Describe at least 3 organizational security procedures
Define security procedures
A security procedure is a set of activities that must be performed to carry out a certain security task or function. Procedures are usually written as a series of actions performed in a consistent, repeatable method or cycle to achieve a desired result. Once implemented, security procedures lead to a set of activities developed to meet the organization's security challenges, facilitating training and assessment. Procedures serve as the starting point for applying the consistency needed to eliminate weaknesses in security processes, thereby strengthening security controls within the company. Reducing variance is also a smart approach to reducing waste, improving quality and increasing the efficiency of the security department.
Security procedures
- Password procedure:
  o At least every [insert time], all system-level passwords (e.g. root, enable, Administrator, application administrator accounts, etc.) must be changed. All user-level passwords (e.g. email, web, network, etc.) are changed according to the organization's system policy, but at least twice a year.
  o Passwords must not be transmitted under any circumstances over electronic communications that are not encrypted.
  o When SNMP is used, the community strings must be set to something other than the usual defaults of "public", "private", and "system", and they must be different from the password used for interactive login. If a keyed hash is available, it should be used (e.g. SNMPv2).
  o All system-level and user-level passwords must adhere to the guidelines described below.
  o Rules:
    Unless authorized otherwise by the security administrator, all administered computer systems must follow consistent user ID naming standards.
    Passwords should meet criteria similar to the following:
    - Have at least 8 characters.
    - Contain at least 3 of the following 4 password complexity requirements: lowercase letters (for example a-z), capital letters (for example A-Z), numbers (example 1-9), special characters (example !@#$%^&*).
    - Do not rely on personal information: family names, pets, etc.
    - Do not write passwords down or store them online.
    - For remote user access, use a password together with a token.
  o Remote access to [Organization]'s network is not considered secure when the computer connects over an analog line; such access is authorized for a limited time only and must be controlled by an authentication system using one-time passwords or public/private keys with a strong passphrase.
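The password rules above can be enforced mechanically. The following checker is an added example, not part of the original assignment; the function names, the 3-of-4 class rule with the page's special-character set, and the minimum length of a "personal term" that counts as a match are assumptions made here.

```python
import re

MIN_LENGTH = 8        # rule: at least 8 characters
MIN_CLASSES = 3       # rule: at least 3 of the 4 complexity classes
MIN_TERM_LENGTH = 3   # assumption: shorter personal terms would match almost anything

# The four complexity classes listed in the procedure.
CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[!@#$%^&*]"),
}


def check_password(password, personal_terms=()):
    """Return a list of rule violations; an empty list means the password passes.

    personal_terms: words the user must not build a password from (family
    names, pets, user ID, etc.), compared case-insensitively as substrings.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(present) < MIN_CLASSES:
        violations.append(
            f"only {len(present)} of 4 character classes ({', '.join(present) or 'none'})"
        )

    lowered = password.lower()
    for term in personal_terms:
        term = term.strip().lower()
        if len(term) >= MIN_TERM_LENGTH and term in lowered:
            violations.append(f"contains personal term '{term}'")
    return violations


def is_acceptable(password, personal_terms=()):
    """True when the password meets every rule in the procedure."""
    return not check_password(password, personal_terms)


if __name__ == "__main__":
    # Constructed samples: a dictionary word, a pet name plus year, a strong one.
    samples = {"password": (), "Rex2024!": ("Rex",), "Tr0ub4dor&3": ("Smith",)}
    for pw, terms in samples.items():
        print(pw, "->", check_password(pw, terms) or "ok")
```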
- Anti-virus procedure:
  o This procedure defines the requirements that all computers must meet in order to join the [Organization] network, enabling effective virus detection and prevention.
  o [Organization] anti-virus software must be installed on all servers and workstations.
  o All [Organization] servers and workstations must have the standard anti-virus software installed, supported, and scheduled to run regularly. Anti-virus software and virus signature files must also be kept up to date. Any infected machine will be disconnected from the network until the information security officer or designee confirms that it is virus-free. All incoming and outgoing data and email must be scanned for viruses.
Process setup and implementation procedures
- Auditing: Audit procedures may cover what needs to be audited, how audit logs are kept, and the objectives of the content being audited.
- Administrative: These procedures can be used to divide tasks between those responsible for operating and monitoring the system. They are the means by which you can, for example, require that the database administrator not view the firewall logs.
- Access control: These are extensions of the administrative procedures that tell administrators how to set up authentication and other access control capabilities of the various components.
- Incident response: These procedures cover everything from problem detection to problem resolution. They should include information on how to involve management in the response as well as when enforcement action is required.
- Physical and environmental: These procedures include not only air conditioning and other environmental controls in rooms where servers and other equipment are located, but also the physical protection of Ethernet connections so that they cannot be abused.
Identify the potential impact to IT security of incorrect configuration of firewall policies and IDS (P3)
1 Discuss briefly firewalls and policies, their usage and advantages in a network
- A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules (Cis23).
- Firewalls have been the first line of defense in network security for over 25 years. They establish a barrier between secured, controlled internal networks that can be trusted and untrusted external networks such as the Internet.
- Firewalls can be hardware, software, software as a service (SaaS), public cloud, or private cloud (virtual).
- Firewall policies let you group multiple firewall rules together so that you can update them all at once, with access controlled by Identity and Access Management (IAM) roles. These policies contain rules that can explicitly deny or allow connections, like Virtual Private Cloud (VPC) firewall rules (Goo23).
- Usage: The firewall's task is difficult because a great deal of legitimate data must be allowed through to the computer or network. For example, when we visit Quantrimang.com to read news, tips and new technologies, the information and data must travel from the website to the computer through the network without interruption. Firewalls must be able to distinguish between legitimate traffic and the various kinds of attack traffic. To allow good connections and eliminate bad ones, firewalls use rules or exceptions. In most cases this happens in the background, and the user cannot see or interact with it.
- Advantages of a firewall:
  o Promotes privacy and security: Firewalls play an important role in enterprise security management. They provide increased security and privacy from vulnerable services, prevent unauthorized users from accessing a private network connected to the Internet, and keep your data safe. Companies spend millions to protect their systems from external malware attacks.
  o Monitors network traffic: Firewalls monitor data where it enters and leaves your system, offering fast response times and high traffic-handling capacity. This mediation is based on predefined rules and associated filters. A well-trained and equipped team can keep your system secure based on the data entering and exiting the firewall.
  o Prevents virus attacks: Virus attacks are very dangerous to computer systems and can quickly shut down all digital activity. Millions of new threats appear every day, and it is important to stay alert. Security protocols can be updated from a single authorized device. A firewall protects your system against phishing attacks, can stop hackers outright or prevent your systems from being easy targets, is an important blockade against malware and spyware, and helps protect your data from the outside.
2 How does a firewall provide security to a network? (kas23)
- Firewalls decide which network traffic is allowed through and which is considered dangerous. Basically, they work by filtering the good from the bad, or the trusted from the untrusted. Before getting into the details, though, it helps to understand the structure of the network.
- Firewalls aim to secure private networks and the endpoints within them, known as network hosts (the source calls them network servers). A network host is a device that "talks" with other hosts. Hosts send and receive traffic within internal networks, as well as outgoing and incoming traffic to and from external networks.
- Computers and other endpoints use the network to access the Internet and each other. However, networks are divided into sub-networks or "subnets" for security and privacy reasons. The basic subnet segments are:
  o External public networks usually refer to the public/global Internet or various peripheral networks (extranets).
  o Private internal networks cover home networks, corporate intranets, and other "closed" networks.
  o Perimeter networks are border networks made up of bastion hosts, dedicated computers with hardened security that are ready to withstand outside attack. As a secure buffer between internal and external networks, they can also be used to host any external services provided by the internal network (e.g. servers for web, email, FTP, VoIP, etc.). They are more secure than the external network but less secure than the internal network. They are not always present in simpler networks such as a home network, but are often used within an organization's or a national intranet.
- Screening routers are dedicated gateway computers placed on a network to segment it. They are known as house firewalls at the network level. The two most common segmentation models are the screened host firewall and the screened subnet firewall:
  o A screened host firewall uses a single screening router between the external network and the internal network; these two networks are the two subnets of this model.
  o A screened subnet firewall uses two screening routers: one, called the access router, sits between the external network and the perimeter network, and the other, called the choke router, sits between the perimeter network and the internal network. This creates three subnets.
- A firewall can be hosted at the network perimeter or on the host itself. In the latter case it sits between a computer and its connection to the private network.
  o Network firewalls involve the deployment of one or more firewalls between external networks and internal private networks. They regulate network traffic in and out, separating external public networks, such as the global Internet, from internal networks such as home Wi-Fi networks, corporate intranets, or national intranets. A network firewall can take the form of dedicated hardware, software, or a virtual appliance.
  o Host firewalls or "software firewalls" refer to the use of firewalls on individual user devices and other private network endpoints as a barrier between devices within the network. These devices or hosts receive customized treatment of traffic to and from specific computer applications. Host firewalls can run on local devices as an operating system service or as an endpoint security application. A host firewall can also dig deeper into web traffic, filtering on HTTP and other network protocols, helping to manage what content reaches your machine rather than just where it comes from.
- Network firewalls require configuration covering many connection types, while host firewalls can be tailored to the needs of each machine. However, host firewalls require more effort to customize, which makes network-based firewalls the better option for scalable control. Using firewalls in both places is ideal for a multi-layered security system.
- Traffic is filtered through the firewall using predefined or dynamically learned rules to allow or deny connection attempts. These rules govern how the firewall regulates the flow of traffic through your private network and your private computing devices. Regardless of type, all firewalls can filter by some combination of the following factors:
  o Source: where a connection attempt is made from.
  o Destination: where a connection attempt is intended to go.
  o Content: what a connection attempt is trying to send.
  o Packet protocol: what "language" a connection attempt uses to convey its message. Among the network protocols that hosts use to "talk" to each other, TCP/IP is mainly used to communicate over the Internet and within intranets/subnets.
  o Application protocol: common protocols include HTTP, Telnet, FTP, DNS, and SSH.
- The source and destination are communicated through Internet Protocol (IP) addresses and ports. The IP address is a unique device name for each host. Ports are a sub-level of any given source and destination host device, similar to offices in a larger building. Ports are often assigned for specific purposes, so certain protocols and IP addresses using uncommon or disabled ports can be a concern.
- Using these identifiers, the firewall can decide whether the data packet trying to establish a connection should be dropped (silently or with an error response to the sender) or forwarded
3 Show, with diagrams, an example of how a firewall works
Figure 3: Example of how a firewall works
4 Define IDS, its usage, and show it with diagram examples
- Define IDS [ CITATION Ben23 \l 1033 ]:
  o An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is detected.
  o Although anomaly detection and reporting is the primary function of an IDS, some intrusion detection systems can also take action, such as blocking traffic originating from suspicious Internet Protocol (IP) addresses when malicious activity or anomalous traffic is detected.
  o An IDS can be contrasted with an intrusion prevention system (IPS). An IPS monitors network packets for potentially malicious traffic just as an IDS does, but its primary goal is to prevent detected threats rather than merely detect and log them.
Figure 4: Intrusion Detection System (IDS)
- Its usage:
  o Intrusion detection systems are used to detect anomalies, with the goal of catching attackers before they do real damage to the network. An IDS can be either network-based or host-based. Host-based intrusion detection systems are installed on client computers; network-based intrusion detection systems sit on the network.
  o Intrusion detection systems look for signatures of known attacks, or for deviations from normal activity. These deviations or anomalies are pushed up the stack and inspected at the protocol and application layers. They can detect events such as Christmas tree scans and Domain Name System (DNS) poisoning.
  o An IDS can be implemented as a software application running on your own hardware or as a network security appliance. Cloud-based intrusion detection systems are also available to protect data and systems deployed in the cloud.
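The two detection styles just described, signature matching and anomaly detection, together with the IDS/IPS distinction from the definition above, as an added example written for this page (not code from any IDS product). The packet records, the flag notation and the port-scan threshold are constructed assumptions:

```python
"""Added example: signature-based and anomaly-based checks of the kind an IDS runs,
over constructed packet records, plus the alert-only (IDS) versus block (IPS) choice.
Illustrative code for this page, not part of any real product."""
from collections import defaultdict

# Constructed records: (source IP, destination IP, destination port, TCP flags).
# Flag letters are an assumed shorthand: F=FIN S=SYN R=RST P=PSH A=ACK U=URG.
PACKETS = [
    ("198.51.100.9", "203.0.113.10", 80, "S"),
    ("198.51.100.9", "203.0.113.10", 443, "S"),
    ("198.51.100.23", "203.0.113.10", 22, "FSRPAU"),   # every flag lit: a "Christmas tree" probe
] + [("192.0.2.77", "203.0.113.10", p, "S") for p in range(1, 41)]  # one host sweeping 40 ports

XMAS_FLAGS = frozenset("FSRPAU")
PORT_SCAN_THRESHOLD = 20   # assumed: distinct ports from one source before we call it a scan


def signature_alerts(packets):
    """Signature detection: match a known pattern, here the all-flags-set TCP header."""
    return [("XMAS_SCAN", src, f"{dst}:{port}")
            for src, dst, port, flags in packets if frozenset(flags) == XMAS_FLAGS]


def anomaly_alerts(packets, threshold=PORT_SCAN_THRESHOLD):
    """Anomaly detection: a single source touching an unusual number of distinct ports."""
    ports_by_src = defaultdict(set)
    for src, _dst, port, _flags in packets:
        ports_by_src[src].add(port)
    return [("PORT_SCAN", src, f"distinct_ports={len(ports)}")
            for src, ports in sorted(ports_by_src.items()) if len(ports) >= threshold]


def run_ids(packets, threshold=PORT_SCAN_THRESHOLD):
    """All alerts as (kind, source IP, detail) tuples."""
    return signature_alerts(packets) + anomaly_alerts(packets, threshold)


def filter_packets(packets, prevent=False):
    """IDS mode (prevent=False) only alerts and forwards everything;
    IPS mode (prevent=True) also drops packets from any source that raised an alert."""
    alerts = run_ids(packets)
    if not prevent:
        return alerts, list(packets)
    flagged = {src for _kind, src, _detail in alerts}
    return alerts, [p for p in packets if p[0] not in flagged]


if __name__ == "__main__":
    for mode in (False, True):
        alerts, forwarded = filter_packets(PACKETS, prevent=mode)
        print("IPS" if mode else "IDS", "alerts:", alerts, "forwarded:", len(forwarded))
```

A real sensor keeps per-source state over a time window rather than over a fixed list, but the shape is the same: signatures give precise, low-noise hits for known tooling, while the anomaly rule catches behaviour no signature describes at the cost of a threshold that must be tuned to the network.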
5 Write down the potential impact (Threat-Risk) of a firewall and IDS if they are incorrectly configured in a network
5.1 The potential impact (Threat – Risk) of a firewall
- Risky rogue services and management services: another issue that comes up regularly is services running on the firewall that should not be running there. Two common offenders are dynamic routing protocols, which are generally discouraged on security devices, and rogue DHCP servers, which hand out IP addresses across the network and can cause availability problems through IP conflicts. Telnet is over 30 years old, yet many devices still use unencrypted protocols like it. The remedy is to harden the device and verify its settings before it goes into production; many companies run into trouble because they skip this step. Configuring the device only for the functions it actually needs to perform, and following the principle of least privilege, raises security and reduces the chance of inadvertently exposing sensitive information. No rogue service should be running on the firewall.
- Non-standard authentication methods: some organizations use routers that do not comply with the corporate authentication standard. For example, a large bank ran all devices in its central data centre against the same central authentication system, but its remote offices did not. Because the company's authentication policy was not enforced there, a remote branch office employee could set up a local account with a weak password and a failed-login threshold high enough that the account was never locked out. This scenario makes it easier for attackers to enter the corporate network from a remote office, lowering security and creating an additional attack vector. The organization's own policy required that the central authentication procedure used at headquarters be applied at all branch offices.
- Security device log output: organizations typically neglect, or only poorly investigate, the log output of their security devices. This is one of the biggest mistakes in network security: not only is there little or no traceability when investigating a breach, but nobody is alerted while an attack is under way.
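A baseline check covering the three firewall misconfigurations listed above (cleartext or rogue services, authentication outside the corporate standard, and logs that never leave the device), as an added example written for this page. The configuration format, the keys and the baseline values are assumptions, and both sample configurations are constructed; it is not the configuration syntax of any real firewall:

```python
"""Added example: audit a firewall's management configuration against a least-privilege
baseline. The dictionary format, keys and threshold values are assumptions made for this
page; the two sample configurations are constructed."""

BASELINE = {
    # Management must be encrypted; routing daemons and DHCP do not belong on the firewall.
    "forbidden_services": {"telnet", "http", "ftp", "dhcp-server", "rip", "ospf"},
    "auth_method": "central",        # e.g. a central RADIUS/TACACS+ server, no local-only accounts
    "max_failed_logins": 5,          # lockout must be enabled (non-zero) and at most this value
    "min_password_length": 12,
    "log_export_required": True,     # logs must be shipped to a collector so they survive the device
}

# Constructed: the weak branch-office device described in the text.
SAMPLE_BRANCH_FW = {
    "hostname": "branch-fw-01",
    "services": ["ssh", "telnet", "dhcp-server"],
    "auth_method": "local",
    "max_failed_logins": 0,          # 0 = lockout disabled
    "min_password_length": 6,
    "log_export": [],                # no syslog or SIEM destination
}

# Constructed: the same device after hardening to the baseline.
HARDENED_FW = {
    "hostname": "branch-fw-01",
    "services": ["ssh", "https"],
    "auth_method": "central",
    "max_failed_logins": 5,
    "min_password_length": 14,
    "log_export": ["10.0.0.50:514"],  # placeholder collector address
}


def audit(cfg, baseline=BASELINE):
    """Return a list of human-readable findings; an empty list means the device meets the baseline."""
    findings = []
    for svc in cfg.get("services", []):
        if svc in baseline["forbidden_services"]:
            findings.append(f"rogue or cleartext service enabled: {svc}")
    if cfg.get("auth_method") != baseline["auth_method"]:
        findings.append(f"non-standard authentication method: {cfg.get('auth_method')}")
    lockout = cfg.get("max_failed_logins", 0)
    if lockout == 0 or lockout > baseline["max_failed_logins"]:
        findings.append(f"failed-login lockout not enforced (threshold={lockout})")
    if cfg.get("min_password_length", 0) < baseline["min_password_length"]:
        findings.append("password policy below baseline length")
    if baseline["log_export_required"] and not cfg.get("log_export"):
        findings.append("no log export destination configured")
    return findings


if __name__ == "__main__":
    for cfg in (SAMPLE_BRANCH_FW, HARDENED_FW):
        print(cfg["hostname"], audit(cfg) or ["compliant"])
```

In practice the configuration would be pulled from each device and the audit run on a schedule, so that a branch device drifting away from the central standard is noticed before an attacker does.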
5.2 Incorrect IDS configuration in the network
If the IDS is not configured correctly in any part of the system, threats and risks comparable to those for firewalls can arise:
- Threats:
  o As with firewalls, an IDS is exposed to tampering if the same credentials are reused across several types of service, as explained in the previous section; an attacker can then gain access to both the firewall and the IDS.
  o Attacks from the inside: people with access to an organization's IDS, such as employees, may alter it to support hostile attacks on the company from outside. Treat them as insider threats.
  o Because of system conflicts or maintenance requirements, an IDS occasionally experiences brief interruptions; any unwanted access during these outages is not logged, leaving traffic unreported and unverified.
  o Wrong assumptions: an IDS helps identify security issues only if the right IDS strategy is applied to the system. If the approach is based on incorrect data, the IDS will be configured wrongly.
- Risks:
  o Security flaws: as with a firewall, unauthorized access can occur unnoticed, and data can be read, altered, or stolen without administrators being aware of it. When attackers hide their tracks, it may be too late for the organization or its users to stop the attack by the time they notice it, although occasionally it can be identified later by manually reviewing network traffic.
  o Misleading information: if the IDS is configured wrongly, attackers may try to influence it further by feeding it misleading data about the attack, making the system more vulnerable over time even while the IDS is running.
IV Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve Network Security (P4)
1 Define and discuss with the aid of diagram DMZ [CITATION Ben231 \l 1033 ]
- In computer networking, a DMZ (demilitarized zone) is a physical or logical subnet that separates a local area network (LAN) from other untrusted networks, usually the public Internet. A DMZ is also known as a perimeter network or screened subnet.
- All services offered to users on the public Internet should be placed in the DMZ network. Externally facing servers, resources and services are usually located there. The most common of these services include web, email, Domain Name System (DNS), File Transfer Protocol (FTP) and proxy servers. Servers and resources in the DMZ are reachable from the Internet, but the rest of the internal LAN is not. This approach adds a layer of security to the LAN by limiting an attacker's ability to reach internal servers and data directly from the Internet.
- Attackers and cybercriminals can reach systems running services on DMZ servers, so those servers must be hardened to withstand constant attack. The term DMZ comes from the geographical buffer zone established between North and South Korea at the end of the Korean War.
- A DMZ provides a level of network segmentation that helps protect the corporate network. These subnetworks restrict remote access to internal servers and resources and make it harder for attackers to reach the internal network. The strategy works both for personal use and for large organizations.
- Organizations place Internet-facing applications and servers in a DMZ to isolate them from internal networks. Because the DMZ isolates these resources, even if they are compromised the attack is less likely to result in disclosure, damage, or loss.
- A DMZ acts as a buffer zone between the public Internet and the private network. The DMZ subnet is typically deployed between two firewalls. All incoming network packets are checked by a firewall or other security appliance before reaching the servers hosted in the DMZ.
- If a well-prepared attacker gets past the first firewall, they must still gain unauthorized access to services in the DMZ before they can do any damage, and those systems may be hardened against such attacks. Even if a well-equipped attacker hijacks a system hosted in the DMZ, they would then need to penetrate the internal firewall to reach sensitive corporate resources. A determined attacker can compromise even the most secure DMZ architecture, but an attack on the DMZ raises an alarm, giving security staff enough warning to head off a full-scale attack on the organization.
1.4 What are the benefits of using a DMZ?
A DMZ's primary benefit is to give users on the public Internet access to certain services while keeping a buffer between those users and the private internal network. This buffer has several security benefits:
- Access control: a DMZ network provides access control for services outside an organization's network perimeter that are reached over the Internet. At the same time, it introduces a layer of network segmentation that increases the number of obstacles an attacker must clear before reaching the organization's private network. In some cases the DMZ also contains proxy servers that centralize the flow of internal (usually employee) Internet traffic and make it easier to record and monitor that traffic.
- Network reconnaissance prevention: the DMZ also hinders attackers from identifying targets inside the network. Even if a system in the DMZ is compromised, the internal firewall protects the private network by separating it from the DMZ. This configuration makes it more difficult for outside activity to map the internal network. Although DMZ servers are publicly visible, they are backed by a further layer of protection: the public side of the DMZ prevents an attacker from seeing the contents of the internal private network, and if the attacker does manage to compromise servers in the DMZ, those servers remain isolated from the private network by the internal firewall.
- Protection against Internet Protocol (IP) spoofing: in some cases, attackers try to bypass access control restrictions by spoofing an authorized IP address to impersonate another device on the network. The DMZ can stall potential IP spoofers while another service on the network verifies the legitimacy of the IP address by checking whether the address is actually reachable.
1.5 What DMZs are used for
- DMZ networks have been an important part of enterprise network security for as long as firewalls have been in use. They are deployed for similar reasons: to protect the organization's sensitive systems and resources.
- More recently, companies have chosen to use virtual machines or containers to isolate parts of the network, or specific applications, from the rest of the corporate environment. Cloud technology has largely removed the need for an in-house web server for many organizations, and much of the external infrastructure that used to sit in the company's DMZ, such as software-as-a-service applications, has moved to the cloud.
- There are different ways to design a network with a DMZ. The two basic methods use one or two firewalls, although most modern DMZs are designed around two firewalls. Either approach can be extended to create more complex architectures.
- A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ. The external network is formed by connecting the public Internet, through an Internet service provider's connection, to the firewall's first network interface. The intranet is formed from the second network interface, and the DMZ network itself is connected to the third network interface.
- Separate sets of firewall rules govern traffic between the Internet and the DMZ, between the LAN and the DMZ, and between the LAN and the Internet. They tightly control the ports and types of traffic allowed into the DMZ from the Internet, limit connections from the DMZ to specific servers on the internal LAN, and prevent unwanted connections from the DMZ to the Internet or to the local LAN.
- The most secure approach to creating a DMZ is a dual-firewall configuration, in which two firewalls are deployed with the DMZ network positioned between them. The first firewall, also known as the perimeter firewall, is configured to allow only external traffic destined for the DMZ. The second, internal, firewall allows only traffic from the DMZ to the internal network. The dual-firewall approach is considered more secure because two devices must be compromised before an attacker can reach the internal LAN. Security controls can be set specifically for each network segment; for example, a network intrusion detection and prevention system located in the DMZ can be configured to block all traffic except HTTPS (Secure Hypertext Transfer Protocol) requests to TCP port 443.
2 Define and discuss with the aid of diagram static IP[CITATION Ale23 \l 1033 ]
- A static IP address is a 32-bit number assigned to a computer as its address on the Internet. The number is written as a dotted quad (four decimal numbers separated by dots) and is usually provided by an Internet Service Provider (ISP).
- An IP address (Internet Protocol address) acts as a unique identifier for a device connected to the Internet. Computers use IP addresses to locate and talk to each other on the Internet in the same way that people use phone numbers to locate and talk to each other by phone. An IP address can also reveal information such as the hosting provider and geo-location data.
2.2 When a static IP address is necessary
- Because static IP addresses are no longer in common use, it is worth being clear about when one is actually needed. Businesses mainly use static IP addresses when they host servers and websites that require high uptime, use voice over IP (VoIP), or have employees who frequently work from home. If an employee wants to reach their office device remotely, a changed IP address would require them to learn the new address; with a remote access application and a static IP address, employees can keep reaching their computers at the same address.
- In most cases, businesses use static IP addresses to support FTP, mail and virtual private network (VPN) servers, database servers, network devices, and web hosting services. Companies that process a lot of data in these areas find static IP addresses useful for employees and customers who need to connect to the organization's servers.
- Using changing IP addresses is difficult for a website host, because with every new IP address the router settings must be updated to forward requests to the correct address; otherwise no end user can reach the website, because the router will not know which device on the network is hosting it.
- DNS servers also commonly use static IP addresses. If the IP address changed frequently, the DNS server entry would have to be reconfigured on the router just as frequently.
- When a server's hostname cannot be resolved, a computer can still reach the server on the network by its static IP address. For example, a computer can be configured to connect to the server's static IP address instead of its hostname, so it can still reach the server even if the DNS server is not working properly.
- Basically, any service or feature that requires a persistent connection should have a static IP address. While this may seem obvious to the end user, when an IP address is reassigned, any users who were connected are disconnected and must wait to discover the new address before reconnecting. This is why services that require a consistent connection, such as file system services or online games, use static IP addresses.
- If necessary, the LAN administrator can use DHCP to assign an unchanging IP address. In most other cases an organization or home network will use what is known as dynamic IP addressing, because it is the most cost-effective method.
2.3 How static IP addresses work
- Since a static IP address is not provided by default by most Internet service providers, an individual or organization that wants one must first contact their ISP and ask for a static IP address to be assigned to their device, such as a router. Once the device is configured with the new, unchanging IP address, it needs to be rebooted once. The computers or other devices behind the router then use that same IP address. Once the address is in place there is nothing further to manage, as it does not change.
- However, the number of available static IP addresses is limited, which is why requesting a static IP address often costs money. IPv6 is intended to solve this problem: it extends IP addresses from 32 bits to 128 bits (16 bytes) and dramatically increases the number of available addresses, making static IP addresses easier and cheaper to obtain and maintain. Much Internet traffic still uses IPv4, but a growing share is moving to IPv6, so both are in use today.
- IPv6 allows roughly 340 undecillion unique IP addresses. For reference, that is 340 followed by 36 zeros, or 340 trillion trillion trillion unique addresses that can be assigned. This expansion of the total address space allows for significant future growth of the Internet and eliminates what was expected to become a shortage of network addresses.
- Companies that rely on IP addresses for mail, FTP, and web servers can have a single, immutable address.
- Static IP addresses are preferred for hosting VoIP, VPN, and games.
- They can be more stable when a connection is interrupted, so packets in transit are not lost.
- They allow file servers to upload and download files faster.
- A device with a static IP address does not need to send address renewal requests.
- Network administrators can manage static IP addresses more easily while the servers are running.
- It is also easier for administrators to monitor Internet traffic and to assign access rights to users based on IP address.
- It reduces the number of available IP addresses: a static IP address assigned to a device or website stays occupied until it is explicitly released, even if the device is turned off and not in use.
- Most people do not need a static IP address today.
- Since the address is fixed and cannot be changed easily, a device with a static IP address is easier for attackers to target and to return to later.
- Manually configuring a static IP address can be complicated, and it can be difficult to transfer server settings from a device with a static IP address to a new device when the original becomes obsolete.
- Devices with static IP addresses are easier to track.
- Static IP addresses are more expensive, as ISPs often require static IP users to open a business account and pay a one-time fee, and monthly Internet service costs can also be higher.
- Security issues with both static and dynamic IP addresses can be mitigated by setting up a router firewall, using a VPN, or using an Internet security suite. While these do not guarantee absolute safety, they help a great deal.
3 Define and discuss with the aid of diagram NAT [ CITATION Kat21 \l 1033 ]
3.1 What is Network Address Translation (NAT)?
Network address translation (NAT) is the process of mapping one Internet Protocol (IP) address to another by rewriting the headers of IP packets as they pass through a router. It improves security and reduces the number of public IP addresses an organization needs.
3.2 How does Network Address Translation work?
- NAT works on a gateway placed between two networks, an internal and an external one. Systems within the internal network are usually assigned IP addresses that are not routable on the external network (for example, addresses in the 10.0.0.0/8 block).
- Several valid external IP addresses are assigned to the gateway. The gateway makes outbound traffic from an internal system appear to originate from one of the valid external addresses, and it receives incoming traffic destined for a valid external address and forwards it to the correct internal system. This helps security: because every outgoing and incoming request passes through a translation step, the gateway can qualify or authenticate incoming streams and match them to the outgoing requests that prompted them.
- NAT conserves the globally valid IP addresses businesses need and, combined with Classless Inter-Domain Routing (CIDR), has done much to extend IPv4's useful life. NAT is described in general terms in IETF RFC 1631.
3.3 What are the various types of NAT techniques?
- The NAT ("natting") mechanism is a feature of routers and is often part of corporate firewalls. NAT gateways can map IP addresses in several ways:
  o statically, from a local IP address to a global IP address;
  o by hiding the entire internal address space, including private IP addresses, behind a single IP address;
  o dynamically, mapping a large private network onto a single public IP address using translation tables;
  o from a local IP address plus a specific TCP port to a global address or to one of a pool of public IP addresses; and
  o from one global IP address to any of a group of local IP addresses on a round-robin basis.
- In some cases, the network administrator sets a policy that lets the gateway choose mappings based on the intended destination ("select this external address to communicate with Partner A's regional network; select that external address to communicate with Partner B").
- Policies can also be based on the protocol in use ("pick from this pool for HTTP traffic, from that pool for HTTPS") or on other factors.
- A newer use of NAT focuses on translating an ISP's IPv4 addresses to IPv6 and vice versa. This allows IPv4 infrastructure and endpoints to be integrated into an IPv6 environment and lets IPv6 services interact with IPv4 systems.
AS, S., 2021. The Consequences of a Cyber Security Breach. [Online]
Available at: https://www.sungardas.com/en-gb/blog/the-consequences-of-a-cyber-security-breach/ [Accessed 13 April 2023].
Beringer, 2019. Five Security Solutions to Protect Your Organization from Cyber Attacks. [Online]
Available at: https://www.beringer.net/beringerblog/five-security-solutions-to-protect-your-organization-from-cyber-attacks/
Cisco, n.d. What Is a Firewall? [Online]
Available at: https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html
Available at: https://cloud.google.com/vpc/docs/firewall-policies-overview#:~:text=Firewall%20policies%20let%20you%20group,Cloud%20(VPC)%20firewall%20rules.
Gillis, A. S., 2020. Static IP address. [Online]
Available at: https://www.techtarget.com/whatis/definition/static-IP-address
Hanna, K. T., 2021. Network Address Translation (NAT). [Online]
Available at: https://www.techtarget.com/searchnetworking/definition/Network-Address-Translation-NAT [Accessed 16 April 2023].
Kaspersky, n.d. What is a firewall? Definition and explanation. [Online]
Available at: https://www.kaspersky.com/resource-center/definitions/firewall
Lamb, M., n.d. 7 Threat Agents Your Cyber Security Team Should Be Aware Of. [Online]
Available at: https://www.thedataguardians.co.uk/2019/02/27/7-threat-agents-your-cyber-security-team-should-be-aware-of/
Lutkevich, B., 2021. DMZ in networking. [Online]
Available at: https://www.techtarget.com/searchsecurity/definition/DMZ
Lutkevich, B., n.d. Intrusion detection system (IDS). [Online]
Available at: https://www.techtarget.com/searchsecurity/definition/intrusion-detection-system
Rosencrance, L., n.d. Top 10 types of information security threats for IT teams. [Online]
Available at: https://www.techtarget.com/searchsecurity/feature/Top-10-types-of-information-security-threats-for-IT-teams
Hill, M. and Swinhoe, D., 2022. The 15 biggest data breaches of the 21st century. [Online]
Available at: https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html [Accessed 13 April 2023].