
An Introduction to Network Cyber Security

Table of Contents

1. Overview (p. 3)
2. Introduction to Networks (p. 4)
3. Network Cyber Security As Part Of A Holistic Approach (p. 5)
   3.1. Application Security (p. 5)
   3.2. Network Security (p. 6)
   3.3. Physical Security (p. 7)
4. Understanding Networks (p. 8)
   4.1. Building Blocks (p. 8)
   4.2. Address Services (p. 8)
   4.3. Internet Exchange Points and Topology (p. 8)
   4.4. Authentication through Certificates (p. 9)
   4.5. Protocols (p. 9)
5. Network Cyber Security Vulnerabilities (p. 11)
   5.1. Anonymity and Attribution (p. 11)
   5.2. Denial of Service Attacks (p. 11)
   5.3. Spoofing and Man-in-the-Middle Attacks (p. 11)
   5.4. Network Interception and Black-holes (p. 12)
   5.5. Fake Certificates and Certificate Authorities (p. 13)
   5.6. Protocol Attacks (p. 13)
   5.7. Sizes of Networks and Traffic (p. 13)
   5.8. Netflow (p. 14)
6. Network Cyber Security Defense Capabilities (p. 15)
   6.1. Protect Network Infrastructure (p. 15)
      6.1.1. VPNs (p. 15)
      6.1.2. Backbone Hardening (p. 15)
      6.1.3. Firewalls (p. 16)
   6.2. Defend Network Operations (p. 16)
      6.2.1. Intrusion Detection Systems (p. 17)
      6.2.2. Malware Signatures (p. 17)
      6.2.3. Deep Packet Inspection (p. 17)
   6.3. Analyze Network Activity (p. 17)
      6.3.1. Situational Awareness (p. 18)
   6.4. Test Network Security (p. 18)
      6.4.1. Black, Grey and White Hat Hackers (p. 18)
      6.4.2. Penetration Testing (p. 19)
      6.4.3. Vulnerability Scanning (p. 19)
   6.5. The Exploit Wheel of Life (p. 19)
      6.5.1. Virtual Task Forces and Information Exchanges (p. 19)
      6.5.2. Virtuous Cycle (p. 20)
   7.1. Growth Figures (p. 20)
7. Markets (p. 22)
   8.1. Protection (p. 22)
   8.2. Defense/Interception (p. 22)
   8.3. Analysis and Situational Awareness (p. 23)
   8.4. Active Test (p. 23)
8. Growth Areas (p. 25)
9. Ultra Solutions (p. 25)

Ultra Electronics, 3eTI 2012

May 2012

An Introduction to Network Cyber Security

1. Overview
This paper provides an overview of network cyber security, what it is, and an explanation of some of the
terms. Cyberspace can be divided into the following assets: devices, data, networks, and people
(Diagram 1). Securing those assets is the job of cyber security. Many of us are familiar with cyber security
products designed to protect devices, such as anti-virus or login passwords. We are also familiar with the
concept of encryption to protect data, but what about network security? Data needs to be communicated
and therefore networks are required in order to make use of that data in a wider context. We use cryptos
on networks (such as military data-link cryptos, or hardware VPN cryptos) but these devices are really just
protecting the data flowing over the networks rather than the infrastructure or operation of the network
itself.
Cryptography plays a large role in network cyber security, but it is not the only one. Cryptography can
also play a larger role than just traffic encryption within network cyber security, and some of those ideas
will be presented here.
Networks are easy to understand and have many obvious analogies in the real world. This paper should
help the reader understand what computer networks are, facilitate ongoing discussions and avoid
confusion, by providing a commonly understood baseline and terminology.

1.1. How to read this document


This document is divided into three sections: an introduction to how networks work and how they are
vulnerable, an overview of the different network cyber security protection areas, and a model and market
assessment of the network cyber security space.
While it is possible to read only the last section and bypass the other content, this is not advisable.
Networks are commonly misunderstood, especially with regard to network cyber security. Just reading
the model section or concluding strategy could perpetuate the misunderstandings and confuse the
reader further.
In this vein, some may find the analogies used in this document too simple, and for that, an apology is
offered. However, networks are for the most part simple to understand, and it is the author's intent to
provide examples that will prove to be enlightening.


2. Introduction to Networks
Computer networks are one of those technologies which most people have heard of, and have an idea of
what they are, but do not necessarily understand. When most people hear the term computer network
they immediately think of wires and cables strung between boxes. Networks do not exist without the
wires or physical network, but the wiring alone is not what makes transportation across them possible.
A good analogy when thinking of computer networks is the road infrastructure. The surface of the road
defines where the road is, but it is the extra elements such as traffic lights, speed limits, drivers' licenses,
cars, lorries, bridges and roadmaps etc., that make transportation across it possible. Without highway
laws, safe vehicles, signposts and maps, the roads would just be stretches of tarmac without any
purpose. Computer networks are the same: the easy part is putting the cables in the ground and
connecting them together; the hard part is getting traffic to flow through them correctly and reliably from
source to destination all across the world!
Attackers can manipulate and disrupt a network and its traffic by hacking these other elements. It is the
role of network cyber security to act as the police of the system and to try and ensure the infrastructure
remains as reliable and accessible as possible.


3. Network Cyber Security As Part Of A Holistic Approach


As we said in the introduction, cyberspace can be divided into devices, data, networks and people. Each
one of these areas needs its own cyber security in order to protect the whole. Putting advanced
cryptography between the computers on a network will protect against anyone listening in on your
communications, but will do nothing to stop the spread of malware introduced from an infected USB stick.
Instead a holistic approach across all of these areas is required (Diagram 1).

Diagram 1 Cyber Security Defined

3.1. Application Security


Application security sits at the nexus between devices and data. Applications are made from data, but
they are created to manipulate devices. For instance your computer is a device, but what makes it useful
is the software that runs on it manipulating the 1s and 0s stored in memory. Therefore applications are
written for the purpose of performing a task. If the application behaves as expected, then given a known
input the application should provide a deterministic output. Should an attacker manipulate the input to an
application, or even the application's behavior itself, then the output would no longer be what the creator or
operator had intended and could have damaging consequences. While this can prove frustrating on a
home computer, it can have a severe impact on an industrial control system such as a power station.
Applications therefore need some security controls to protect them from malicious manipulation. This is
not easy as applications are very complex, therefore it is difficult to identify standard and non-standard
behavior. Manipulations can also be very subtle, making their presence difficult to detect. Applications
therefore use a variety of techniques such as memory randomization (where the code doesn't always
sit in the same location each time it is run), encryption, permissions (which define who can do what), and input
checking to protect themselves from outside manipulation. Applications can also be cryptographically
signed to prove to the user and device that they haven't been manipulated since they were
produced by their creator. There are also specific security applications such as anti-virus whose function
it is to look for and identify malicious applications or behavior denoting an attack. However, this is not
easy, as there is a constantly changing array of malicious applications that the anti-virus application has
never even seen before.
One interesting statistic is the estimate that there is one software bug in every thousand lines of code;
since typical applications run into millions of lines of code, that amounts to a large number of software
bugs. It is these bugs that attackers exploit, using them to make an application
perform in a non-standard manner, potentially allowing them to carry out unauthorized or unintended tasks.
Anti-virus products are themselves large, complex pieces of software, and are not immune to
being the vector through which an attacker successfully gains control over a system.
As a result, the application space is not an open, no-holds-barred playground. Operating systems and
vendors have worked hard to try and enforce stricter rules on access and authentication for certain
operations. A simple username and login prompt can provide an acceptable level of application security in
certain circumstances. Otherwise, granular control over which files, folders and system operations a user
can manipulate can be implemented to protect against malicious behavior. This stops an exploited piece
of software such as a word processing application from being able to maliciously change the underlying
operating system.
However, because the application space is all software and it is very difficult to write perfect bug free
software, application security will always be required. Without it, there could be no guarantee that a
computer or task was being carried out as the designer and operator intended.

3.2. Network Security


Just as a system can be attacked in a number of different ways, there are a number of different types of
defenses that can be used to protect it. We are all familiar with the use of encryption as a way to harden a
network and add confidentiality. This is an example of an infrastructure hardening process: a static
security control that by virtue of its operation stops a number of attacks from succeeding. However, as we
pointed out with the USB example, these protections can be overcome, so real-time monitoring controls
are also used.
Monitors and intelligence gathering tools sit in a system and attempt to discover and stop attacks by
inspecting ongoing activity. One common example of a device monitoring control is software anti-virus.
Anti-virus sits on your computer and tries to detect malware infections in real time. Between hardening
and monitoring a large number of attacks can be prevented; however, these protections are never perfect.
Imperfections in the way a system operates or communicates can introduce vulnerabilities that are not
protected against.
Therefore a third layer of security control is required to cover these situations. These analysis controls sit
outside of the day-to-day operation of a system or network and observe behavior. Then, through the
reported information, the analysis controls try to identify when anomalous behavior is occurring or if there
are other signs of compromise. The analysis products can be thought of as providing situational
awareness of the activity on a network or system, able to find the needles representing attackers in a
haystack of normal activity. There is a final level of security called exploit, in which hired experts test the
strength of your security. In cyber security these are known as penetration tests or ethical hacking.
These levels of cyber security have analogies in the physical space. We build walls and doors
representing hardened controls, we use night watchmen and security guards as monitoring controls. And
we have police investigation teams and forensic examiners to discover evidence of successful attacks.
Together these three types of security create defense in depth preventing many attacks and minimizing
the impact from successful ones. Throughout the rest of this paper the subject of networks and network
security will be explored in more detail, as this is one of the clearest examples of where security is more
than encryption, and where encryption provides more than just confidentiality.


3.3. Physical Security


Critical Infrastructure (CI) must be built on a foundation of both physical and cyber security. Infrastructure
and site surveillance is imperative with the increasing concern for security and safety due to the threat of
terrorism and protection of critical assets. The best chance of preventing disruption to a facility is to create
an interactive perimeter that detects intruders and alerts you to potential threats before they occur.
Physical security likewise provides a valuable piece of the cyber security solution. Specifically, it can be
used to enhance the protection against attacks by people (whether intentional or unintentional). Users are
one of the most common vectors for cyber attack. For instance, manipulating someone into using an
infected USB stick can compromise an air-gapped system, as can socially engineering someone into giving an
unauthorized person access to a restricted or critical area. By protecting and monitoring access to critical
servers, removing physical access to USB drives, or identifying when tampering occurs to remote
systems, the whole cyber security posture is elevated.

Diagram 2 Physical Security Integrated


4. Understanding Networks
4.1. Building Blocks
Almost all IP networks are built from the same few building blocks, from small office scale networks to the
expanse of the Internet. Combined together, these building blocks create a useful network infrastructure
over which any type of data can flow. The utility of a network is its purpose; should an attacker
successfully attack one of the building blocks, they will disrupt the usefulness of the network and
therefore cause the same damage as if they had cut the wires themselves. So what are these building blocks?
(Diagram 2)

Diagram 3 - Network Building Blocks

With the exception of certificates, each of these technologies was designed to make networking easier
rather than more secure, and they are therefore inherently insecure and vulnerable. Security researchers are
only now beginning to add security to these elements, and new vulnerabilities within them are
being discovered all the time.

4.2. Address Services


The Address Services are the phone directory of the network. They provide each device with a unique
address (e.g. a phone number) within the network. They also provide the translation from a textual
web address, such as google.com, into the unique numerical IPv4/IPv6 address, such as 192.168.2.1. The
most common address service protocols are DHCP, which provides your computer with an IP address on
a local network, and DNS, which translates web addresses into Internet IP addresses.

4.3. Internet Exchange Points and Topology


The Internet is not, as is commonly thought, one large mesh network of computers all interconnected.
Instead, think of it as many cities connected to each other via large highways. Each Internet Service
Provider (ISP) can be thought of as a city comprising a large number of houses (or computers); these are
called Autonomous Systems (AS). All of the ASs are joined together via big, super-fast connections. In
order to get from one house in one AS (city) to another house in another AS, you have to plan your
journey just as you do for a road trip, which involves traversing the city's roads as well as the inter-city
highways. The same is true for networks: you use internal routers to get through each AS, and external
routers to get between ASs. Both external and internal routers are needed if large networks are to be
deployed. Do not confuse the geographical topology of networks with the network topology of ASs. There
is some commonality due to the locations of wires and computers, but the network topology is primarily
determined by an AS's architecture across its user base.
The Internet was initially designed to be robust and adaptable to the loss of any given link. The Internet
is still very capable of quickly routing around lost connections, but it is not as robust as most people
think. Due to economic pressures, the Internet actually has a relatively small number of critical nodes
(called Internet Exchange Points) through which a very large amount of traffic passes. Should these be
disrupted or destroyed, it is uncertain how well the rest of the network would operate. These include the
Deutscher Commercial Internet Exchange (1120 Gbps), Amsterdam Internet Exchange (912 Gbps),
Equinix Exchange (990 Gbps) and London Internet Exchange (743 Gbps), with their average throughputs.
The Internet Topology (Diagram 4) clearly illustrates some of these primary interconnects.

Diagram 4 The Internet Topology (Opte Project: http://opte.org/)

4.4. Authentication through Certificates


Computer networks are intrinsically anonymous. Anyone can obtain an IP address and therefore be
reached from anywhere else, but ironically having an IP address does not tell you anything about the
computer at the end of it. Similar to the phone network, you can sometimes misdial or become
erroneously connected. We therefore rely upon the trustworthiness of the person at the other end of the
phone to answer and correctly identify themselves. The phone system does not have any way to do the
authentication for us. The same is true of computer networks; we rely on the computer at the other end of
the IP address to be who they say they are. While this scenario is acceptable for family, friends, etc., it
does not provide enough authentication for businesses such as banks or the government. Computers
therefore utilize certificates (similar to passports) to provide identification. These certificates are issued by
a third party (called a certificate authority), and are secured against duplication or fraudulent use through
encryption. When a user connects to a remote computer, the remote computer sends back their correctly
issued certificate, bound to their address so as to prove their identity. These certificates cannot easily be
altered, and as they are tied to an identity such as a web address (e.g. google.com), an attacker cannot
substitute one of their own. Obviously, should an attacker obtain a certificate for a site they do not own, it
is possible that they can reliably masquerade as that site. This is exactly what happened at the certificate
authorities Comodo and DigiNotar, and it caused a large upheaval to Internet operations.

4.5. Protocols
The final IP network building block is protocols. Protocols can be thought of as the Highway Code:
everyone needs to know them and follow them in order to use the network. The most common ones are:
IPv4 which describes how to label a packet, and TCP which describes how to reliably send packets.
There are many more which are intrinsic to the working of a network, but it is not necessary for the
purposes of this discussion to look at these in detail. What is important to understand is that networks are
bound to these protocols; they need to use them in order to interoperate. Network protocols are open and
available for anyone to understand and implement, and as a result, computers and networks operate in a
predictable and pre-determined manner.
Networks are designed to carry traffic, therefore there are some aspects of network operation and
network security which require viewing the traffic itself. Inspecting the traffic through a network could be
thought of as a part of data cyber security, however there is a fine line differentiating the two, so for the
purposes of this discussion, they will be deemed as part of network cyber security.
Networks operate by inspecting the headers of the traffic that flows across them, as this is where the
destination addresses are given. A great deal of extra information can be obtained by looking further into
a packet of data rather than just observing its header. Network monitors are designed to do just this, and
this is termed deep packet inspection or analysis (DPI). DPI sounds impressive, but it only describes the act
of looking at more than just the header. As in real life, reading is the easy part; it's the understanding of
what you have just read that is difficult.
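As an added example (not code from the paper), the two views just described side by side: the header view a router needs, and the deeper view a DPI monitor takes of the same bytes. The IPv4/TCP packet, addresses and HTTP request are constructed for this example; checksums are left at zero and not verified.

```python
import struct
from dataclasses import dataclass
from typing import Optional


# Constructed sample packet for this example (not a capture): an IPv4/TCP
# segment from 192.168.2.20 to 192.168.2.1 carrying an HTTP request line.
def build_sample_packet() -> bytes:
    payload = b"GET /login HTTP/1.1\r\nHost: example.com\r\n\r\n"
    # TCP header: ports, seq, ack, data offset 5 words (20 bytes), flags PSH|ACK,
    # window, checksum (zero here), urgent pointer.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4 header: version 4 / IHL 5, TOS, total length, ID, flags+fragment offset,
    # TTL 64, protocol 6 (TCP), checksum (zero here), source, destination.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
                     bytes([192, 168, 2, 20]), bytes([192, 168, 2, 1]))
    return ip + tcp + payload


@dataclass
class Headers:
    """What a router (or a header-only monitor) learns from a packet."""
    src: str
    dst: str
    proto: int
    ttl: int
    sport: Optional[int]
    dport: Optional[int]
    payload_offset: int   # where the application data starts
    total_len: int        # end of the IP datagram inside the buffer


def _dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_headers(pkt: bytes) -> Headers:
    """Header view: read only the IPv4 header and, for TCP, the transport ports."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    # Length fields come from the wire and are checked before use; a bad IHL or
    # total length is a classic way to crash a careless packet parser.
    if ihl < 20 or ihl > total_len or total_len > len(pkt):
        raise ValueError("inconsistent IPv4 length fields")
    sport = dport = None
    payload_offset = ihl
    if proto == 6:                                   # TCP
        if total_len - ihl < 20:
            raise ValueError("truncated TCP header")
        sport, dport, _seq, _ack, doff_flags = struct.unpack("!HHIIB", pkt[ihl:ihl + 13])
        tcp_len = (doff_flags >> 4) * 4
        if tcp_len < 20 or ihl + tcp_len > total_len:
            raise ValueError("inconsistent TCP data offset")
        payload_offset = ihl + tcp_len
    return Headers(_dotted(src), _dotted(dst), proto, ttl, sport, dport,
                   payload_offset, total_len)


def deep_inspect(pkt: bytes) -> dict:
    """DPI view: go past the headers and read the application data itself.
    Here it recognises a plain-text HTTP request and pulls out method and Host;
    making sense of the bytes is the hard part the paper refers to."""
    h = parse_headers(pkt)
    payload = pkt[h.payload_offset:h.total_len]
    result = {"payload_bytes": len(payload), "http_method": None, "http_host": None}
    if h.proto == 6 and payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        lines = payload.split(b"\r\n")
        result["http_method"] = lines[0].split(b" ")[0].decode("ascii", "replace")
        for line in lines[1:]:
            if line.lower().startswith(b"host:"):
                result["http_host"] = line.split(b":", 1)[1].strip().decode("ascii", "replace")
                break
    return result


if __name__ == "__main__":
    sample = build_sample_packet()
    print(parse_headers(sample))   # what a router sees
    print(deep_inspect(sample))    # what a DPI monitor sees
```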


5. Network Cyber Security Vulnerabilities


We have discussed that networks are made up of lots of computers all delicately stitched together using a
few key building blocks. Keeping these building blocks running efficiently is the job of network
management, and keeping them safe from attack is the job of network cyber security. Attackers are
typically trying to attack or manipulate one or more of these building blocks in order to achieve their
objective.
The majority of standard networks (including the Internet) were designed and implemented with no
inherent authentication, access control or attribution. Instead they were designed for utility and robustness.

5.1. Anonymity and Attribution


Security was not really a consideration when the majority of network infrastructure components were
invented. As a result, networks are inherently vulnerable to a number of attacks. One of the largest and
most intractable is that attackers, and their attacks, are for all intents and purposes anonymous. The only
indication of where an attack came from is the sender address of the attack packet, but an address does
not prove who sent it, only where it was sent from, and even then this address can easily be forged.
It is common for attackers to use a previously infected system as an unwitting victim from which to launch
their attack on a more sophisticated target. This maneuver will lead any subsequent investigation by a
sophisticated investigator to the first victim rather than the attacker. This begs the question, are all attacks
that seem to originate from China actually the result of Chinese hackers? Or are attackers routing their
attacks through China knowing no further investigation from there will be possible?
Due to the lack of inbuilt security, each building block of the network is vulnerable to different attacks.
Networks by definition are broadcast mediums: any device along a packet's journey can view the packets
going through it, and so in that regard confidentiality is not expected. Therefore encryption devices such
as in-line encryptors are used to make data confidential before it ever enters the network.

5.2. Denial of Service Attacks


IP computer networks were originally designed to solve the availability problem: by utilizing a packet-
switched architecture, IP networks are able to reroute around congestion or broken connections, and they
make full use of the capacity of a link in a way that circuit-switched networks never could. What they
were not designed to protect against was the intentional flooding of data to a single destination. This is what
is known as a denial-of-service (DoS) attack: so many junk packets are sent to a receiver that
it does not have the resources to sort through and ignore the bad packets while handling only the legitimate
ones. As a result, the receiver collapses under the load and legitimate communications go undelivered.

5.3. Spoofing and Man-in-the-Middle Attacks


The most dangerous element of a network to attack is its integrity. If an attacker can manipulate the
addressing, routing or certificates of a network, they can then control who talks to whom and impersonate
anyone they want (e.g. your bank or your company). Just as maps only work if the road layout and
signposts are correct, networks only work if the routing, addressing and certificates of the network are
accurate and not manipulated.
Address services are vulnerable to two main types of attack: corruption and impersonation. Clients send
requests to address services, such as "what is the IP address of google.com" or "what is the address of the
Wi-Fi base station", and address servers return the answers. If an attacker can manipulate the information
in the address servers, then they will give clients the wrong information and clients will unwittingly connect
to the wrong destination. The other way to manipulate the address services is to impersonate them. If an
attacker can listen for a client's request and send an impersonated reply before the real address server can, then
the client will use the information provided by the attacker. This is known as spoofing, and it occurs
because there is a historical inherent trust of the address services. This is slowly changing with the
addition of technologies such as Domain Name System Security Extensions (DNSSEC), but we are far
from this point yet. Apart from directing computers to the wrong destinations, attackers can also pretend
to be the Internet access point, and have computers connect through them. This enables them to act as a
man-in-the-middle and view all the traffic and manipulate it as they see fit. The ability to act as a fake
destination or gateway allows an attacker to completely control the conversation and manipulate any of
the data passing through it. An attacker could for example, capture all of your login information or even
send fake email from your account.
It is the integrity and legitimacy of address services that are attacked by hackers; if they control the
address services they control the destination of traffic. Network defenders are therefore on the lookout for
address service impersonators or manipulations to the address service information, but as attacks
become more sophisticated this becomes more difficult.
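An added example (not part of the paper) of what a defender can look for in the spoofing race described above: a passive monitor that pairs DNS queries with their replies and flags a second, conflicting reply for the same transaction, which is the footprint a spoofed answer leaves because the genuine reply still arrives afterwards. The message stream, addresses and names are constructed for the example; the monitor class and its method names are this example's own, not any product's API.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DnsMsg:
    """One DNS message seen on the wire (only the fields the monitor needs)."""
    ts: float                    # seconds since capture start
    src: str
    dst: str
    txid: int                    # 16-bit transaction ID copied from query to reply
    qname: str
    is_response: bool
    answer: Optional[str] = None # A record in a reply; None for queries


class DnsSpoofMonitor:
    """Passive detector for spoofed DNS replies.

    A spoofer must answer before the real resolver, so the legitimate reply
    still arrives afterwards: two replies for one (client, txid, name) that
    disagree are the signature. Replies from the wrong source or with no
    matching query are also flagged, but a forged source address defeats
    those two checks, which is why the conflict check is the main one.
    """

    def __init__(self, resolver_ip: str) -> None:
        self.resolver_ip = resolver_ip
        self.pending: Dict[Tuple[str, int, str], DnsMsg] = {}   # queries awaiting a reply
        self.answered: Dict[Tuple[str, int, str], DnsMsg] = {}  # first reply seen per query
        self.alerts: List[str] = []

    def feed(self, m: DnsMsg) -> Optional[str]:
        """Consume one message; return the alert it raised, if any."""
        qname = m.qname.lower().rstrip(".")
        if not m.is_response:
            self.pending[(m.src, m.txid, qname)] = m
            return None
        key = (m.dst, m.txid, qname)          # replies are keyed by the client they go to
        alert = None
        if key in self.answered:
            first = self.answered[key]
            if first.answer != m.answer:      # identical duplicates (retransmits) are benign
                alert = (f"{qname}: conflicting replies for txid {m.txid:#06x} to {m.dst}: "
                         f"{first.answer} from {first.src} at {first.ts:.3f}s, then "
                         f"{m.answer} from {m.src} at {m.ts:.3f}s; the client already "
                         f"accepted the first, which is the suspect one")
        elif key in self.pending:
            del self.pending[key]
            self.answered[key] = m
            if m.src != self.resolver_ip:
                alert = f"{qname}: reply from {m.src} rather than resolver {self.resolver_ip}"
        else:
            alert = f"{qname}: unsolicited reply to {m.dst} (txid {m.txid:#06x}) from {m.src}"
        if alert:
            self.alerts.append(alert)
        return alert


def run_sample() -> List[str]:
    """Feed a constructed message stream and return the alerts it produces."""
    client, resolver = "192.168.2.20", "192.168.2.1"
    stream = [
        # Normal lookup: one query, one reply from the resolver.
        DnsMsg(0.000, client, resolver, 0x1111, "example.com", False),
        DnsMsg(0.015, resolver, client, 0x1111, "example.com", True, "198.51.100.7"),
        # Spoofed lookup: a reply carrying the resolver's address as a forged source
        # lands 1 ms after the query; the genuine reply arrives 20 ms later.
        DnsMsg(1.000, client, resolver, 0x1a2b, "bank.example", False),
        DnsMsg(1.001, resolver, client, 0x1a2b, "bank.example", True, "203.0.113.66"),
        DnsMsg(1.020, resolver, client, 0x1a2b, "bank.example", True, "198.51.100.10"),
    ]
    mon = DnsSpoofMonitor(resolver)
    for msg in stream:
        mon.feed(msg)
    return mon.alerts


if __name__ == "__main__":
    for a in run_sample():
        print("ALERT", a)
```

Because the client acts on whichever reply arrives first, the alert can only confirm that a spoof happened; DNSSEC validation, mentioned above, is what lets the client reject the bad answer rather than merely log it.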

5.4. Network Interception and Black-holes


Router and address service attacks are sometimes confused with one another, but in reality they are very
different. Using a postcard analogy, address service attacks attempt to change the address on the
postcard but let the postal service deliver it as normal, whereas router attacks leave the address on the
postcard alone but manipulate the post office into sending the postcard to the wrong depot.
Routers, both internal and external, are constantly communicating with each other, passing information
about congestion, open/closed links, and whom they are connected to. This enables all the routers to
maintain a common operational picture (COP) of the overall network. As long as all the routers have a
similar and accurate COP, they can then route any packet to any destination reliably and accurately. If an
attacker can manipulate this information, e.g. tell the U.S. that the quickest way to communicate with the
U.K. is through South America, then just like your GPS system will re-route you along the fastest roads,
traffic will begin to flow along the manipulated sub-optimal route. There are two reasons for doing this,
either the attacker would like to monitor all of your communications, and therefore route that traffic
through their own systems, or they want to stop any traffic reaching a destination so they purposely route
traffic away from it. Traffic routed away so it never reaches its destination is called black-holing. Network
black holes are areas unreachable by other parts of the network due to routing inaccuracies. If an
attacker does not want to black-hole a destination, but rather intercept and read all of their traffic, then
they change the routes so that all traffic goes through them en-route to the destination.
So for the correct and reliable operation of a network, defenders need to ensure that the routing
information is accurate and not manipulated. Defenders however, cannot lock down routing tables and
stop them from being changed without limiting the ability of routers to handle changing conditions.
Optimal routes change all the time due to network outages/maintenance or congestion, routers need to
keep abreast of these changes to ensure a continuously reliable and robust network. If routers cannot
exchange operational information and update routing tables they will become brittle and potentially
collapse.
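The interception and black-holing routes described above both rest on one property of Internet routing: the most specific prefix announced for a destination wins. The following is an added example, not code from the original paper, showing that rule in a toy route table and then the defence the paper alludes to when it asks for routing information that "originates from an appropriate source": route origin validation against a list of authorised prefix/origin pairs (the technique standardised as RPKI, which the paper does not name). The AS numbers, prefixes and the hijack scenario are assumptions made up for the illustration.

```python
import ipaddress


class RouteTable:
    """A toy BGP-style table: whoever announces the most specific prefix
    wins the lookup, exactly the behaviour a hijacker exploits."""

    def __init__(self):
        self.routes = []    # list of (network, as_path); as_path[-1] is the origin AS

    def announce(self, prefix, as_path):
        self.routes.append((ipaddress.ip_network(prefix), tuple(as_path)))

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        best = None
        for net, path in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, path)
        return best


def origin_state(prefix, as_path, roas):
    """Route origin validation against (prefix, max_length, origin_as) records:
    'valid', 'invalid' (covered, but wrong origin or more specific than allowed)
    or 'not-found' (no record covers the prefix, so nothing can be said)."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for roa_prefix, max_len, asn in roas:
        if net.subnet_of(ipaddress.ip_network(roa_prefix)):
            covered = True
            if asn == origin and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"


class ValidatingRouteTable(RouteTable):
    """Same table, but announcements that fail origin validation are dropped."""

    def __init__(self, roas):
        super().__init__()
        self.roas = roas
        self.rejected = []

    def announce(self, prefix, as_path):
        state = origin_state(prefix, as_path, self.roas)
        if state == "invalid":
            self.rejected.append((prefix, tuple(as_path), state))
            return state
        super().announce(prefix, as_path)
        return state


# Constructed scenario using private-use AS numbers: AS64500 legitimately
# originates 192.0.2.0/24; AS64666 steals the traffic for hosts in the lower
# half of it by announcing the more specific 192.0.2.0/25.
ROAS = [("192.0.2.0/24", 24, 64500)]
VICTIM_HOST = "192.0.2.10"


def hijack_demo():
    plain = RouteTable()
    plain.announce("192.0.2.0/24", [64510, 64500])
    before = plain.lookup(VICTIM_HOST)[1][-1]
    plain.announce("192.0.2.0/25", [64520, 64666])     # the more-specific hijack
    after = plain.lookup(VICTIM_HOST)[1][-1]

    checked = ValidatingRouteTable(ROAS)
    checked.announce("192.0.2.0/24", [64510, 64500])
    verdict = checked.announce("192.0.2.0/25", [64520, 64666])
    return {
        "unchecked_before": before,
        "unchecked_after": after,
        "validated_verdict": verdict,
        "validated_origin": checked.lookup(VICTIM_HOST)[1][-1],
    }
```

Whether the attacker then forwards the traffic on (interception) or silently discards it (black-holing) is their choice; the route table looks the same either way. Origin validation only checks the last AS in the path, so an attacker who forges a path ending in the legitimate origin (64666 then 64500) for the full /24 still validates, which is the "malicious router" limitation the paper raises later under backbone hardening.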


5.5. Fake Certificates and Certificate Authorities


Networks can be manipulated, therefore clients need a way to verify the identity of the computer at the
other end of the connection. Certificates are used as a form of ID: if an attacker manipulates the
addressing or routing of traffic, the computer the client ends up talking to will not be able to present the correct ID
and the client will know something is amiss. When browsing the Internet, any site that uses HTTPS
presents a certificate to prove its identity and so, in theory, can be trusted. However, just as with any form
of ID, you need to prevent an attacker from forging a fake one. This is done by using certificate authorities
(CAs) whose job it is to verify the identity of the requester and sign their certificate. Every browser ships
with a copy of these CAs' root certificates (their public keys), so it can validate the signature on any certificate it receives. If
the certificate is not signed by one of the trusted CAs, the browser warns the user that it is potentially fraudulent
and dangerous. But how do you sign certificates for sites all around the world, in different countries and
jurisdictions? There is no international, U.N. style body that oversees this, so
web browsers end up having to trust at least 50 independent CAs from all around the world (many more once
the subordinate CAs they have delegated to are counted). These range from small companies to large ones and include the Hong Kong Post Office and Coventry
City Council, and the scary part is that browsers trust them all equally regardless of who they are: any one of
them can sign a certificate for any name.
Attackers routinely target these CAs and attempt to get fake certificates signed by them so that the certificates
appear legitimate. If they are able to do this, then they can have a victim connect to the wrong
destination and present a legitimate-looking certificate for the victim's bank, bypassing the computer's
built-in security checks and giving the user no warning of the fraudulent activity. The 2011 compromise of the
Dutch CA DigiNotar, which issued fraudulent certificates for Google domains that were later used against users in Iran, is the textbook case.

5.6. Protocol Attacks


CA attacks aside, most network attacks (including some on address services) are in actuality attacks on
protocols. Every computer follows set rules for how it communicates with others; hackers
periodically find that if they go off script in certain ways they can manipulate the protocol and do
things they should not be able to do. Network defenders need to look for deviations from
network protocols and try to prevent any impact arising from them. This is notoriously difficult
to do, because at first glance both parties appear to be following the protocol. Protocol manipulation is analogous
to a Derren Brown magic trick (see plenty of YouTube clips for more explanation).
As you can imagine, cyber attacks on a network's availability tend to be obvious and destructive: either a
denial-of-service flood, or traffic routed to the completely wrong destination. Attacks on a network's
integrity tend to be more subtle and difficult to identify, especially when you are not looking for them. Thus
network cyber defenders introduce proactive security measures such as DNSSEC and firewalls to
prevent these attacks, and use network monitoring measures such as intrusion detection and DPI to
detect signs of an attack that has penetrated their protections.

5.7. Sizes of Networks and Traffic


As with all detective security controls, it is very difficult to spot an attacker or attack amongst all the
legitimate activity. This is especially the case within computer networks. The Internet currently routes
around 7,700 GB/s, which is around 1,600 DVDs every second! It is inconceivable that any person or machine could
look at, or effectively analyze, that volume of data in real time, let alone store it. Monitoring the backbone
of the Internet is not feasible; therefore, instead of capturing and looking at a large amount of data,
situational awareness is normally achieved through lots of sensors or probes distributed throughout the
infrastructure, each looking at a smaller amount of data, and then fusing the results.
A dispersed set of network monitors can provide a good picture of what is happening across the whole
network at any given moment, and tools can be used to measure the pattern of traffic now versus


historically. This trend analysis is used to identify anomalous data streams and potential attacks. To
describe this as looking for a needle in a haystack is apt although a little misleading, because most
security assessors actually remove all of the hay until just the needles remain. In other words, they identify
normal traffic and discard it from the analysis until only the unusual traffic is left.

5.8. Netflow
Even within a medium sized office, the amount of traffic flowing over the network will probably be too
large to capture and store without being prohibitively expensive. Attempting to copy all of the letters a
postman delivers in one day is almost impossible, but asking him to make a note of the sender and
destination post codes (zip codes) is not. In the network cyber security arena this function is called
NetFlow (originally Cisco's name for its flow export format, now used generically for flow records). Routers, switches and
network monitoring systems such as Intrusion Detection Systems (IDS) keep a log of flows,
which lets them track who is talking to whom, when, and how much, without storing what is being said.
NetFlow can be thought of as a social network map of a network. Obviously this data in and of itself is very
interesting, and there are many products and systems in the cyber space to analyze and make inferences
from NetFlow data.


6. Network Cyber Security Defense Capabilities


So now we understand the basics of computer networks, their building blocks and some of the inherent
vulnerabilities. In this section we will describe the main cyber security areas which work to keep networks
running reliably and identify attacks (identifying attackers still runs into the attribution problem).
We separate network cyber security into 4 main areas:
1. Protect the network infrastructure
2. Defend network operations
3. Analyze network activity
4. Test network security (or attack if you prefer)

Each area has a unique role in securing networks and all four are required in order to maintain the
operational reliability and integrity of computer networks. As we look at each in detail we will see that the
securing of networks is really the securing of the integrity of networks, which is to say that we continue to
ensure that network operational information is both accurate and authentic.

6.1. Protect Network Infrastructure


A large part of protecting the network infrastructure involves protecting the network traffic which can be
achieved through encryption, but also includes firewalls and network access controllers.

6.1.1. VPNs
In addition to standard in-line encryption, networks also utilize virtual private networks (VPNs) to
protect network traffic. Most business people are familiar with VPNs as the technology that
lets them gain access to their company's network while out of the office. A VPN is in fact a suite
of protocols used to identify and authenticate both your computer and your office's
network to each other over a public network (e.g. the Internet), to exchange encryption keys, and then to carry
traffic through an encrypted tunnel once both parties have verified each other's identity.
The protocols most commonly used are the IPsec suite (or HAIPE for government use); TLS-based VPNs exist as well.
The traffic will be protected provided the authentication and identification steps are properly executed.
However, as discussed in the certificates section above, if someone else is able to obtain a
false certificate, they could potentially intercept your traffic and view all of your data.

6.1.2. Backbone Hardening


Obviously traffic encryption must be performed between two points, and for individual traffic streams,
this is easy to accomplish using software or in-line encryption such as IPSec or HAIPE. In this
example, the traffic is encrypted between source and destination. What about a network backbone,
can that be encrypted? The first question that should be asked is why? If you are encrypting the
network backbone then by definition, before traffic reaches the backbone, it will be unencrypted. When
it leaves the backbone it will have to be likewise unencrypted. Therefore the only reasonable
assumption for encrypting a backbone is that you are concerned that someone will manipulate or read
the information while it resides on the network. Given the size and speed of a network bandwidth, this
assumption is far-fetched, and the addition of any encryption would negatively impact the operation of
the backbone routing causing larger issues.


Once you have protected the data you want to send over the network, you then need to ensure that
it reaches the correct destination reliably. Specifically, this means ensuring that the routing
tables and link advertisements communicated by internal and external routers are accurate and
originate from an appropriate source, i.e. they have not been made up or modified by an attacker.
Integrity and authenticity are possible through the use of digital signatures and certificates: each router
digitally signs its information before circulating it, removing the ability of an outsider to
flood the network with false information. This requires every router to have cryptographic capability
(in practice dedicated crypto hardware, to keep up with line rate) to perform the signature operations. The cost of doing this is
high in terms of resources and time, and it is highest when links are changing, which is the exact moment you do not want
extra overhead! Furthermore, this only prevents non-routers from advertising false topology
information; it does not prevent a malicious or compromised router from producing false topology information.
Whilst this is not necessarily a problem when the entire network is under your control, the Internet
relies on external routers all around the world to share information, including those in Russia and
China. Although we could determine that the information they sent to us is authentic and unmodified in
transit, we have no independent way of knowing whether it is true.
In addition to secure routing, there needs to be secure addressing so that you can accurately
determine your own location, the gateway to the network and your final destination. Mechanisms such
as DNSSEC are being deployed to provide solutions to some of the issues, but others, such as
learning the gateway's address from DHCP and resolving it to a hardware address with ARP, are still
unauthenticated and vulnerable to spoofing. Just as with securing router advertisements, DNSSEC uses keys and digital
signatures to provide integrity and authenticity of its data.
Thus the protection or hardening of networks is not so much through the encryption of the data
passing through them as through ensuring the integrity and authenticity of the operational and
management data. This means that as network hardening is rolled out, there will be an increasing
reliance on certificates and on the security of root authorities (certificate signers), and thus on the
encryption devices used within them. The more signatures and certificates are used, the more need
there is for crypto.

6.1.3. Firewalls
Firewalls are one of the cornerstones of network protection: they are the stateful
machines that stop unsolicited communications from entering a system. The typical perimeter policy allows traffic out
of the network and lets traffic in only from a known and specified source. That known source
is either explicitly listed (e.g. another company office) or it is the reply from a site with which
someone inside the network has initiated a conversation, which the firewall recognises because it recorded the
outbound connection in its state table. For the most part firewalls are very good at
keeping out unwanted traffic; however, attacks such as TCP injection, in which an attacker spoofs a packet that
looks like part of an existing, permitted connection, can find holes in their operation.
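The state table is what turns "only replies to our own connections get in" into something a machine can evaluate per packet. The following is an added example, not from the original paper, of a minimal stateful filter: outbound SYNs create entries, inbound segments are accepted only against an entry (or from an explicitly listed partner) and, once established, only when their sequence number falls in the expected window. The constructed traffic at the end shows an unsolicited connection being dropped, a listed partner being admitted, and two spoofed "server" segments, one with a wrong sequence number and one where the attacker guessed correctly. The addresses, ports and sequence numbers are assumptions made up for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int = 0        # TCP sequence number of the first payload byte
    length: int = 0     # payload bytes carried
    syn: bool = False
    ack: bool = False


class StatefulFirewall:
    """Default-deny inbound. An outbound SYN creates a connection entry;
    inbound segments are accepted only if they match an entry (or come from
    an explicitly listed external source) and, once the handshake is done,
    carry a sequence number inside the expected receive window."""

    WINDOW = 65535      # bytes of sequence space accepted beyond next_seq

    def __init__(self, inside_prefix, listed_sources=()):
        self.inside_prefix = inside_prefix
        self.listed = set(listed_sources)
        self.table = {}     # (in_ip, in_port, ext_ip, ext_port) -> state

    def _inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def handle(self, s):
        # Outbound: always allowed (the policy the text describes); remember new connections.
        if self._inside(s.src) and not self._inside(s.dst):
            key = (s.src, s.sport, s.dst, s.dport)
            if s.syn and not s.ack:
                self.table[key] = {"state": "SYN_SENT", "next_seq": None}
            return "allow"
        # Inbound from a specifically listed partner site.
        if s.src in self.listed:
            return "allow"
        # Inbound otherwise: must be the reply leg of a connection we saw start.
        entry = self.table.get((s.dst, s.dport, s.src, s.sport))
        if entry is None:
            return "drop:unsolicited"
        if entry["state"] == "SYN_SENT":
            if s.syn and s.ack:
                entry["state"] = "ESTABLISHED"
                entry["next_seq"] = (s.seq + 1) & 0xFFFFFFFF
                return "allow"
            return "drop:bad-handshake"
        # ESTABLISHED: sequence window check (32-bit wraparound ignored for brevity).
        lo = entry["next_seq"]
        if not (lo <= s.seq < lo + self.WINDOW):
            return "drop:out-of-window"
        entry["next_seq"] = (s.seq + s.length) & 0xFFFFFFFF
        return "allow"


def demo():
    """Constructed traffic: an inside client talks HTTPS to an outside server,
    then an attacker injects segments pretending to be that server."""
    fw = StatefulFirewall("10.0.0.", listed_sources={"203.0.113.5"})
    client, server = ("10.0.0.7", 51000), ("198.51.100.80", 443)
    return [
        fw.handle(Segment(*client, *server, seq=1000, syn=True)),                 # outbound SYN
        fw.handle(Segment(*server, *client, seq=5000, syn=True, ack=True)),       # SYN/ACK reply
        fw.handle(Segment(*server, *client, seq=5001, length=100, ack=True)),     # server data
        fw.handle(Segment("198.51.100.9", 25, "10.0.0.7", 25)),                   # unsolicited inbound
        fw.handle(Segment("203.0.113.5", 40000, "10.0.0.7", 22)),                 # listed partner office
        fw.handle(Segment(*server, *client, seq=999999, length=10, ack=True)),    # spoofed, wrong sequence
        fw.handle(Segment(*server, *client, seq=5101, length=10, ack=True)),      # spoofed, sequence guessed
    ]
```

The last verdict is the hole the text refers to: a spoofed segment with a correctly guessed sequence number is indistinguishable from the real server at this layer, which is why injection is ultimately defeated by end-to-end authentication of the data (TLS, IPsec) rather than by the firewall.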

6.2. Defend Network Operations


Protecting the network traffic and hardening the infrastructure will help create a reliable and robust
communications medium for computers. The increased use of encryption and certificates will help prevent
attacks on the infrastructure, but will not prevent them all. Furthermore, they will not prevent attacks targeting
end devices that only use the network as a delivery and communications tool. Many attacks, such as
Advanced Persistent Threats and computer viruses, use the network to infiltrate a company's systems and
continue their attack. These attacks actually require the continued existence and reliable operation of the
network in order to succeed. Therefore, one of the most important and often overlooked aspects of
network cyber security is to monitor the activity over the network and search for attacks or patterns. Given


that networks operate and are attacked at network speeds, the network defenses also need to operate at
these speeds which means being directly connected to and monitoring the network traffic in real-time.

6.2.1. Intrusion Detection Systems


One common network inspection tool is the Intrusion Detection System (IDS). This is a fancy name for
a system that monitors the network's traffic (its flow records and, for signature matching, packet content) and looks for
anomalous activity indicative of an attack, or for the signs of a previously identified one. These systems are not perfect
and tend to produce a lot of false positives and negatives, but they are getting better. The reason for using them is that attacks typically
happen in machine time and the volume of data produced by a network is too great for human analysis
alone. Therefore, computer systems are used to remove most of the hay before a human analyst
looks at the remainder for signs of needles.

6.2.2. Malware Signatures


Just like policemen use mug shots to look for known criminals, network inspection systems use
signatures to look for known attacks. Malware is made of 1s and 0s, therefore when you find a unique
string of 1s and 0s in a piece of malware you could use it as a signature to look for it again. This has
worked very well, however recently malware writers have begun to create polymorphic code which is
code that constantly changes every time it copies itself. This essentially means it is constantly putting
on a new disguise making it harder and harder for the network police to recognize them. Thus
advances in pattern recognition, intelligent processing and inference are required to build more
intelligent network policemen.
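The disguise problem is easiest to see with bytes in hand. The following is an added example, not code from the original paper, modelling polymorphic malware in miniature: a fixed "body" is wrapped in a decoder stub and XOR-encoded with a fresh key for every copy, so a byte signature taken from the body matches none of the copies. The second scanner does what an engine with an unpacker or emulator does: it recognises the structure of the stub, recovers the key the copy must carry in order to decode itself, decodes, and only then applies the signature. The signature, body and stub marker are constructed stand-ins (a real stub is machine code and a real signature is drawn from a real sample).

```python
# Constructed stand-ins: a real signature is a byte pattern chosen from a real
# sample, and a real decoder stub is machine code; these markers only model them.
SIGNATURE = b"\xde\xad\xbe\xef\xca\xfe\xba\xbe"
PAYLOAD = b"\x90" * 16 + SIGNATURE + b"\xcc" * 8      # "malware body" containing the signature
STUB = b"\xebXOR"                                       # marks the start of the decoder stub


def xor_bytes(data, key):
    """Repeating-key XOR: the same function encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def polymorph(payload, key):
    """Produce one copy of the malware: stub, key length, key, encoded body.
    Each copy uses a fresh key, so the bytes of the body differ every time."""
    return STUB + bytes([len(key)]) + key + xor_bytes(payload, key)


def signature_scan(blob, signature=SIGNATURE):
    """The classic check: is the known byte string anywhere in the data?"""
    return signature in blob


def unpack_and_scan(blob, signature=SIGNATURE):
    """The structural approach: recognise the stub, recover the key it has to
    carry (the code must be able to decode itself), decode, then scan."""
    if signature_scan(blob, signature):
        return True
    idx = blob.find(STUB)
    if idx < 0:
        return False
    p = idx + len(STUB)
    if p >= len(blob):
        return False
    klen = blob[p]
    key, body = blob[p + 1:p + 1 + klen], blob[p + 1 + klen:]
    if len(key) != klen or not key:
        return False            # truncated or keyless stub: nothing to decode
    return signature_scan(xor_bytes(body, key), signature)


def demo():
    """Three copies of the same malware under different keys."""
    copies = [polymorph(PAYLOAD, key) for key in (b"\x5a", b"\x13\x37", b"\xa1\xb2\xc3")]
    return {
        "distinct_copies": len(set(copies)),
        "original_hit": signature_scan(PAYLOAD),
        "static_hits": [signature_scan(c) for c in copies],
        "unpacked_hits": [unpack_and_scan(c) for c in copies],
    }
```

Note what the structural scanner is really matching: the decoder, which cannot change as freely as the body because it has to run. That is why signature authors shifted from bytes of the payload to the behaviour and shape of the unpacking code, and why the next step after that (metamorphic code that rewrites the decoder too) needs the pattern recognition the text calls for.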

6.2.3. Deep Packet Inspection


The more sophisticated defensive network inspection tools are called deep packet inspection (DPI) systems.
A conventional IDS looks at flow records and matches packet content against malware signatures. DPI
systems look more closely at the packets and at how they fit into known protocols. This allows them to
identify whether a traffic stream is encrypted, whether it is real time (e.g. audio/video), whether it is command and control
information, or just a web page. The purpose of a DPI system is to look at traffic streams and infer as much
as possible about them (the metadata). Computers and networks operate according to
known protocols; they must follow these if they are to communicate with each other. DPI
systems look at the network traffic and identify what protocol/language the parties are speaking, where in the
conversation they are, and who is talking. If the data is unencrypted it will also be able to understand
what is being said. The real power of DPI systems is not just in the ability to understand a
conversation, but in recording that information in a database and using sophisticated analytical techniques
to look for patterns and anomalies. Due to the complexity and variability of the data, human analysis is
almost always required, and clever visualization and rendering applications are needed to help analysts
identify what they are looking at.
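"What protocol are they speaking" is decided from the first bytes a client sends, not from the port number. The following classifier is an added example, not code from the original paper: it recognises an HTTP request (and pulls out the Host header), a TLS ClientHello record, an SSH banner and a DNS query by their wire formats, and falls back to a byte-entropy measure to label a stream it cannot parse as opaque (encrypted or compressed) rather than unknown. The sample streams are constructed, not captured, and the TLS sample is only the record header plus the start of the hello; a production DPI engine would continue into the handshake to extract the server name (SNI), which is the "who is talking" the text mentions.

```python
import hashlib
import math
import re

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")


def entropy(data):
    """Shannon entropy in bits per byte; encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def dns_qname(msg, offset=12):
    """Decode the question name of a DNS message, or None if it is malformed."""
    labels = []
    while offset < len(msg):
        n = msg[offset]
        offset += 1
        if n == 0:
            # the name must be followed by QTYPE and QCLASS (4 bytes)
            return ".".join(labels) if labels and offset + 4 <= len(msg) else None
        if n > 63 or offset + n > len(msg):
            return None
        labels.append(msg[offset:offset + n].decode("ascii", errors="replace"))
        offset += n
    return None


def classify(payload):
    """Return (protocol, metadata) from the first bytes a client sends.
    Checks run from most to least specific so the loose heuristics come last."""
    m = HTTP_REQUEST.match(payload)
    if m:
        host = re.search(rb"\r\nHost: ([^\r\n]+)", payload)
        return "http", {"method": m.group(1).decode(), "path": m.group(2).decode(),
                        "host": host.group(1).decode() if host else None}
    # TLS record: content type 0x16 (handshake), version 3.x, handshake type 1 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls", {"record_version": f"3.{payload[2]}", "handshake": "ClientHello",
                       "record_len": int.from_bytes(payload[3:5], "big")}
    if payload.startswith(b"SSH-"):
        return "ssh", {"banner": payload.split(b"\r\n")[0].decode(errors="replace")}
    if len(payload) >= 64 and entropy(payload) > 7.0:
        return "opaque", {"entropy": round(entropy(payload), 2)}
    # DNS query: QR bit clear, standard opcode, exactly one question that parses
    if (len(payload) >= 17 and payload[2] & 0xF8 == 0
            and int.from_bytes(payload[4:6], "big") == 1):
        qname = dns_qname(payload)
        if qname:
            return "dns", {"qname": qname}
    return "unknown", {}


# Constructed sample streams (not captured traffic).
SAMPLES = {
    "web": b"GET /login HTTP/1.1\r\nHost: bank.example\r\nUser-Agent: x\r\n\r\n",
    "tls": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(range(32)),
    "ssh": b"SSH-2.0-OpenSSH_5.9\r\n",
    "dns": (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
            b"\x04bank\x07example\x00\x00\x01\x00\x01"),
    # deterministic high-entropy bytes standing in for an encrypted stream
    "c2": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64)),
}


def classify_all(samples=SAMPLES):
    return {name: classify(data) for name, data in samples.items()}
```

The order of the checks matters more than it looks: the DNS test is loose enough that an HTTP request or an SSH banner would satisfy it, so it runs only after the exact parsers have had their turn, and the entropy test runs before it so that ciphertext that happens to have the right header bits is not mistaken for a query.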

6.3. Analyze Network Activity


Network monitors are the police force of a network, constantly looking at activity for anything suspicious,
such as late night connections to servers in Russia, or short periodic encrypted transmissions to similar
port numbers at different locations. And just like a police force they are divided into two camps, those that
are on the street looking for crime in progress, and those back in the office going over evidence looking
for an attack or analyzing a successful one.


6.3.1. Situational Awareness


There are plenty of viruses and malware in existence that have yet to be classified and have a signature
produced, and there is more and more sophisticated malware for which signatures may never be
produced. Therefore, instead of looking for exact pieces of malware, network activity analysis looks for
signs and indications of the presence of malware and of who might be infected. This type of monitoring and
analysis is mainly performed by statistical baselining and machine-learning techniques: they look at large volumes of
historical data, build a model of what is considered normal, and then look for instances
where something abnormal happens, or where something normal fails to happen. This can be done on a
very large enterprise and carrier scale, or on a small LAN/computer scale. Due to the increase in
sophistication of attacks and malware, there is a corresponding increase in the demand for, and
innovation in, situational awareness intelligence gathering systems.
Due to the large and varied input these systems collect, there needs to be a powerful database system
underlying them, and a powerful graphical interface to visualize and display all the information to an
analyst. Humans are still better at looking for signs of malware than computers, even if they are slower
at it. Therefore any situational awareness system will be judged on how easy and capable
the viewing and manipulation aspects of the analysis tool are, not just on what it can detect and record.
There are three basic steps that all network analysts follow when using network analysis systems:
look for patterns and anomalies; investigate and identify that information to see if it is an attack; and if
it is an attack, look to see how often it has occurred. This requires inspection of traffic, logging of
information, and analysis of that information. The inspection can look at the data being transmitted, the
traffic flows, the protocols used, historical information, or any combination of them.
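The flow records of section 5.8 and the baseline-and-anomaly analysis of this section fit together in one short pipeline, so the following serves both passages. It is an added example, not code from the original paper: packet records are aggregated into NetFlow-style flow records (who, to whom, which port, when, how many packets and bytes, and nothing of the content), then two of the patterns the paper names are run over them, the "short periodic transmissions" of a beaconing implant and a late-night connection to a destination never seen in the baseline. The packet records, addresses, timings and the baseline set are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

IDLE_TIMEOUT = 30.0     # seconds of silence that close a flow (a NetFlow "inactive timeout")


def build_flows(packets):
    """Aggregate (ts, src, dst, dport, nbytes) packet records into flow records:
    one record per (src, dst, dport) conversation with first/last time and
    packet and byte counts, but no payload."""
    open_flows, flows = {}, []
    for ts, src, dst, dport, nbytes in sorted(packets):
        key = (src, dst, dport)
        f = open_flows.get(key)
        if f is not None and ts - f["last"] > IDLE_TIMEOUT:
            flows.append(open_flows.pop(key))       # silence: close the old flow
            f = None
        if f is None:
            f = open_flows[key] = {"src": src, "dst": dst, "dport": dport,
                                   "first": ts, "last": ts, "packets": 0, "bytes": 0}
        f["last"], f["packets"], f["bytes"] = ts, f["packets"] + 1, f["bytes"] + nbytes
    flows.extend(open_flows.values())
    return sorted(flows, key=lambda f: f["first"])


def beacons(flows, min_flows=4, max_jitter=0.1):
    """Peers contacted at near-constant intervals. Jitter is the coefficient
    of variation of the gaps between flow starts."""
    starts = defaultdict(list)
    for f in flows:
        starts[(f["src"], f["dst"], f["dport"])].append(f["first"])
    hits = []
    for peer, ts in starts.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits.append({"peer": peer, "period_s": round(period, 1), "flows": len(ts)})
    return hits


def off_hours_new_peers(flows, baseline_peers, start_hour=8, end_hour=18):
    """Conversations with a destination absent from the baseline that start
    outside working hours (UTC here; a real deployment uses local time)."""
    hits = []
    for f in flows:
        hour = datetime.fromtimestamp(f["first"], tz=timezone.utc).hour
        if (f["src"], f["dst"]) not in baseline_peers and not (start_hour <= hour < end_hour):
            hits.append({"src": f["src"], "dst": f["dst"], "dport": f["dport"], "hour_utc": hour})
    return hits


# Constructed packet records (not captured traffic), starting 2012-05-14 09:00 UTC.
T0 = datetime(2012, 5, 14, 9, 0, tzinfo=timezone.utc).timestamp()


def _pkts(src, dst, dport, offsets, nbytes):
    return [(T0 + o, src, dst, dport, nbytes) for o in offsets]


PACKETS = (
    # implant on 10.0.0.7 checking in roughly every 600 s, two small packets each time
    _pkts("10.0.0.7", "203.0.113.9", 443,
          [0, 1, 598, 599, 1202, 1203, 1799, 1800, 2401, 2402, 3000, 3001], 160)
    # the same workstation browsing a web server at irregular times
    + _pkts("10.0.0.7", "198.51.100.20", 80, [30, 31, 33, 2500, 2504, 4100], 900)
    # a server opening an SSH session to an unfamiliar host at 23:00 UTC
    + _pkts("10.0.0.9", "192.0.2.44", 22, [14 * 3600, 14 * 3600 + 5], 640)
)
BASELINE_PEERS = {("10.0.0.7", "198.51.100.20")}   # what last month's flows said was normal


def analyse(packets=PACKETS, baseline=BASELINE_PEERS):
    flows = build_flows(packets)
    return {"flows": flows, "beacons": beacons(flows),
            "off_hours": off_hours_new_peers(flows, baseline)}
```

Both detectors are the "remove the hay" step, not a verdict: NTP, anti-virus updates and monitoring agents beacon just as regularly as an implant, so in practice the beacon list is compared against the baseline of known-regular peers and only the remainder goes to an analyst.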

6.4. Test Network Security


So far we have discussed the protection and policing aspects of cyber network defense. These are based
on a current knowledge of attacks, attackers and defensive capabilities. However, the environment and
attack space evolves over time, so periodically you need to refresh your knowledge. Penetration testing
provides a good way of reassessing your defensive capabilities and thus what attacks you are vulnerable
against.

6.4.1. Black, Grey and White Hat Hackers


Within the cyber security community the terms hacker and hacking do not have a malicious
connotation; they describe an action or capability rather than an intention. Hacking is just the
manipulation of a system so that it performs an unanticipated or unspecified action. Performing
unauthorized manipulation or destruction of a system is known as black hat hacking. Performing the
same actions only when authorized (e.g. after being hired to test a system) is known as white hat
hacking. However, the majority of hackers are people who like solving puzzles and figuring out
problems, and so sometimes end up hacking systems without authorization just to see if they
can; this unauthorized but non-malicious hacking is grey hat hacking.
In reality the majority of hackers are grey hat hackers, with the exception of a few dedicated black
hat ones.


6.4.2. Penetration Testing


Penetration testing is the act of deliberately trying to attack and defeat the network protections you
have in place; it is a red team exercise against your own system. It is normally performed by experienced
white or grey hat hackers, i.e. those who are very technical and adept at defeating cyber defenses.
They normally have a toolkit of exploits that they run against your system, searching for the weak link
in your armor.

6.4.3. Vulnerability Scanning


While penetration testing is very beneficial, it is not feasible or economical to perform it on a
continuous basis, and therefore vulnerability scanners are used. If penetration testing is pretending to
be a burglar and trying to get into your house, then vulnerability scanners are tools that go
around and test all the doors and windows to see if any of them are open. Vulnerability scanners are
deployed on most enterprise systems to ensure that any misconfigurations or vulnerabilities are
discovered as soon as possible. For instance, should an employee plug a Wi-Fi dongle into their
computer so they can connect their laptop, then the scanner should detect the presence
of that device and quickly notify the administrator.
Many of the tests that penetration testers run can then be rolled into the vulnerability scanning
software to ensure that your system isn't vulnerable to any known exploit. A scanner only finds what it
has been taught to look for, though.

6.5. The Exploit Wheel of Life


Not all vulnerabilities are known; in fact there are a great number of unknown or undisclosed
vulnerabilities in existence. The reason many vulnerabilities stay undisclosed is that once they are disclosed
they can be patched to stop them from being exploited, and their worth diminishes. There is a large black
market in undisclosed vulnerabilities, so companies such as Google try to combat this by offering rewards
for any vulnerability found in their software that is disclosed to them.
Many top security researchers and hackers have their own private store of exploits they have discovered
or been given, which they use as part of their penetration testing and research. The saying that it takes a thief to
catch a thief is very apt here! Some of these exploits could be simple, such as a software bug, or more
sophisticated, such as recovering part of an encryption key from the power consumption of a chip.

6.5.1. Virtual Task Forces and Information Exchanges


Most vulnerabilities do not exist in isolation: if a software coder made a mistake or used a
faulty bit of code at one point in the software, then chances are they made the same mistake elsewhere
as well. Knowledge and understanding of the current wave of known but undisclosed vulnerabilities
helps security researchers predict where more attacks of the same family are likely to target. This is
especially true of government researchers. Through their coordination and intelligence arms such as US-CERT
and the UK CPNI (as well as NSA/GCHQ), governments have a toolbox of undisclosed
vulnerabilities and situational awareness of attack vectors and families. Governments are therefore in a unique
position to provide industry with advance knowledge of potential attacks and to help develop
security patches and vulnerability scans to detect whether they can be exploited. This distribution of known
and potential vulnerabilities is normally done via an information exchange program such as a virtual
task force.


6.5.2. Virtuous Cycle


Once an attack has been disclosed, the affected software vendor can review their code, understand
the nature of the vulnerability and patch it so that it can't be exploited in the future. There is still a
period of time from when a patch is created until it is deployed in which a system is
vulnerable. Not everyone downloads and installs security patches in a timely manner, so security
researchers develop automated tools to take advantage of those exploits and fold them into
pen-testing and vulnerability scanning toolkits. Toolkits such as Metasploit automate many of these attacks,
and have easy to use interfaces, effectively allowing exploitation with the push of a button.
The virtuous cycle of cyber security is:
1. Software is deployed with a vulnerability
2. The vulnerability is discovered
3. An exploit is developed to take advantage of that vulnerability
4. The vulnerability is disclosed (either by a researcher or through analysis of a successful attack)
5. A patch is developed and sporadically deployed
6. An automated exploit is developed and rolled into pen-test/vulnerability scanning software
The earlier you know and understand the nature of the vulnerability, the sooner you can deploy a test
or attack. The same is true when looking at the evolving styles of attack; if you can see where
attackers are shifting their focus, then you can shift your defenses and tests accordingly. This is why
many of the top cyber security companies employ teams of security researchers and pen-testers.
Staying on top of new attacks allows them to develop better defenses.

Diagram 5: the exploit wheel of life. The cycle runs Deployed, Discovered, Exploited, Disclosed, Patched and back to Deployed; knowledge of attacks feeds penetration testing, and knowledge of defense feeds vulnerability scanners.

7.1. Growth Figures

Given that we have broken the network cyber security market into market segments, what are their sizes
and growths? Similar to the whole cyber security market, we can break the numbers obtained from Frost
and Sullivan, Forrester, Accenture and Pike Research reports into these market areas (Diagram X). There


is a health warning with these numbers: they are broad indications only, since specific and reliable numbers
are not available. The same is true for the growth figures; this is especially the case as they were
compiled prior to Stuxnet, U.S. Cyber Command and the widespread acceptance of state sponsored
attacks.

Diagram 6: network cyber security market segment sizes and growth.
Currently the protect level is worth the most due to the emphasis placed on encryption and certification.
Commerce cannot function without a reliable and addressable Internet; this is a necessity play more than
anything. Wide scale protection measures such as DNSSEC are still being rolled out, and authentication
measures are not yet widespread. This is reflected in the large protection market size, and once
these technologies are more widely adopted their growth will diminish. Just as the benefits of IDS and
DPI systems become more appreciated, the collection and intelligence markets will grow.
Currently there is a growing interest in the areas of defense and analysis. There are many reasons, from
reliability to national security and corporate espionage, to understand better what is happening on a
network. Data is required for analysis and therefore the collection/interception market is growing in
lockstep. These two markets will grow as understanding and acceptance of their relevance and
capabilities become more widespread. Just as governments have solicited the help of the general
populace to be vigilant for suspicious activity, network equipment (such as routers, switches etc.) will be
required to also monitor the network and provide data on it in addition to its day job. We are still very
much in the early days of fully appreciating and leveraging all the benefits and uses of the collection and
analysis systems, but what we can say is that there is a huge potential for growth in this field.
The collection elements are primarily based on hardware, and in the case of backbone monitoring, highly
specialized too. This type of functionality is likely to be standard in the intermediate future as these
capabilities are added to products. The analysis and policing, on the other hand, is primarily driven by
software/mathematical models and algorithms. These can be implemented on the collection hardware for
product differentiation, delivered as a standalone product, or even as a service. Here the intelligence of
the system and its effectiveness will be the differentiator.
Finally, active testing/attack is equally divided between the pen test service and the deployed
vulnerability scanning tools. These two market segments feed into each other constantly. Therefore many
of the companies that provide vulnerability scanning solutions also provide penetration testing services.
Uptake of active testing is slower in the enterprise markets compared with governments and militaries,
which regularly deploy them. This again is likely to change as this market segment is better understood
and appreciated.
As this market segment is the least understood, and still the province of IT specialists, there are many
sub-standard solutions being offered. The differentiation in this area is provided through the practitioners'
knowledge and skill rather than the tools they are using. Thus there is no guarantee that a large name cyber
company will have a better or more reliable pen testing department than a small company of independent
security researchers. In fact it is often the reverse.


7. Markets
8.1. Protection
This market is primarily made up of hardware suppliers such as Ultra AEP and Thales e-Security who
provide certification systems and hardware security modules. There are also a large number of VPN
providers, both for corporate and low classification level systems; however there is not much
differentiation here, as most companies are capable of providing IPsec/Suite B encrypted
tunneling. The real differentiation is in implementation, and that for the most part comes down to how they
protect their encryption and signing keys: are they factory-set, created on the device, or held in a hardware
security module?
There are currently no suppliers of high-grade secure routing equipment; instead the main routing
suppliers (Cisco, Juniper etc.) provide only IL3 protection, possibly IL4. This stems partly from historically low
customer demand. One of the main reasons involves the routers themselves: every router on the network
would need high-grade crypto and, if the network is international as with the Internet, this may not be
allowed. In these cases technologies such as IPsec are used instead.
Device protection, such as network authentication systems, is available from companies such as Yubico
and RSA. There are no clear market leaders, and many different companies specialize in different market
segments and customers. Inherently they all provide the same functionality: secure retention and
provision of certificate style authentication.

8.2. Defense/Interception
This market is certainly one in which there is differentiation, largely because there is such variety in the types of networks. There are many companies such as Astaro, Watchguard, Celestix Networks and Palo Alto Networks who provide fixed-IP, LAN-type, IDS-style collection devices and are primarily enterprise level. Other companies such as Objective Development, Norton and Zone Alarm provide home-level solutions.
Specific DPI solutions designed to protect against and look for instances of data leakage are provided by companies such as Deep Secure and Nexor. However, these types of solutions are primarily used to look at data going out (information loss), rather than data coming in (malware).
The term DPI refers to any system that inspects more than just the IP header of network traffic; the term does not distinguish systems in any other way. When evaluating a DPI solution there are a few variables to look for: firstly, is all traffic inspected or only sampled captures; secondly, does the system sit in-line with the network traffic or does it work from a copy; and thirdly, how complex/comprehensive can the inspection rule-set be, and how easily can new rule-sets be created and deployed.
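As an added example (not from the original paper or from any vendor it names), the following Python sketch makes those three variables concrete: a header-only filter beside a payload-inspecting rule engine, a tap mode that works from a copy versus an in-line mode that can drop, and a sampling interval that skips packets. The packets, rule names and addresses are constructed for the demo; the one "malware" signature used is the EICAR antivirus test string, which is a harmless test file, and the other rules look for cleartext credentials and an outbound data-leakage pattern, the defensive uses the text describes.

```python
"""Added example: a minimal DPI-style inspector over constructed packets.

Demonstrates the three evaluation variables from the text: full inspection
versus sampling, in-line (can drop) versus tap (works from a copy), and a
rule-set that looks past the IP/transport headers into the payload.
All packets, rules and names are constructed for this demo.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes


@dataclass
class Rule:
    name: str
    pattern: bytes               # regex applied to the payload bytes
    proto: str = "tcp"
    dport: Optional[int] = None  # None = any destination port


def header_filter(pkt: Packet, blocked_ports: set) -> bool:
    """A header-only device: it sees ports and addresses, never the payload."""
    return pkt.dport not in blocked_ports


def inspect(pkt: Packet, rules: List[Rule]) -> List[str]:
    """DPI step: return the names of every rule whose payload pattern matches."""
    hits = []
    for rule in rules:
        if rule.proto != pkt.proto:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        if re.search(rule.pattern, pkt.payload):
            hits.append(rule.name)
    return hits


def process(packets, rules, mode="tap", sample_every=1):
    """Run packets through the inspector.

    mode="tap":    inspector works from a copy; everything is forwarded, hits are logged.
    mode="inline": inspector sits in the path; packets with a hit are dropped.
    sample_every:  1 inspects every packet, n inspects only every n-th packet.
    Returns (forwarded packets, [(packet index, [rule names]), ...]).
    """
    forwarded, alerts = [], []
    for i, pkt in enumerate(packets):
        hits = inspect(pkt, rules) if i % sample_every == 0 else []
        if hits:
            alerts.append((i, hits))
            if mode == "inline":
                continue          # dropped, not forwarded
        forwarded.append(pkt)
    return forwarded, alerts


def sample_rules() -> List[Rule]:
    # Constructed rule-set: one test-file signature (the EICAR string),
    # one cleartext-credential check, one outbound data-leakage pattern.
    return [
        Rule("eicar-test-file", rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE", "tcp", 80),
        Rule("basic-auth-cleartext", rb"Authorization: Basic ", "tcp", 80),
        Rule("ssn-like-number", rb"\b\d{3}-\d{2}-\d{4}\b", "tcp", None),
    ]


def sample_packets() -> List[Packet]:
    # Constructed traffic; addresses are from documentation ranges.
    eicar = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    return [
        Packet("192.0.2.10", "198.51.100.5", "tcp", 80,
               b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
        Packet("192.0.2.10", "198.51.100.5", "tcp", 80,
               b"GET /admin HTTP/1.1\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"),
        Packet("192.0.2.11", "198.51.100.5", "tcp", 80,
               b"POST /upload HTTP/1.1\r\n\r\n" + eicar),
        Packet("192.0.2.10", "192.0.2.1", "udp", 53,
               b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
        Packet("192.0.2.12", "203.0.113.7", "tcp", 25,
               b"DATA\r\nSubject: export\r\n\r\nemployee 123-45-6789\r\n.\r\n"),
    ]


if __name__ == "__main__":
    for mode in ("tap", "inline"):
        fwd, alerts = process(sample_packets(), sample_rules(), mode=mode)
        print(mode, "forwarded", len(fwd), "alerts", alerts)
```

Running it shows the trade-offs the text lists: the header-only filter passes the packet carrying cleartext credentials because nothing in its ports or addresses is wrong; the tap forwards everything and only alerts; the in-line inspector forwards just the two clean packets; and inspecting every second packet silently misses the credential leak.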
One of the main niches is in backbone carrier interceptors and traffic analyzers. Backbones carry a vast amount of data, and therefore scalable solutions able to handle the traffic sizes are required. Narus is one such company that can provide multi-gigabit systems specifically designed to sit on backbone networks. Narus is a recognized leader in this sector, although there are other companies, such as CloudShield (provided by Portcullis), which can also operate at this level. Cisco also enables some of this technology to be performed within their routers, by exploiting their API framework. Obviously, to do any type of collection/interception the equipment must be able to get at the routed data, and therefore needs to sit with the routers.
Voice is an interesting subset of the backbone/LAN interceptors. There is no fundamental reason why
voice should be any different to other IP networks as the vast majority of phone calls are now routed as
packets across Internet backbones at some point. However the amount of meta-data you can obtain and
the analysis you can perform is more specialized. Specific probes and interception devices are available
from companies such as SOTECH/Zu industries to do exactly this. The major telecoms companies such
as AT&T also provide this capability, to meet existing wire-tap laws.

8.3. Analysis and Situational Awareness

This is a relatively new market in which it is very difficult to determine all of the differentiated companies and sectors. The main difficulty each solution has is in determining an anomaly, easily visualizing complex sets of information, and handling large volumes of data. Narus, through its partnership with Teradata, has the capability to record and handle large volumes of data, known as big data. However, there are other smaller companies, such as 21st Century Technologies, who can provide very sophisticated visualization and analytical tools.
One of the main differentiators in this market is the ability to receive and interpret a wide variety of different data streams. There is no standard protocol for collecting and distributing network data, and therefore analysis and visualization software must be compatible with a wide variety of devices; otherwise it will have limited effectiveness. For obvious reasons, stove-piped solutions should be, and are, avoided here.
In the enterprise arena the two main providers of data analysis and traffic flow analysis are Mandiant and HB Gary. These two companies offer similar types of solutions for looking at both traffic patterns and data packets for known signatures. If they are combined with storage systems then they have the capability to perform investigative analysis too.
One of the most popular products for use in investigative analysis by forensic teams is NetWitness. Their Investigator tool is the industry standard for network investigations and has the capability to be deployed for real-time analysis as well.
Finally, one of the largest and most widely regarded companies in the analysis space is Palantir. Palantir provides a very capable situational awareness and analysis product which allows investigators to search, mine and fuse multiple disparate data-centers together. Palantir appears to be the analysts' tool of choice for any large-scale (e.g. government) operations and analysis centre. As evidence of this, Palantir, in the 7 years since it was founded in 2004, has grown into a company with a turnover of $250 million.

8.4. Active Test

There are a few big names which produce vulnerability scanners for use in the enterprise and home markets; these include Nessus, Core Impact and Rapid7. Rapid7 is interesting because they use their Metasploit pen test product to help make their NeXpose vulnerability scanner better. QualysGuard also provides a software-as-a-service vulnerability scanning tool, which means that the bulk of the work, control and processing happens in the cloud.
In the pen testing market one must distinguish between the pen test frameworks, which provide the toolkits pen testers use, and the pen testing companies themselves. One of the most popular pen test toolkits is Metasploit by Rapid7, but Core Impact, ImmunitySec and w3af also produce popular ones.
As for actual pen test companies, there are a large number of them, normally staffed with ex-hackers or ex-government people. Due to the reliance on skilled personnel, it is difficult to differentiate companies. However, the U.K. Centre for the Protection of National Infrastructure recommends Portcullis as its pen test company of choice.
In the U.K. there are two schemes (Tiger and CREST) which can be used to obtain an independent assessment of penetration testing companies.
8. Growth Areas
Network cyber security is growing, both in terms of recognition and market size. There is recognition that cryptography can be used for more than just encrypting data traffic; it can be used to provide integrity and authentication to network operations. There is a large amount of innovation in the area of network policing and intelligence, and there is an opportunity to provide niche solutions for different industries such as critical infrastructure and military platforms (ships, aircraft, etc.). These systems are not enterprise/corporate-style architectures, and are not operated or relied upon in the same way. Therefore the solutions which work for the enterprise will require modification before being used in critical infrastructure or military platforms (safety being the primary reason).
Finally, within the active test level, the two largest attributes required for a successful penetration testing company are expertise and trust. Active testing constantly generates new protection ideas and methodologies as new vulnerabilities are discovered. This can be thought of as the research and technology development part of network cyber security, except that its activities are paid for by pen-test customers.
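The following Python block is an added example, not part of the original paper, illustrating the first growth area above: cryptography used for integrity and authentication of a network operation rather than for confidentiality. A constructed routing-update message is framed with a sequence number and an HMAC-SHA256 tag under a shared key (a placeholder value here), and the receiver rejects tampered, wrongly keyed and replayed frames. The frame layout, key and names are assumptions made for the demo, not a published protocol.

```python
"""Added example: cryptography for integrity and authentication, not secrecy.

A constructed "routing update" message is framed as
    4-byte big-endian sequence number || body || 32-byte HMAC-SHA256 tag
where the tag covers the sequence number and the body under a shared key.
The body travels in the clear (confidentiality is not the goal here); the
receiver checks the tag first and then enforces a strictly increasing
sequence number, because a MAC alone does not stop replay of an old but
genuine message. Key, frame layout and names are assumptions for this demo.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

TAG_LEN = 32                                           # HMAC-SHA256 output size
DEMO_KEY = b"placeholder-shared-key-for-demo-only"     # constructed; never reuse


def sign_message(key: bytes, seq: int, body: bytes) -> bytes:
    """Sender side: prepend seq and append an HMAC over seq||body."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


class Receiver:
    """Receiver side: verifies authenticity/integrity, then freshness."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def verify(self, frame: bytes) -> Tuple[Optional[bytes], str]:
        if len(frame) < 4 + TAG_LEN:
            return None, "short"
        header, body, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # constant-time comparison avoids leaking how many tag bytes matched
        if not hmac.compare_digest(tag, expected):
            return None, "bad-mac"
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_seq:
            return None, "replay"
        self.last_seq = seq
        return body, "ok"


def demo() -> list:
    """Walk a receiver through genuine, tampered, wrong-key and replayed frames."""
    rx = Receiver(DEMO_KEY)
    body = b'{"route":"10.0.0.0/8","next_hop":"192.0.2.1"}'   # constructed update
    genuine = sign_message(DEMO_KEY, 1, body)
    results = [rx.verify(genuine)[1]]              # "ok"

    tampered = bytearray(genuine)
    tampered[8] ^= 0x01                            # flip one bit inside the body
    results.append(rx.verify(bytes(tampered))[1])  # "bad-mac": integrity failure

    forged = sign_message(b"some-other-key", 2, body)
    results.append(rx.verify(forged)[1])           # "bad-mac": not our peer's key

    results.append(rx.verify(genuine)[1])          # "replay": seq 1 already accepted
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the tag is verified before the sequence number is read, so an unauthenticated frame can never advance the receiver's replay window, and the comparison uses hmac.compare_digest rather than == so that verification time does not depend on how many tag bytes happen to match.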
In summary, within network cyber security I would recommend the following strategic directions:
1. Develop the use of cryptography beyond data protection
2. Develop critical infrastructure and/or military platform policing and analytic solutions
3. Enhance knowledge and awareness in the cyber security space through penetration testing

9. 3eTI's CyberFence Solutions

Part of 3eTI's strategy remains focused on ensuring that their products and solutions provide defensive capabilities; engaging a threat directly may not necessarily be the most effective way of combating attacks. An effective solution ensures networks are invisible, as well as building networks and monitoring attacks. 3eTI's CyberFence solutions use their proprietary DarkNode technology that cloaks the presence of sensitive systems, making systems impervious to hacking, pinging or other compromise. Designed for voice, video and data, 3eTI's secure network solutions ensure compliance with DoD information assurance and cyber security directives. Their solutions also offer flexible multi-role integrated platforms that can be fitted with additional sensors, communications and weapon suites to meet additional operational roles and capabilities, operating in vast environments and over multiple frequencies simultaneously.
3eTI is part of the Ultra Electronics Group, an internationally successful defense, security, transport and energy company with a long, consistent track record of development and growth. It is with this pedigree that Ultra is able to offer products and services in both the defensive cyber component and the offensive exploitation and penetration testing component. Ultra is committed to providing a broad range of specialized security capabilities that are innovative and valued by its customers. Its differentiator is deep technical innovation and agility combined with the ability to integrate and scale the unique solutions it provides.
www.ultra-3eti.com