CYBER SECURITY
Lecture 07 – Good Practices
FIREWALLS
› While internet access provides benefits to the organization, it also enables the outside world to reach and interact with local network assets. This creates a threat to the organization.
› The firewall is inserted between the premises network and the internet to establish a controlled link and to erect an outer security wall or perimeter. The aim of this perimeter is to protect the premises network from internet-based attacks and to provide a single choke point where security and audit can be imposed.
› There are two commonly used organizational firewall policies: Deny everything and Allow everything.
› All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various types of firewalls are used, which implement various types of security policies.
› Firewalls use four techniques to control access and enforce the site's security policy:
› Service control – determines the types of internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address and TCP port number.
› Direction control – determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
› User control – controls access to a service according to which user is attempting to access it.
› Behavior control – controls how particular services are used.
Limitations of Firewalls
› The firewall cannot protect against attacks that bypass the firewall.
› The firewall does not protect against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
› The firewall cannot protect against the transfer of virus-infected programs or files.
Virtual Private Networks (VPNs)
› A virtual private network, or VPN, is an encrypted connection over the Internet from a device to a network. The encrypted connection helps ensure that sensitive data is transmitted safely; it prevents unauthorized people from eavesdropping on the traffic and allows the user to work remotely.
› Remote access: a remote-access VPN securely connects a device outside the corporate office to the corporate network.
› Site-to-site: a site-to-site VPN connects the corporate office to branch offices over the Internet.
Proxy Servers
› A proxy server acts as a gateway between you and the internet. It is an intermediary server separating end users from the websites they browse.
› Proxy servers provide varying levels of functionality, security, and privacy depending on your use case, needs, or company policy.
› Proxy servers can act as a firewall and web filter, provide shared network connections, and cache data to speed up common requests.
› When the proxy server forwards your web requests, it can make changes to the data you send and still return the information you expect to see. A proxy server can change your apparent IP address, so the web server does not know exactly where you are in the world.
ADVANTAGES OF PROXIES
› To control internet usage of employees and children: organizations and parents set up proxy servers to control and monitor how their employees or children use the internet. They can also monitor and log all web requests.
› Bandwidth savings and improved speeds: organizations can also get better overall network performance with a good proxy server. Proxy servers can cache.
› Privacy benefits: individuals and organizations alike use proxy servers to browse the internet more privately. Some proxy servers change the IP address and other identifying information that the web request contains.
› Improved security: proxy servers provide security benefits on top of the privacy benefits. You can configure your proxy server to encrypt your web requests to keep prying eyes from reading your transactions. Additionally, organizations can couple their proxy server with a virtual private network (VPN), so remote users always access the internet through the company proxy.
Access Control
› Following a successful logon, the user has been granted access to one host or application, or to a set of them. This is generally not sufficient for a system that includes sensitive data in its database. Through the user access control procedure, a user can be identified to the system.
› The database management system, however, must control access to specific records or even portions of records. Whereas the operating system may grant a user permission to access a file or use an application, after which there are no further security checks, the database management system must make a decision on each individual access attempt.
› The basic elements of the access control model are: subject, object and access right.
Intrusion Detection
› Intrusion detection (ID) is a new technology that detects the characteristic signatures of software used in cyber-attacks. The detection software uses the signatures to determine the nature of the attacks.
› Intrusion detection operates on network traffic entering or already within the network. Designers of ID tools believe that anomalies in the traffic will make it possible to distinguish between intruders and legitimate users of the network.
› Signatures of known attacks usually involve one of three common types: strings, ports, and packet headers.
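The service and direction controls from the firewall section above, and the three signature types (strings, ports, packet headers) from the intrusion-detection bullets, as one added example that is not part of the lecture. Packets are plain records, and the addresses, rules and signatures are constructed for illustration only. The deny-everything policy is the default; the allow-everything policy is selected with `default="allow"`. The IDS part is a silent listener, as the lecture describes: it raises alerts but never changes the firewall's decision.

```python
"""Added example (not from the lecture): a first-match packet filter with a
default policy, plus string/port/header signature matching on the same packets.
All addresses, rules, signatures and sample packets are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (internet -> premises) or "out" (premises -> internet)
    src_ip: str
    dst_ip: str
    dst_port: int
    flags: str       # TCP flags as letters, e.g. "S" = SYN, "SF" = SYN+FIN
    payload: bytes


# Service + direction control: (direction, destination IP or "*", dst port, action).
# Ordered list, first match wins; anything unmatched falls through to the default.
RULES = [
    ("in",  "10.0.0.25", 443, "allow"),   # inbound HTTPS to the public web server only
    ("out", "*",         443, "allow"),   # outbound HTTPS from any internal host
    ("out", "*",          53, "allow"),   # outbound DNS
]

# One signature of each kind named in the lecture (constructed values).
SIGNATURES = [
    {"name": "string: directory traversal marker", "kind": "string", "match": b"../../"},
    {"name": "port: telnet on the perimeter",       "kind": "port",   "match": 23},
    {"name": "header: SYN-FIN flag combination",    "kind": "header", "match": "SF"},
]


def filter_packet(pkt, rules=RULES, default="deny"):
    """Return 'allow' or 'deny' for one packet.
    default='deny' is the deny-everything policy, default='allow' the allow-everything one."""
    for direction, dst_ip, port, action in rules:
        if direction != pkt.direction:
            continue
        if dst_ip != "*" and dst_ip != pkt.dst_ip:
            continue
        if port != pkt.dst_port:
            continue
        return action
    return default


def match_signatures(pkt, signatures=SIGNATURES):
    """Return the names of every signature the packet matches (empty list if none)."""
    hits = []
    for sig in signatures:
        if sig["kind"] == "string" and sig["match"] in pkt.payload:
            hits.append(sig["name"])
        elif sig["kind"] == "port" and sig["match"] == pkt.dst_port:
            hits.append(sig["name"])
        elif sig["kind"] == "header" and sig["match"] == pkt.flags:
            hits.append(sig["name"])
    return hits


# Constructed sample traffic (documentation address ranges, nothing real).
SAMPLE_TRAFFIC = [
    Packet("in",  "203.0.113.7", "10.0.0.25",    443, "S",  b"GET /index.html"),
    Packet("in",  "203.0.113.7", "10.0.0.25",     23, "S",  b""),
    Packet("out", "10.0.0.12",   "198.51.100.3", 443, "S",  b""),
    Packet("in",  "203.0.113.9", "10.0.0.25",    443, "SF", b""),
    Packet("in",  "203.0.113.9", "10.0.0.25",    443, "PA", b"GET /../../config"),
    Packet("in",  "203.0.113.9", "10.0.0.40",     22, "S",  b""),
]


def inspect(traffic, default="deny"):
    """Firewall decision followed by IDS signature check for each packet.
    Returns a list of (decision, alerts); the alerts never alter the decision."""
    return [(filter_packet(p, default=default), match_signatures(p)) for p in traffic]


if __name__ == "__main__":
    for pkt, (decision, alerts) in zip(SAMPLE_TRAFFIC, inspect(SAMPLE_TRAFFIC)):
        print(f"{pkt.direction:3} {pkt.src_ip:>13} -> {pkt.dst_ip}:{pkt.dst_port:<4} "
              f"{decision:5} alerts={alerts}")
```

Note what the run shows: with the deny-everything policy, the telnet and SSH packets are dropped because no rule admits them, while the SYN-FIN packet and the traversal payload are admitted by the HTTPS rule and only surface as IDS alerts. Switching the default to "allow" admits everything not explicitly listed, which is why the lecture's deny-everything policy is the safer starting point.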
› We distinguish two main classes of IDS: host-based IDS and network-based IDS.
Host-Based Intrusion Detection Systems
› Host-based intrusion detection system (HIDS) techniques focus on the network server, monitoring the specific user and application traffic handled by that server.
› A HIDS is actually tracking log files and auditing traffic in and out of this one machine.
› Besides tracking in and out traffic, HIDS also check the integrity of system files and watch the activities of all processes on the machine for abnormal process behavior.
Advantages/Disadvantages of HIDS
› The ability to verify the success or failure of an attack quickly. Because they log continuing events that have actually occurred, HIDS have information that is more accurate and less prone to false positives.
› Low-level monitoring. Because HIDS monitor at a local host, they are able to "see" low-level local activities such as file accesses, changes to file permissions, attempts to install new executables, attempts to access privileged services, and changes to key system files and executables.
› Cost effectiveness. Because no additional hardware is needed to install HIDS, there may be great savings for the organization.
› HIDS have a myopic viewpoint. Since they are deployed at a host, they have a very limited view of the network.
› Since HIDS are close to users, they are more susceptible to illegal tampering.
Network-Based Intrusion Detection Systems
› NIDS are network sensors configured to monitor all network traffic, including traffic on the communication media and on all network servers and firewalls.
› They monitor the traffic on the network to detect intrusions. They are responsible for detecting anomalous, inappropriate, or other data occurring on a network that may be considered unauthorized and harmful.
› While a NIDS also captures and inspects every packet destined for the network, regardless of whether it is permitted or not, it is a silent listener, acting only by generating an alert if the packet signature, based on the contents of the packet, is not among the acceptable signatures.
Advantages/Disadvantages of NIDS
› The ability to detect attacks that a host-based system would miss, because NIDS monitor network traffic at the transport layer.
› Difficulty removing evidence. Because NIDS run on dedicated machines that are routinely protected, it is more difficult for an attacker to remove evidence than it is with HIDS, which are near or at the attacker's desk.
› Blind spots: deployed at the borders of an organization's network, NIDS are blind to the whole inside network.
› Encrypted data: one of the major weaknesses of NIDS concerns encrypted data. They have no capability to decrypt encrypted data; they can only scan the unencrypted parts of packets, such as headers.
Forensics
› Forensics, in this context, refers to finding and extracting forensic artifacts from a computer's physical memory.
› While a system is on, random access memory (RAM) contains critical information about the current state of the system. By capturing an entire copy of RAM and analyzing it on a separate computer, it is possible to reconstruct the state of the original system, including the applications the user was running and the files or network connections that existed at the time.
› This generally involves, but is not limited to, the following analysis: finding hidden processes, memory/CPU usage, bandwidth consumption, etc.
Others
› Encryption/Decryption (Cryptography): the concept of hiding messages is as old as humanity itself. A method of hiding or disguising messages is called a cryptosystem. A cryptosystem is a collection of algorithms; messages are disguised using these algorithms. Each algorithm has a key used to decrypt the message encrypted using that algorithm.
› Malware Detection: a virus detection program, commonly called an antivirus program, is a software program that monitors or examines a system, including its data and program files, for the presence of viruses. Antivirus programs use a number of techniques to detect a virus at whatever stage it is in; such techniques include detecting virus signatures, file length, checksums, and symptoms.
› Mass Moral and Ethics Education: perhaps one of the most viable tools to prevent and curb illegal cyberspace activities, we believe, is mass moral and ethics education. This strong belief in the value of teaching morals and ethics to all computer users explains and justifies its inclusion here.
› Frequent auditing, checks and scans: another good and common practice involves doing frequent checks and scans on the different network nodes or systems for any abnormal or unusual activity. This could be done at a frequency decided by the network administrator; some activities may require more frequent checks, while others may be performed less frequently.
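The system-file integrity check that the HIDS section attributes to host-based sensors, which is also the "file length" and "checksum" technique listed under malware detection above, as an added example that is not part of the lecture. The monitored directory and every file in it are constructed inside a temporary directory, so nothing on the real host is read or changed; the file names and the tampering steps are illustrative only.

```python
"""Added example (not from the lecture): baseline-and-compare file integrity
monitoring, recording both file length and a SHA-256 checksum per file.
The 'system' directory, its files and the tampering are all constructed."""
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Map each file under root (path relative to root, '/'-separated) to (length, sha256)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (os.path.getsize(full), file_digest(full))
    return baseline


def compare(baseline, current):
    """Report what changed since the baseline.
    Length is the cheap signal; the checksum catches same-length edits
    (a single patched byte leaves the length unchanged)."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added":    sorted(p for p in current if p not in baseline),
        "removed":  sorted(p for p in baseline if p not in current),
    }


def demo():
    """Build a constructed system directory, baseline it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        # Constructed "system files": a key executable, a config file, a banner.
        with open(os.path.join(bin_dir, "login"), "wb") as f:
            f.write(b"ORIGINAL LOGIN BINARY")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0\n")
        with open(os.path.join(root, "motd"), "wb") as f:
            f.write(b"welcome\n")
        baseline = take_baseline(root)

        # Constructed tampering: same-length edit of the executable (length check
        # alone would miss it), a new executable dropped in, a file deleted.
        with open(os.path.join(bin_dir, "login"), "wb") as f:
            f.write(b"ORIGINAL LOGIN BINARX")
        with open(os.path.join(bin_dir, "newtool"), "wb") as f:
            f.write(b"unexpected executable")
        os.remove(os.path.join(root, "motd"))

        return compare(baseline, take_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

The baseline would in practice be stored somewhere the monitored host cannot rewrite, which is exactly the tampering concern the HIDS disadvantages above raise: a sensor that keeps its own reference data on the host it watches can be edited along with the files it is meant to protect.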