Cybersecurity 3 Feb

The document outlines various cybersecurity concepts, including the Attribute-Based Access Control (ABAC) algorithm, malware detection and prevention algorithms, and network segmentation techniques. It emphasizes the importance of the least privilege principle in minimizing security risks and details firewall capabilities, limitations, and types. Additionally, it discusses the advantages and weaknesses of packet-filtering firewalls in network security management.

Cyber Security
Dr. Uddipana Dowerah
ABAC Algorithm Steps
Input: User request R, ABAC policy P_abac, user attributes U, resource attributes Res.
Output: Access granted or denied.
Step 1: Extract attributes: {U.role, U.dept, U.security_level, ...} and {Res.type, Res.sensitivity_level, ...}.
Step 2: Match user attributes against policy:
    If (U.dept = P_abac.dept) ∧ (U.security_level ≥ Res.sensitivity_level) ⇒ Grant Access
Step 3: Evaluate any additional conditions defined in P_abac:
    If ∀i (U.attribute_i = P_abac.attribute_i) ⇒ Grant Access
Step 4: Log access request and decision.
Step 5: If denied, notify security monitoring system.
Scenario Setup
• User Request (R): Bob attempts to access a confidential file.
• User Attributes (U):
➢ Name: Bob
➢ Role: Manager
➢ Department: IT
➢ Security Level: 6
• Resource Attributes (Res):
➢ Resource Name: confidential file.txt
➢ Resource Type: File
➢ Sensitivity Level: 5
➢ Location: Internal Server
• ABAC Policy (P_abac):
➢ Required Department: IT
➢ Minimum Security Level: 5
➢ Additional Condition: User role must be Manager or above
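The five ABAC steps applied to the Bob scenario, as an added Python example that is not part of the slides; the `ROLE_RANK` ordering used to decide "Manager or above" and the `Policy` and `Audit` helpers are assumptions made here.

```python
# Added example, not from the slides: a minimal evaluator for the five ABAC
# steps above, run against the Bob scenario. ROLE_RANK is an assumed ordering.
from dataclasses import dataclass, field

ROLE_RANK = {"Employee": 1, "Manager": 2, "Director": 3}  # assumed ordering

@dataclass
class Policy:
    dept: str                # required department
    min_security_level: int  # minimum clearance required by the policy
    min_role: str            # additional condition: this role or above

@dataclass
class Audit:
    entries: list = field(default_factory=list)  # Step 4: every request and decision
    alerts: list = field(default_factory=list)   # Step 5: denials sent to monitoring

def evaluate(user: dict, res: dict, policy: Policy, audit: Audit) -> tuple:
    # Step 1: extract the attributes the policy reasons about
    dept, level, role = user["dept"], user["security_level"], user["role"]
    sensitivity = res["sensitivity_level"]
    # Step 2: department must match and clearance must cover the resource
    if dept != policy.dept:
        granted, reason = False, f"department {dept} is not {policy.dept}"
    elif level < sensitivity:
        granted, reason = False, f"security level {level} below sensitivity {sensitivity}"
    # Step 3: additional conditions defined in P_abac
    elif level < policy.min_security_level:
        granted, reason = False, f"security level {level} below policy minimum"
    elif ROLE_RANK.get(role, 0) < ROLE_RANK[policy.min_role]:
        granted, reason = False, f"role {role} is below {policy.min_role}"
    else:
        granted, reason = True, "all policy conditions satisfied"
    # Step 4: log the request and decision; Step 5: notify monitoring on denial
    audit.entries.append((user["name"], res["name"], granted, reason))
    if not granted:
        audit.alerts.append(f"DENIED {user['name']} -> {res['name']}: {reason}")
    return granted, reason

# Scenario from the slides (attribute values as given there)
BOB = {"name": "Bob", "role": "Manager", "dept": "IT", "security_level": 6}
CONFIDENTIAL = {"name": "confidential file.txt", "type": "File",
                "sensitivity_level": 5, "location": "Internal Server"}
P_ABAC = Policy(dept="IT", min_security_level=5, min_role="Manager")

if __name__ == "__main__":
    audit = Audit()
    print(evaluate(BOB, CONFIDENTIAL, P_ABAC, audit))  # (True, 'all policy conditions satisfied')
```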
Malware: Detection and Prevention Algorithms

Detection Algorithms:
• Signature-Based Detection
• Heuristic-Based Detection
• Behavioral-Based Detection
• Anomaly-Based Detection
• Sandboxing
• Static Code Analysis

Prevention Algorithms:
• Signature-Based Prevention
• Behavioral Prevention
• Network-Based Prevention
• Patch Management
• Access Control
• Network Segmentation
• Least Privilege Principle
Network Segmentation
• Network segmentation involves partitioning a network into smaller networks called subnets, to improve security and performance.

• Prevents unauthorized users from accessing sensitive data. It also helps limit the spread of malware.

• Involves partitioning a physical network into different logical sub-networks.

• Once the network has been subdivided into smaller, more manageable units, controls are applied to the individual, compartmentalized segments.
Network Segmentation: Benefits
• Network segmentation provides unique security services per network segment, delivering more control over network traffic and optimizing network performance.

• It provides better security by splitting a large network into smaller subnets, thereby reducing the attack surface. Thus, if the network perimeter is breached, network segments prevent attackers from moving laterally throughout the network.

• Segmentation provides a logical way to isolate an active attack before it spreads across the network. For example, segmentation ensures malware in one segment does not affect systems in another.

• Reduces network congestion, which improves network performance by removing unnecessary traffic in a particular segment.
Network Segmentation Technologies
1. Virtual Local Area Networks (VLAN)

• VLANs split networks into smaller segments in which all devices are virtually connected to each other as if they were in the same LAN.

• Separates traffic based on logical groupings, rather than physical location.

• With VLANs, network administrators can segment the network by department, function, or project, without adding any physical hardware.
2. Firewalls

• Can be used to create a barrier between different segments of the network, allowing traffic to flow only to authorized destinations.

• Separating finance applications from human resources applications is a widespread example of firewall segmentation.

• Firewalls can be hardware-based or software-based, and they can be deployed at various points in the network, from the perimeter to the endpoint.
3. Network Access Control (NAC)

• Refers to using NAC technology to create distinct network segments by controlling which devices can access specific parts of the network.

• NAC ensures that only users who are authenticated and devices that are authorized and compliant with security policies can enter the network.

• NAC can be used to segment the network based on user identity, device type, or other criteria.

• Can be implemented through Access Control Lists (ACLs).
4. Software-Defined Networking (SDN)

• Refers to the practice of dividing a network into smaller, isolated segments using software-based controls.

• Allows for more granular management of network traffic and security policies, typically through a centralized controller, rather than relying solely on traditional hardware-based methods like VLANs.

• Enables flexible and dynamic network segmentation through software, improving security and operational efficiency by isolating different parts of the network based on application, user, or security needs.
Least Privilege Principle
• The principle of least privilege, also called "least privilege access," is the
concept that a user should only have access to what they absolutely need
in order to perform their responsibilities, and no more.

• The more a given user has access to, the greater the negative impact if
their account is compromised or if they become an insider threat.

• Organizations that follow the principle of least privilege can improve their
security posture by significantly reducing their attack surface and risk of
malware spread.
Least Privilege Principle: Benefits
• Minimizes the attack surface, diminishing avenues a malicious actor can use to
access sensitive data or carry out an attack by protecting superuser and
administrator privileges.

• Reduces malware propagation by not allowing users to install unauthorized applications. The principle of least privilege also stops lateral network movement that can launch an attack against other connected devices by limiting malware to the entry point.

• Improves operational performance with reductions in system downtime that might otherwise occur as a result of a breach, malware spread or incompatibility issues between applications.

• Safeguards against human error that can happen through mistake, malice or
negligence.
Firewalls

[Slides "Firewall Policies", "Firewall Policies: Approaches" and "Firewall Characteristics": content not captured in this extraction]

Firewall Capabilities and Limitations
Inability to detect all types of attacks
• Firewalls defend against specific attacks, such as packet filtering, port
scanning, and DoS (Denial of Service). However, they might be unable to
identify more complex attacks like social engineering attacks, and zero-day
vulnerabilities.

Inability to protect against internal threats
• Firewalls can stop external threats but not internal attacks. An authorized employee may inadvertently or purposefully breach network security.

Limited protection against malware
• By applying signature-based detection techniques, firewalls may stop known malware from accessing the network. However, they might not be able to recognize unknown malware that has yet to develop a signature.
Types of Firewall

• Packet Filtering Firewall
• Stateful Inspection Firewall
• Application-Level Gateway
• Circuit-Level Gateway
Packet Filtering Firewall
• Applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.

• Packet filters usually permit or deny network traffic based on:
➢ Source and destination IP addresses
➢ Protocol: session and application protocols that are used to transfer data (TCP, UDP, or ICMP)
➢ Source and destination ports and ICMP types and codes
➢ Flags in the TCP header, such as whether the packet is a connect request
➢ Direction (inbound or outbound)
➢ Which physical interface the packet is traversing

• Two default policies:
➢ Default-deny
➢ Default-allow
Packet Filtering Firewall
• It examines access control lists (ACLs) to separate packets based on upper-layer protocol ID, source and destination port numbers, source and destination IP addresses, and packet transmission route.

• The firewall looks for information in the IP, TCP, or UDP headers and then decides whether to allow or block the packet based on the ACL.

• Whether a packet passes depends entirely on the packet filtering firewall's decision: it filters packets based on the security rules configured into the firewall.
Packet Filtering Firewall

Example 1
Suppose we want to allow inbound mail (SMTP, port 25) but only to our gateway machine. Also suppose that mail from some particular site SPIGOT is to be blocked.
Packet Filtering Firewall

Example 2
This packet filtering rule allows any host inside the network (internal) to send email (SMTP) to an external SMTP server.

There is a problem with this rule!

Packet Filtering Firewall
• Port 25 is just a default for SMTP. While it's commonly used for email, any machine (especially an attacker's) can configure port 25 for a different service (e.g., malware communication).

• The firewall rule does not differentiate between legitimate SMTP traffic and potential misuse.

• An attacker can manipulate the source port.

• The rule assumes that only outgoing connections to port 25 matter.
• But an external attacker can craft a malicious packet where the TCP source port is 25 and send it into the network.
• Since the rule allows TCP packets with port 25, the firewall might mistakenly allow the malicious packet in.
Packet Filtering Firewall

Outgoing SMTP Traffic (Internal to External) is Allowed
• If the source IP address is from a designated internal host and the destination TCP port is 25, allow it.
• This ensures that only specific internal hosts can send emails externally.

Incoming SMTP Responses (External to Internal) are Controlled
• If a packet is coming from an external server, it must have:
➢ A source port of 25 (indicating it's coming from an SMTP server).
➢ The ACK flag set (proving that it is a response to an already established outgoing connection).
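The Example 2 rule beside the tightened rules described above, as an added Python example that is not part of the slides; the `GATEWAY` host, the internal address prefix and the packets are constructed assumptions, and the filter itself is a simplified first-match, default-deny model.

```python
# Added example, not from the slides: a first-match, default-deny packet filter
# used to compare the Example 2 SMTP rule with the tightened rules (designated
# host, source port 25, ACK set). Addresses and packets are constructed.
GATEWAY = "10.0.0.25"   # assumed designated internal mail host
INTERNAL = "10.0.0."    # assumed internal address prefix

def matches(rule: dict, pkt: dict) -> bool:
    """Every field the rule names must match; a callable field is a predicate,
    and 'flags' means all listed TCP flags must be set in the packet."""
    for key, want in rule.items():
        if key == "action":
            continue
        have = pkt.get(key)
        if key == "flags":
            if not set(want) <= set(have or ()):
                return False
        elif callable(want):
            if not want(have):
                return False
        elif have != want:
            return False
    return True

def filter_packet(rules: list, pkt: dict) -> str:
    for rule in rules:          # first matching rule decides
        if matches(rule, pkt):
            return rule["action"]
    return "deny"               # default-deny when no rule matches

def is_internal(ip): return bool(ip) and ip.startswith(INTERNAL)

# Example 2 as written: internal hosts may send to port 25, and any inbound TCP
# packet whose source port is 25 is let in (the problem the slides point out)
WEAK_RULES = [
    {"direction": "out", "proto": "tcp", "src": is_internal, "dst_port": 25, "action": "allow"},
    {"direction": "in", "proto": "tcp", "src_port": 25, "action": "allow"},
]
# Tightened: only the gateway talks SMTP, and inbound port-25 traffic must be
# a reply (ACK set) addressed to the gateway
TIGHT_RULES = [
    {"direction": "out", "proto": "tcp", "src": GATEWAY, "dst_port": 25, "action": "allow"},
    {"direction": "in", "proto": "tcp", "dst": GATEWAY, "src_port": 25, "flags": ("ACK",), "action": "allow"},
]
# Constructed packets: a genuine SMTP reply to the gateway, and an unsolicited
# inbound connection attempt that merely uses 25 as its source port
SMTP_REPLY = {"direction": "in", "proto": "tcp", "src": "203.0.113.9", "dst": GATEWAY,
              "src_port": 25, "dst_port": 40001, "flags": ("ACK",)}
SPOOFED_SYN = {"direction": "in", "proto": "tcp", "src": "203.0.113.9", "dst": "10.0.0.7",
               "src_port": 25, "dst_port": 445, "flags": ("SYN",)}
```

The ACK check is still stateless: it trusts a bit the sender sets, so it narrows the gap rather than closing it, which is what the stateful inspection firewall listed among the firewall types addresses by tracking the connection itself.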
Packet Filtering Firewall: Advantages

• The main advantage of packet-filtering firewalls is their simplicity and ease of implementation.

• Packet-filtering firewalls are also very efficient and impose very little overhead.

• Finally, the rules for packet-filtering firewalls can be very general, since they don't have to take higher-level applications into account.
Packet Filtering Firewall: Weaknesses

• Since packet-filtering firewalls do not examine upper-layer application data, they cannot prevent attacks that exploit application-specific vulnerabilities.

• Since packet-filtering firewalls make decisions on a per-packet basis, they can't defend against attacks that span multiple packets.

• Finally, our SMTP example shows that packet-filtering rules tend to have a small number of conditions, which may be too permissive. An attacker might craft traffic that exploits these misconfigurations.
