Module 2

Networks are frequently targeted by attacks, necessitating robust network security to protect organizational data and ensure business continuity. Various attack vectors, both internal and external, can lead to data loss and significant repercussions for organizations, including financial losses and reputational damage. Network security professionals must remain vigilant and utilize available tools and techniques to mitigate these threats effectively.

Module 2: Securing Networks

2.1 Current State of Affairs


2.1.2 Networks Are Targets
Networks are routinely under attack. It is common to read in the news about
yet another network that has been compromised. A quick internet search for
network attacks will return many articles about network attacks, including
news about organizations which have been compromised, the latest threats
to network security, tools to mitigate attacks, and more.
To help you comprehend the gravity of the situation, Kaspersky maintains the
interactive Cyberthreat Real-Time Map display of current network attacks.
The attack data is submitted from Kaspersky network security products that
are deployed worldwide. The figure displays a sample screenshot of this web
tool, which shows these attacks in real time. Many similar tools are available
on the internet and can be found by searching for cyberthreat maps.

2.1.3 Reasons for Network Security


Network security relates directly to an organization's business continuity.
Network security breaches can disrupt e-commerce, cause the loss of
business data, threaten people’s privacy, and compromise the integrity of
information. These breaches can result in lost revenue for corporations, theft
of intellectual property, lawsuits, and can even threaten public safety.
Maintaining a secure network ensures the safety of network users and
protects commercial interests. Keeping a network secure requires vigilance
on the part of an organization’s network security professionals. They must
constantly be aware of new and evolving threats and attacks to networks,
and vulnerabilities of devices and applications.
Many tools are available to help network administrators adapt, develop, and
implement threat mitigation techniques. For instance, the Cisco Talos
Intelligence Group website, shown in the figure, provides comprehensive
security and threat intelligence to defend customers and protect their
assets.

Another group, called the Cisco Product Security Incident Response Team
(PSIRT), is responsible for investigating and mitigating potential
vulnerabilities in Cisco products. The figure displays a sample Cisco Security
Advisories page which lists these vulnerabilities in real time and provides
network administrators with information to help mitigate them.
2.1.4 Vectors of Network Attacks
An attack vector is a path by which a threat actor can gain access to a
server, host, or network. Attack vectors originate from inside or outside the
corporate network, as shown in the figure. For example, threat actors may
target a network through the internet, to disrupt network operations and
create a denial of service (DoS) attack.
External and Internal Threats
Note: A DoS attack occurs when a network device or application is
incapacitated and no longer capable of supporting requests from legitimate
users.
An internal user, such as an employee, can accidentally or intentionally:
• Steal and copy confidential data to removable media, email, messaging
software, and other media.
• Compromise internal servers or network infrastructure devices.
• Disconnect a critical network connection and cause a network outage.
• Connect an infected USB drive into a corporate computer system.
Internal threats have the potential to cause greater damage than external
threats because internal users have direct access to the building and its
infrastructure devices. Employees may also have knowledge of the
corporate network, its resources, and its confidential data.
Network security professionals must implement tools and apply techniques
for mitigating both external and internal threats.
2.1.5 Data Loss
Data is likely to be an organization’s most valuable asset. Organizational
data can include research and development data, sales data, financial data,
human resource and legal data, employee data, contractor data, and
customer data.
Data loss, or data exfiltration, is when data is intentionally or unintentionally
lost, stolen, or leaked to the outside world. The data loss can result in:
• Brand damage and loss of reputation
• Loss of competitive advantage
• Loss of customers
• Loss of revenue
• Litigation/legal action that results in fines and civil penalties
• Significant cost and effort to notify affected parties and recover from
the breach
Network security professionals must protect the organization’s data. Various
Data Loss Prevention (DLP) controls must be implemented that combine
strategic, operational, and tactical measures.
Common data loss vectors are displayed below.
Email/Social Networking
The most common vector for data loss includes instant messaging software
and social media sites. For instance, intercepted email or IM messages could
be captured and reveal confidential information.
Unencrypted Devices
A stolen corporate laptop typically contains confidential organizational data.
If the data is not stored using an encryption algorithm, then the thief can
retrieve valuable confidential data.
Cloud Storage Devices
Saving data to the cloud has many potential benefits. However, sensitive
data can be lost if access to the cloud is compromised due to weak security
settings.
Removable Media
One risk is that an employee could perform an unauthorized transfer of data
to a USB drive. Another risk is that a USB drive containing valuable
corporate data could be lost.
Hard Copy
Corporate data should be disposed of thoroughly. For example, confidential
data should be shredded when no longer required. Otherwise, a thief could
retrieve discarded reports and gain valuable information.
Improper Access Control
Passwords are the first line of defense. Stolen passwords or weak passwords
which have been compromised can provide an attacker easy access to
corporate data.
Packet Tracer - Investigate a Threat Landscape
Objectives
Part 1: Investigate a Network Configuration Vulnerability
Part 2: Investigate a Phishing Malware Vulnerability
Part 3: Investigate a Wireless Network and DNS Vulnerability
Background / Scenario
The threat landscape consists of all the vulnerabilities that can be exploited
by threat actors. Every cybersecurity incident involves the exploitation of
vulnerabilities by different types of threat actors. Some threat actors want
money, others want to be famous, and yet others want to destroy
information and infrastructure.
In this activity, you will investigate three vulnerabilities that can be
exploited by threat actors.
Note: In this activity, both the Data Center and ISP/Telco sites are locked.
Instructions
Part 1: Investigate a Network Configuration Vulnerability
Sometimes network security vulnerabilities can happen by accident. For
example, forgetting to update server or host software may expose known
vulnerabilities that could easily be mitigated with a simple update. Similarly,
vulnerabilities may be introduced when a network device is not configured
properly, or a device is defective. In this part, you will explore a vulnerability
that results from a device that is not properly configured with security best
practices.
Step 1: Use a guest network to gain access to other devices on the
network.
a. In Greenville, locate Smartphone 3 just outside of
the Home location.
Mary is the owner of this smartphone. She is a friend of Bob, who lives in the
house. Mary is studying to eventually get a job in cybersecurity defense and
is familiar with network penetration testing. She noticed that a guest
wireless network is open and accessible by anyone. She connected to the
guest network and used Nmap to run a scan, which can identify and
discover details about all the active devices. One of the devices appears to
be a webcam. Its IP address is 192.168.100.101.
b. Click Smartphone 3, and then click Command Prompt. Enter the
command ping 192.168.100.101. After one or two "Request timed
out" messages, the remaining pings should be successful.
Mary informs Bob that the network is very vulnerable to attack. Someone
could take control of the webcam, for example, and watch video from inside
the house. Bob invites Mary to come in, investigate the issue, and propose a
solution.
Step 2: Explore the Home network to identify the vulnerability.
a. Click Home. Knowing that home routers typically control home
wireless networks, Mary heads straight for the home office and sits
behind the desk. She will use the Home Office PC to connect to the
router. But first she needs to determine the IP address.
b. Click Home Office PC > Desktop tab > Command Prompt, and
then enter the command ipconfig.
The default gateway is the IP address for the Home Wireless Router.
What is the IP address?
c. Next, Mary uses the Web Browser to connect to the Home
Wireless Router. Close the Command Prompt and click Web
Browser. Enter the default gateway IP address.
d. Bob does not have the documentation for the router nor does he
know the login credentials. Mary looks up the router model on the
internet and discovers that the default credentials use admin for both
the username and password. Login to Home Wireless Router.
e. Click Wireless. Review the Basic Wireless Settings for each of the
three radios that are part of the wireless router.
Which of the radios are active?
What are the SSIDs that are assigned to these radios?
f. Click the Wireless Security submenu.
Is security activated for each of the radios? Are passphrases set?
g. Mary was able to access the network from outside without logging in;
therefore, she investigates further. Click the Guest
Network submenu and investigate the settings.
Is the Guest network active? If so, on which radio?
A wireless Guest network should only provide access to the internet for
guests. It should not permit guests to access the devices on local network
inside the house. In this case, guests can access the local network. This
indicates that the home router is misconfigured.
What would you propose Bob do to secure this network?
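The misconfigurations Mary found (a factory-default admin login and a guest network that reaches the inside LAN) can be checked mechanically. The following Python audit is an added example, not part of the course or the Packet Tracer activity; the configuration dictionary layout, the SSIDs, passphrases, and the "fixed" values are constructed assumptions, not the activity's answers.

```python
"""Audit a home/SOHO wireless router configuration for the weaknesses the
activity exposes: factory-default admin credentials, an active radio without
wireless security or a passphrase, and a guest network that is not isolated
from the inside LAN. The dictionary layout is a hypothetical snapshot built for
this example, not a vendor export format."""
from dataclasses import dataclass

# Factory-default management logins. admin/admin is the pair from the activity;
# the other entries are assumptions about common vendor defaults.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
LEGACY_MODES = {"wep", "wpa-psk"}


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    component: str  # part of the configuration the finding concerns
    message: str


def audit_router(config: dict) -> list[Finding]:
    """Return the security findings for one router configuration snapshot."""
    findings: list[Finding] = []

    # 1. Management login: Mary got in with the documented default credentials.
    creds = (config["admin"]["username"], config["admin"]["password"])
    if creds in DEFAULT_CREDENTIALS:
        findings.append(Finding("high", "admin login",
                                "router still uses factory-default credentials"))

    # 2. Every active radio needs a security mode and a passphrase (Step 2e/2f).
    for radio in config["radios"]:
        if not radio["enabled"]:
            continue
        name = f"radio {radio['band']} (SSID {radio['ssid']!r})"
        if radio["security"] == "disabled":
            findings.append(Finding("high", name, "wireless security disabled (open network)"))
        elif not radio.get("passphrase"):
            findings.append(Finding("high", name, "security mode set but no passphrase"))
        elif radio["security"] in LEGACY_MODES:
            findings.append(Finding("medium", name,
                                    f"legacy mode {radio['security']}; use WPA2 or WPA3"))

    # 3. Guest network: internet only, never the devices inside the house (Step 2g).
    guest = config["guest_network"]
    if guest["enabled"]:
        if not guest["isolate_from_lan"]:
            findings.append(Finding("high", "guest network",
                                    f"guests on {guest['band']} can reach the local LAN; "
                                    "enable LAN isolation"))
        if not guest.get("passphrase"):
            findings.append(Finding("medium", "guest network",
                                    "guest network is open; set a passphrase"))
    return findings


def is_secure(config: dict) -> bool:
    """True when the audit raises no high-severity finding."""
    return not any(f.severity == "high" for f in audit_router(config))


# Constructed snapshot with the kind of misconfiguration found in the activity.
HOME_ROUTER_AS_FOUND = {
    "admin": {"username": "admin", "password": "admin"},
    "radios": [
        {"band": "2.4GHz", "ssid": "HomeNet", "enabled": True,
         "security": "wpa2-psk", "passphrase": "correct horse battery staple"},
        {"band": "5GHz-1", "ssid": "HomeNet5", "enabled": True,
         "security": "wpa2-psk", "passphrase": "correct horse battery staple"},
        {"band": "5GHz-2", "ssid": "", "enabled": False,
         "security": "disabled", "passphrase": ""},
    ],
    "guest_network": {"enabled": True, "band": "2.4GHz",
                      "isolate_from_lan": False, "passphrase": ""},
}

# The same router after the changes one would propose to Bob.
HOME_ROUTER_FIXED = {
    "admin": {"username": "admin", "password": "unique-management-passphrase-for-this-router"},
    "radios": HOME_ROUTER_AS_FOUND["radios"],
    "guest_network": {"enabled": True, "band": "2.4GHz",
                      "isolate_from_lan": True, "passphrase": "guests-internet-only"},
}

if __name__ == "__main__":
    for finding in audit_router(HOME_ROUTER_AS_FOUND):
        print(f"[{finding.severity.upper()}] {finding.component}: {finding.message}")
    print("secure after fix:", is_secure(HOME_ROUTER_FIXED))
```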
Part 2: Investigate a Phishing Malware Vulnerability
Phishing is a type of social engineering attack in which a threat actor poses
as a legitimate, trusted source in order to trick you into installing malware
on your device or sharing personal or financial information.
Phishing attacks typically come through emails or phone calls. Unlike other
network vulnerabilities, the primary vulnerability in phishing attacks is the
users of the network. For this reason, an important defense against phishing
is training users on how to recognize and avoid phishing exploits.
In this part, you will simulate and investigate a phishing attack.
Note: This activity is for demonstration purposes only. Writing and sending
phishing email messages is unethical and is considered a criminal attack in
most jurisdictions.
Step 1: Pose as a threat actor and create a phishing email.
a. Navigate to the Cafe network
b. Click the Cafe Hacker Laptop > Desktop tab > Email.
c. Click Compose.
Use your imagination to write a phishing email. Your objective is to persuade
the user to copy and paste a URL from your email message into their
browser. Include the link pix.example.com in the email. You can look for
example phishing emails online to see how threat actors write this type of
email.
Note: Links in phishing emails are typically active or "hot" links. All the
victim has to do is click it. However, Packet Tracer does not support the use
of active links inside the email client.
d. Send your email to three people inside the Branch Office network.
Their email addresses are as follows:
[email protected]
[email protected]
[email protected]
Step 2: Open the emails received from the threat actor.
a. Navigate to the Branch Office.
b. Click one of the devices, either PC-BR1, Laptop BR-1, or Laptop
BR-2.
c. Click Desktop tab > Email, and then click Receive. You should
receive the email that you just sent.
Note: Packet Tracer may take up to a minute to converge. You may need to
click Receive several times if the email is not successfully retrieved.
d. Optional: Go to the other victim devices, open their Email client, and
click Receive to verify that they also received your phishing email.
Step 3: Pose as a victim and follow the phishing instructions.
a. Read the email and copy the website address.
b. Close the Mail Browser window, and then click Web Browser.
c. Paste the URL into the URL field, and then Go.
Note: Packet Tracer may take up to a minute to converge. You can
click Fast Forward Time (Alt+D) to speed up the process.
What happened when the webpage loaded?
What is this type of attack called?
In a real world situation, this email is typically spread by a virus that
automatically sends malicious emails to all the addresses in your contact
list.
Describe the damage this type of attack can cause within an organization.
Employees should be trained to identify phishing emails and to take the actions
that prevent damage from them. In addition,
organizations can configure firewalls, intrusion prevention systems, and
other security devices and software to block phishing emails before they
enter the network. Some businesses subscribe to services that compile
and maintain lists of malicious websites. The security devices in the
organization can then use these lists to automatically update filters for
blocking malicious traffic.
Part 3: Investigate a Wireless Network and DNS Vulnerability
Your average network user tends to trust open Wi-Fi networks in public
places. Using Wi-Fi instead of cellular data services can provide faster data
rates and be more cost effective. However, threat actors can configure a
laptop with a Wi-Fi interface that can act as both a Wi-Fi access point and a
Wi-Fi client. This means that threat actors can create their own wireless
networks and broadcast a convincing SSID to potential victims in public
places. Threat actors use these rogue access points to create man-in-the-
middle attacks. In this attack, threat actors can capture and read all the
wireless traffic from devices that associate with the rogue access point,
potentially learning usernames, passwords, and other confidential
information.
In this part, you will investigate how a rogue access point can be used to
entice users to connect to a fake wireless network. When combined with
network services such as DHCP and DNS, users can become victims of
malicious website attacks through DNS hijacking.
Step 1: Connect to the threat actor’s wireless network.
a. Navigate to the Cafe. Notice the threat actor sitting in the corner.
b. Click the Hacker Backpack and investigate the contents. In his
backpack, he has a wireless router and a network sniffer. His goal is to
intercept user traffic and direct it to a malicious server.
c. Return to the Cafe and click the Cafe Customer laptop
> Desktop tab > PC Wireless application.
d. Click the Connect tab. You may need to click Refresh to see the list
of available wireless networks.
If you were in the Cafe, which wireless network would you choose to connect
to? Explain.
e. Click any of the Cafe_WI-FI_FAST network names and then
click Connect.
Step 2: Visit your favorite social media site.
a. Close the PC Wireless application and click Web Browser.
b. In the URL field, enter friends.example.com, and then click Go. This
website is supposed to be a legitimate social network in this
simulation.
What happened?
What was the URL for the malware server that was used in the phishing
attack scenario? Is it the same?
Step 3: Investigate the source of the attack.
a. Close the Web Browser and click IP Configuration.
b. In the Cafe, click VPN Laptop > Desktop tab > IP Configuration.
c. Click Cafe Customer from your task bar to bring it back into view
and then arrange the two IP Configuration windows side by side.
Compare the values between the two devices.
What are the differences between the addresses of the two laptops?
d. Investigate the Cafe Hacker Laptop.
What is its IP address? Why is this significant?
On the Cafe Hacker Laptop, click the Services tab > DNS.
e. Locate the Name for the friends.example.com website. Note that
the IP address is the same IP address as is associated
with pix.example.com from the phishing attack earlier.
f. Under Services, click DHCP. Notice that the DNS server address
distributed to the hosts over DHCP is the same one assigned to Cafe
Customer.
What are the steps in this attack?
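As an added example that is not part of the activity, the two comparisons from Step 3 (lease details between the two laptops, and DNS answers from the assigned resolver against a trusted one) written as a small Python detector. The ipconfig-style text, every address and the subnets are constructed; only friends.example.com and pix.example.com come from the activity.

```python
"""Client-side detection of the rogue access point + DHCP + DNS hijack from
Part 3. Two checks mirror Step 3 of the activity: compare a suspect laptop's IP
configuration with a known-good laptop on the same cafe network, and compare
what the lease-assigned resolver says about a name against a trusted resolver.
The ipconfig-style text, every address and the subnets are constructed; only
friends.example.com and pix.example.com come from the activity."""
import re

# Patterns for the lines of an ipconfig-style dump (dots of padding, then a colon).
IPCONFIG_FIELDS = {
    "ip": r"IPv4 Address[ .]*:\s*([\d.]+)",
    "gateway": r"Default Gateway[ .]*:\s*([\d.]+)",
    "dhcp": r"DHCP Server[ .]*:\s*([\d.]+)",
    "dns": r"DNS Server[ .]*:\s*([\d.]+)",
}


def parse_ipconfig(text: str) -> dict:
    """Pull the addresses out of ipconfig-style output (None when a line is absent)."""
    result = {}
    for key, pattern in IPCONFIG_FIELDS.items():
        match = re.search(pattern, text)
        result[key] = match.group(1) if match else None
    return result


def compare_leases(suspect: dict, reference: dict) -> list[str]:
    """Step 3c: two laptops in the same cafe should have been handed the same
    gateway, DHCP server and DNS server. Differences point at a second DHCP
    server answering on a look-alike SSID."""
    alerts = []
    for key in ("gateway", "dhcp", "dns"):
        if suspect[key] != reference[key]:
            alerts.append(f"{key} differs: suspect={suspect[key]} reference={reference[key]}")
    # The hacker laptop runs both services, so the unexpected DHCP and DNS
    # server are one and the same host.
    if suspect["dns"] and suspect["dns"] == suspect["dhcp"] and suspect["dns"] != reference["dns"]:
        alerts.append(f"DHCP and DNS both served by unexpected host {suspect['dns']}")
    return alerts


def check_resolution(assigned: dict, trusted: dict, malicious_ips: set) -> list[str]:
    """Step 3e: the hijacking resolver answers friends.example.com with the
    malware server's address. Cross-check each answer against a trusted resolver
    and against addresses already tied to an attack (pix.example.com, Part 2)."""
    alerts = []
    for name, ip in assigned.items():
        expected = trusted.get(name)
        if ip != expected:
            alerts.append(f"{name}: assigned resolver says {ip}, trusted resolver says {expected}")
        if ip in malicious_ips:
            alerts.append(f"{name}: resolves to known malware host {ip}")
    return alerts


# Constructed ipconfig-style output for the laptop that joined the rogue SSID
# (10.10.10.2 stands in for the hacker laptop running DHCP and DNS).
CAFE_CUSTOMER_IPCONFIG = """\
   IPv4 Address.........: 10.10.10.50
   Subnet Mask..........: 255.255.255.0
   Default Gateway......: 10.10.10.1
   DHCP Server..........: 10.10.10.2
   DNS Server...........: 10.10.10.2
"""

# Constructed output for the VPN Laptop, which is on the cafe's real network.
VPN_LAPTOP_IPCONFIG = """\
   IPv4 Address.........: 192.168.50.21
   Subnet Mask..........: 255.255.255.0
   Default Gateway......: 192.168.50.1
   DHCP Server..........: 192.168.50.1
   DNS Server...........: 192.168.50.1
"""

# Constructed DNS answers: the rogue resolver points the social site at the same
# host that served pix.example.com in the phishing scenario.
ASSIGNED_RESOLVER_ANSWERS = {"friends.example.com": "203.0.113.66",
                             "pix.example.com": "203.0.113.66"}
TRUSTED_RESOLVER_ANSWERS = {"friends.example.com": "198.51.100.10",
                            "pix.example.com": "203.0.113.66"}
MALICIOUS_IPS = {"203.0.113.66"}


def run_detection() -> list[str]:
    """All alerts for the constructed scenario, lease checks first."""
    suspect = parse_ipconfig(CAFE_CUSTOMER_IPCONFIG)
    reference = parse_ipconfig(VPN_LAPTOP_IPCONFIG)
    return (compare_leases(suspect, reference)
            + check_resolution(ASSIGNED_RESOLVER_ANSWERS, TRUSTED_RESOLVER_ANSWERS, MALICIOUS_IPS))


if __name__ == "__main__":
    for alert in run_detection():
        print("ALERT:", alert)
```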
Summary
In this activity, we have looked at three different ways in which
vulnerabilities can lead to exploits. As an informed network user or
cybersecurity professional, it is your responsibility to think about the
different ways in which such vulnerabilities can be detected and mitigated
before a cyber attack occurs.

2.2 Who is Attacking Our Network?


2.2.1 Threat, Vulnerability, and Risk
We are under attack and attackers want access to our assets. Assets are
anything of value to an organization, such as data and other intellectual
property, servers, computers, smart phones, tablets, and more.
To better understand any discussion of network security, it is important to
know the following terms:
Threat
A potential danger to an asset such as data or the network itself.
Vulnerability
A weakness in a system or its design that could be exploited by a threat.
Attack Surface
An attack surface is the total sum of the vulnerabilities in a given system
that are accessible to an attacker. The attack surface describes different
points where an attacker could get into a system, and where they could get
data out of the system. For example, your operating system and web
browser could both need security patches. They are each vulnerable to
attacks and are exposed on the network or the internet. Together, they
create an attack surface that the threat actor can exploit.
Exploit
The mechanism that is used to leverage a vulnerability to compromise an
asset. Exploits may be remote or local. A remote exploit is one that works
over the network without any prior access to the target system. The
attacker does not need an account in the end system to exploit the
vulnerability. In a local exploit, the threat actor has some type of user or
administrative access to the end system. A local exploit does not necessarily
mean that the attacker has physical access to the end system.
Risk
The likelihood that a particular threat will exploit a particular vulnerability of
an asset and result in an undesirable consequence.
Risk management is the process that balances the operational costs of
providing protective measures with the gains achieved by protecting the
asset. There are four common ways to manage risk, as shown below:
Risk acceptance
This is when the cost of risk management options outweighs the cost of the
risk itself. The risk is accepted, and no action is taken.
Risk avoidance
This means avoiding any exposure to the risk by eliminating the activity or
device that presents the risk. By eliminating an activity to avoid risk, any
benefits that are possible from the activity are also lost.
Risk reduction
This reduces exposure to risk or reduces the impact of risk by taking action
to decrease the risk. It is the most commonly used risk mitigation strategy.
This strategy requires careful evaluation of the costs of loss, the mitigation
strategy, and the benefits gained from the operation or activity that is at
risk.
Risk transfer
Some or all of the risk is transferred to a willing third party such as an
insurance company.
Other commonly used network security terms include:
Countermeasure - The actions that are taken to protect assets by mitigating
a threat or reducing risk.
Impact - The potential damage to the organization that is caused by the
threat.
Note: A local exploit requires inside network access such as a user with an
account on the network. A remote exploit does not require an account on
the network to exploit that network’s vulnerability.

2.2.2 Hacker vs Threat Actor


As we know, “hacker” is a common term used to describe a threat actor.
However, the term “hacker” has a variety of meanings, as follows:
• A clever programmer capable of developing new programs and
coding changes to existing programs to make them more efficient.
• A network professional that uses sophisticated programming skills to
ensure that networks are not vulnerable to attack.
• A person who tries to gain unauthorized access to devices on the
internet.
• An individual who runs programs to prevent or slow network access to
a large number of users, or corrupt or wipe out data on servers.
As shown in the figure, the terms white hat hacker, black hat hacker, and
grey hat hacker are often used to describe hackers.
• White hat hackers are ethical hackers who use their programming
skills for good, ethical, and legal purposes. They may perform
network penetration tests in an attempt to compromise networks and
systems by using their knowledge of computer security systems to
discover network vulnerabilities. Security vulnerabilities are reported
to developers and security personnel who attempt to fix the
vulnerability before it can be exploited. Some organizations award
prizes or bounties to white hat hackers when they provide information
that helps to identify vulnerabilities.
• Grey hat hackers are individuals who commit crimes and do arguably
unethical things, but not for personal gain or to cause damage. An
example would be someone who compromises a network without
permission and then discloses the vulnerability publicly. Grey hat
hackers may disclose a vulnerability to the affected organization after
having compromised their network. This allows the organization to fix
the problem.
• Black hat hackers are unethical criminals who violate computer and
network security for personal gain, or for malicious reasons, such as
attacking networks. Black hat hackers exploit vulnerabilities to
compromise computer and network systems.
Good or bad, hacking is an important aspect of network security. In this
course, the term threat actor is used when referring to those individuals or
groups that could be classified as gray or black hat hackers.

2.2.3 Evolution of Threat Actors


Hacking started in the 1960s with phone freaking, or phreaking, which refers
to using various audio frequencies to manipulate phone systems. At that
time, telephone switches used various tones, or tone dialing, to indicate
different functions. Early threat actors realized that by mimicking a tone
using a whistle, they could exploit the phone switches to make free long-
distance calls.
In the mid-1980s, computer dial-up modems were used to connect
computers to networks. Threat actors wrote “war dialing” programs which
dialed each telephone number in a given area in search of computers,
bulletin board systems, and fax machines. When a phone number was
found, password-cracking programs were used to gain access. Since then,
general threat actor profiles and motives have changed quite a bit.
There are many different types of threat actors.
Script kiddies
The term script kiddies emerged in the 1990s and refers to teenagers or
inexperienced threat actors running existing scripts, tools, and exploits to
cause harm, but typically not for profit.
Vulnerability brokers
The term vulnerability brokers typically refers to grey hat hackers who attempt to
discover exploits and report them to vendors, sometimes for prizes or
rewards.
Hacktivists
Hacktivists is a term that refers to grey hat hackers who rally and protest
against different political and social ideas. Hacktivists publicly protest
against organizations or governments by posting articles, videos, leaking
sensitive information, and performing distributed denial of service (DDoS)
attacks.

Cybercriminals
Cybercriminal is a term for black hat hackers who are either self-employed
or working for large cybercrime organizations. Each year, cyber criminals
are responsible for stealing billions of dollars from consumers and
businesses.
State-sponsored
State-sponsored hackers are threat actors who steal government secrets,
gather intelligence, and sabotage networks of foreign governments, terrorist
groups, and corporations. Most countries in the world participate to some
degree in state-sponsored hacking. Depending on a person’s perspective,
these are either white hat or black hat hackers.

2.2.4 Cybercriminals
Cybercriminals are threat actors who are motivated to make money using
any means necessary. While sometimes cybercriminals work independently,
they are more often financed and sponsored by criminal organizations. It is
estimated that globally, cybercriminals steal billions of dollars from
consumers and businesses every year.
Cybercriminals operate in an underground economy where they buy, sell,
and trade exploits and tools. They also buy and sell the personal information
and intellectual property that they steal from victims. Cybercriminals target
small businesses and consumers, as well as large enterprises and industries.

2.2.5 Cybersecurity Tasks


Threat actors do not discriminate. They target the vulnerable end devices of
home users and small-to-medium sized businesses, as well as large public
and private organizations.
To make the internet and networks safer and more secure, we must all
develop good cybersecurity awareness. Cybersecurity is a shared
responsibility which all users must practice. For example, we must report
cybercrime to the appropriate authorities, be aware of potential threats in
email and the web, and guard important information from theft.
Organizations must take action and protect their assets, users, and
customers. They must develop and practice cybersecurity tasks such as
those listed in the figure.
2.2.6 Cyber Threat Indicators
Many network attacks can be prevented by sharing information about
indicators of compromise (IOC). Each attack has unique identifiable
attributes. Indicators of compromise are the evidence that an attack has
occurred. IOCs can be features that identify malware files, IP addresses of
servers that are used in attacks, filenames, and characteristic changes
made to end system software, among others. IOCs help cybersecurity
personnel identify what has happened in an attack and develop defenses
against the attack. A summary of the IOC for a piece of malware is shown in
the figure.

For instance, a user receives an email claiming they have won a big prize.
Clicking on the link in the email results in an attack. The IOC could include
the fact the user did not enter that contest, the IP address of the sender, the
email subject line, the URL to click, or an attachment to download, among
others.
Indicators of attack (IOA) focus more on the motivation behind an attack and
the potential means by which threat actors have, or will, compromise
vulnerabilities to gain access to assets. IOAs are concerned with the
strategies that are used by attackers. For this reason, rather than informing
response to a single threat, IOAs can help generate a proactive security
approach. This is because strategies can be reused in multiple contexts and
multiple attacks. Defending against a strategy can therefore prevent future
attacks that utilize the same, or similar strategy.
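The prize-email indicators listed above (sender IP, subject line, the URL to click, an attachment) and the list-driven mail filtering described at the end of Part 2 of the Packet Tracer activity come together in one check. This Python example is added here and is not course material; the sample message, its addresses and the IOC values are constructed, with only pix.example.com taken from the activity.

```python
"""Extract the indicators named in 2.2.6 (sender IP, subject line, URL to click,
attachment) from a raw email and match them against an IOC list, the way a mail
filter fed by a malicious-website subscription (Part 2 of the activity) decides
to block a message. The sample message, its addresses and the IOC values are
constructed for this example; only pix.example.com comes from the activity."""
import email
import re
from email import policy
from email.message import EmailMessage

# Hostnames inside URLs or written bare ("copy pix.example.com into your browser").
URL_RE = re.compile(
    r"\b(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:/[^\s<>\"']*)?",
    re.IGNORECASE)
# Source addresses recorded in Received: headers, e.g. "from relay ([203.0.113.66])".
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def extract_indicators(raw: str) -> dict:
    """Parse one RFC 5322 message and collect the IOC-relevant attributes."""
    msg = email.message_from_string(raw, policy=policy.default)
    origin_ips = []
    for received in msg.get_all("Received", []):
        origin_ips.extend(RECEIVED_IP_RE.findall(str(received)))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return {
        "from": str(msg.get("From", "")),
        "subject": str(msg.get("Subject", "")),
        "origin_ips": origin_ips,
        "domains": {m.group(1).lower() for m in URL_RE.finditer(text)},
        "attachments": [p.get_filename() for p in msg.iter_attachments() if p.get_filename()],
    }


def match_iocs(indicators: dict, iocs: dict) -> list[str]:
    """Return one line per indicator that matches the IOC list."""
    hits = []
    for ip in indicators["origin_ips"]:
        if ip in iocs["ips"]:
            hits.append(f"origin IP {ip} is a known attack server")
    for domain in indicators["domains"]:
        # Match the listed site and any host under it (sub.pix.example.com).
        if domain in iocs["domains"] or any(domain.endswith("." + d) for d in iocs["domains"]):
            hits.append(f"link to listed malicious site {domain}")
    if indicators["subject"].strip().lower() in iocs["subjects"]:
        hits.append(f"subject line matches known lure: {indicators['subject']!r}")
    for name in indicators["attachments"]:
        if name.lower().endswith(iocs["attachment_extensions"]):
            hits.append(f"executable attachment {name}")
    return hits


def should_block(raw: str, iocs: dict) -> bool:
    """Filter decision: block when any indicator matches."""
    return bool(match_iocs(extract_indicators(raw), iocs))


def build_sample_phishing_email() -> str:
    """Constructed message mirroring the 'you have won a prize' lure from 2.2.6."""
    msg = EmailMessage()
    msg["Received"] = ("from mail.prize-notify.example ([203.0.113.66]) "
                       "by mx.branch.example with SMTP; Mon, 1 Jan 2024 09:00:00 +0000")
    msg["From"] = "Prize Desk <winner@prize-notify.example>"
    msg["To"] = "user@branch.example"
    msg["Subject"] = "Congratulations! You have won a big prize"
    msg.set_content("You have been selected for our grand draw.\n"
                    "Copy this address into your browser to claim:\n"
                    "http://pix.example.com/claim?id=1234\n")
    msg.add_attachment(b"not really a form", maintype="application",
                       subtype="octet-stream", filename="claim-form.exe")
    return msg.as_string()


# Constructed IOC list of the kind a blocklist subscription would deliver.
IOC_LIST = {
    "ips": {"203.0.113.66"},
    "domains": {"pix.example.com"},
    "subjects": {"congratulations! you have won a big prize"},
    "attachment_extensions": (".exe", ".scr", ".js", ".vbs"),
}

if __name__ == "__main__":
    sample = build_sample_phishing_email()
    for hit in match_iocs(extract_indicators(sample), IOC_LIST):
        print("IOC hit:", hit)
    print("block:", should_block(sample, IOC_LIST))
```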

2.2.7 Threat Sharing and Building Cybersecurity Awareness


Governments are now actively promoting cybersecurity. For instance, the US
Cybersecurity and Infrastructure Security Agency (CISA) is leading efforts to
automate the sharing of cybersecurity information with public and private
organizations at no cost. CISA uses a system called Automated Indicator
Sharing (AIS). AIS enables the sharing of attack indicators between the US
government and the private sector as soon as threats are verified. CISA
offers many resources that help to limit the size of the United States attack
surface.
CISA and the National Cyber Security Alliance (NCSA) promote
cybersecurity to all users. For example, they run an annual campaign
every October called “National Cybersecurity Awareness Month” (NCASM).
This campaign was developed to promote and raise awareness about
cybersecurity.
The theme for the NCASM for 2019 was “Own IT. Secure IT. Protect IT.” This
campaign encouraged all citizens to be safer and more personally
accountable for using security best practices online. The campaign provides
material on a wide variety of security topics including:
• Social media safety
• Updating privacy settings
• Awareness of device app security
• Keeping software up-to-date
• Safe online shopping
• Wi-Fi safety
• Protecting customer data
The European Union Agency for Cybersecurity (ENISA) delivers advice and
solutions for the cybersecurity challenges of the EU member states. ENISA
fills a role in Europe that is similar to the role of CISA in the US.

2.3 Securing Networks Summary


2.3.1 What Did I Learn in this Module?
Current State of Affairs
Network security relates directly to an organization's business continuity.
Network security breaches can disrupt e-commerce, cause the loss of
business data, threaten people’s privacy, and compromise the integrity of
information. These breaches can result in lost revenue for corporations, theft
of intellectual property, lawsuits, and can even threaten public safety. Many
tools are available to help network administrators adapt, develop, and
implement threat mitigation techniques, including the Cisco Talos
Intelligence Group. An attack vector is a path by which a threat actor can
gain access to a server, host, or network. Attack vectors originate from
inside or outside the corporate network. Data is likely to be an
organization’s most valuable asset. Various DLP controls must be
implemented, that combine strategic, operational, and tactical measures.
Common data loss vectors include email and social networking, unencrypted
data devices, cloud storage devices, removable media, hard copy, and
improper access control.
Who is Attacking Our Network?
Understanding network security requires you to understand the following
terms: threat, vulnerability, attack surface, exploit, and risk. Risk
management is the process that balances the operational costs of providing
protective measures with the gains achieved by protecting the asset. Four
common ways to manage risk are risk acceptance, risk avoidance, risk
reduction, and risk transfer. Hacker is a term used to describe a threat actor.
White hat hackers are ethical hackers using their skills for good, ethical, and
legal purposes. Grey hat hackers are individuals who commit crimes and do
unethical things, but not for personal gain or to cause damage. Black hat
hackers are criminals who violate computer and network security for
personal gain, or for malicious reasons, such as attacking networks. Threat
actors include script kiddies, vulnerability brokers, hacktivists,
cybercriminals, and state-sponsored hackers. Many network attacks can be
prevented by sharing information about IOCs. Many governments are
promoting cybersecurity. CISA and NCSA are examples of such
organizations.
