
Week 1 – Lecture Notes

October 17 – October 23

Network Infrastructure and Risk Elements


SM 6369

Networking Basics

What is a network
A Network is an environment constituted to allow machines to communicate. It consists of the following:
• The machines or devices communicating
• The medium of communication (cables, wireless, cellular)
• The devices facilitating (or protecting) the network

In an enterprise or organizational setting, some of the “machines” that need to communicate are used directly in
business operation. Others exist as part of the network to facilitate the communication. See the examples below.

Used Directly in Business Operation (Endpoints)
o Computing devices
o Printers
o Mobile Phones

Used to Facilitate Communication (Intermediary Devices)
o Routers – Route data across the internet using the IP address
o Switches – Switch data to specific network segments based on MAC address
o Hubs – Broadcast to all connected devices
o Firewalls – Filter packets based on preconfigured rules

Devices in this category:
• Are capable of processing and/or storing data
• Require a unique identity to allow for communication across the network

Device Identity
Every device or machine communicating on a network has two unique identifiers.

These devices require a network interface card or NIC to communicate with the rest of the network.

The two unique identifiers are strings of characters, usually numbers or letters, with some method of delimitation.

Media Access Control (MAC) Address
o Assigned by the manufacturer of the NIC
o Hard coded and non-changeable
o Remains with the NIC on the machine regardless of what network the machine is on.
  NOTE: Some NICs are removable from the machine, and in such cases, the MAC address of the new device will be that
  of the NIC installed in it.

Internet Protocol (IP) Address
o Assigned by the network
o Can be changed by the network administrator
o Is not tied to the NIC/machine. Upon leaving the network, the IP address is dissociated from the NIC/machine.
  The same IP can be assigned to a different machine.

For communication, devices on a network are identified by other devices using their IP address or MAC address.
In adversarial cyber attacks, devices are targeted using these addresses.

Data Identification
Data is transported over a network in packets of approximately 65,000 bytes. However, depending on the specific technology used, the exact size can vary.
Each packet is marked with a sequence number and travels independently. The sequence number allows the packets to be reconstructed at the receiving end.
Watch a demonstration of how packets traverse the internet here.

A data packet has several parts. The two main parts are the Header and the Payload.
The header contains information about the source, destination and the sequence number.

Simplified Structure of a Data Packet

When a packet of information moves across the network, the router on the network will examine the IP address portion
of the packet and move the packet onto the network segment which contains the computer with the destination IP
address. Once on the correct segment, switches will look at the MAC address to move the packet to the correct
destination NIC. The CRC is error-checking information. The destination NIC will look at the CRC to determine if the
packet was corrupted during transit. If there is a problem with the packet, it will be re-transmitted. - trustysec

Security Implications
Unencrypted data traversing a network can be intercepted and manipulated with malicious intent. This tactic is common
in cyber attacks and can trigger the following:
• Bypass certain security controls, as the source IP now appears legitimate
• Elicit replies to be sent to a rogue destination based on a false source IP
• Redirect packets once the destination has been altered
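An added example, not part of the lecture notes, that models the packet structure described above: a header carrying source, destination and sequence number, a payload, and a CRC. The sender fragments a constructed message; the receiver reorders the packets by sequence number, discards any whose CRC check fails, and reports which sequence numbers need to be re-transmitted. The 8-byte fragment size and the use of CRC-32 are assumptions made for the example.

```python
import random
import zlib
from dataclasses import dataclass

MAX_PAYLOAD = 8  # assumption: tiny fragments keep the example readable


@dataclass
class Packet:
    src: str        # header: source address
    dst: str        # header: destination address
    seq: int        # header: sequence number
    payload: bytes
    crc: int        # error-checking value computed over header + payload


def compute_crc(src: str, dst: str, seq: int, payload: bytes) -> int:
    return zlib.crc32(f"{src}|{dst}|{seq}|".encode() + payload)


def fragment(src: str, dst: str, data: bytes) -> list:
    """Sender side: split data into sequence-numbered packets, each with its own CRC."""
    chunks = [data[i:i + MAX_PAYLOAD] for i in range(0, len(data), MAX_PAYLOAD)]
    return [Packet(src, dst, n, c, compute_crc(src, dst, n, c)) for n, c in enumerate(chunks)]


def reassemble(packets: list, expected: int):
    """Receiver side: discard packets whose CRC fails, reorder by sequence number,
    and report which sequence numbers must be re-transmitted."""
    good = {}
    for p in packets:
        if p.crc == compute_crc(p.src, p.dst, p.seq, p.payload):
            good[p.seq] = p.payload
    missing = [n for n in range(expected) if n not in good]
    if missing:
        return None, missing
    return b"".join(good[n] for n in range(expected)), []


def demo() -> tuple:
    data = b"constructed sample message for the lecture notes"  # constructed input
    pkts = fragment("10.0.0.5", "10.0.0.9", data)
    random.shuffle(pkts)                       # packets travel independently, arrive out of order
    clean, _ = reassemble(pkts, len(pkts))     # clean delivery: rebuilt from sequence numbers
    damaged = pkts[0]
    damaged.payload = b"?" + damaged.payload[1:]   # simulate corruption in transit
    _, to_resend = reassemble(pkts, len(pkts))     # CRC mismatch flags exactly that packet
    return clean == data, to_resend == [damaged.seq]


if __name__ == "__main__":
    print(demo())
```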

Ports, Protocols, and Services


Ports
• Ports are 16-bit unsigned integers that serve as an entry point into a network through a device. This means that the possible port numbers range
from 0 – 65535.
• Specific numbers are assigned to the network services that programs use. The port is therefore how the system directs a data packet to the right
program.
• A program can bind to port numbers 1024 and higher. Port numbers from 0 – 1023 usually require administrative privileges for binding, because
they are reserved for basic internetworking communications and operations. These ports are usually referred to as “well-known” ports.

Protocols
• An agreed upon set of rules with which connected devices communicate with each other.
• Bridge the gap between differences in software, hardware, and standards
• Enhance safe and easy operations with regards to communication

Services
• Programs or capabilities usually provided by the server operating system that are used to facilitate network operations
• Also used to manage, organize, and sometimes secure data moved and stored across a network
• Can be managed at the operating system level to improve security

Security Implications
Infiltration of ports and protocols can give an adversary with malicious intent access to data, and services can be used by the adversary as tools to carry out that intent.

Classifying Network Security Threats



The OSI, TCP/IP, and DR Models

Layers                                               Associated Protocols
OSI             TCP/IP            DR
Application     Application       Application        FTP, HTTP, Telnet
Presentation                                         JPEG, MPEG
Session                           Database           NFS, SQL, PAP
Transport       Transport         Network            TCP, UDP
Network         Network                              IPv4, IPv6
Data Link       Network Access    Compute            ARP, CDP
Physical                          Storage            Ethernet, Wi-Fi

Different elements of the attack surface could be on different layers.

Based on this, different types of attacks occur at different layers, and thus require
responses based on the layer at which they occur.

The CIA Triad


CIA Triad is an acronym for Confidentiality, Integrity, Availability.

These represent the “security goals” of an organization with regards to cybersecurity, or what the organization tries to
protect about its systems and data.

Cyber attacks can also occur on different elements of the CIA triad. Appropriate defenses can also be designed
around these principles.

Confidentiality
  Attack Methods: Eavesdropping, Hacking, Phishing, DOS, and IP spoofing
  Solution Technology: IDS, Firewall, Cryptographic systems, IPsec, and SSL

Integrity
  Attack Methods: Viruses, Worms, Trojans, Eavesdropping, DOS, and IP spoofing
  Solution Technology: IDS, Firewall, Anti-Malware software, IPsec, and SSL

Privacy
  Attack Methods: Email Bombing, Spamming, Hacking, DOS, and cookies
  Solution Technology: IDS, Firewall, Anti-Malware systems, IPsec, and SSL

Availability
  Attack Methods: DOS, Email Bombing, Spamming, and System Boot Record Infectors
  Solution Technology: IDS, Firewall, and Anti-Malware software

Adapted from Roumani et al. (2020)



Cyber Risk Elements



Fundamentals of Cyber Risk


Identifying and Quantifying Cyber Risk involves the use of three elements or variables:
• Threats (map to the Likelihood variable)
• Vulnerabilities
• Assets
(Both Assets and Vulnerabilities map to the Impact variable)

Cyber Risk is quantified to determine an organization’s Risk Appetite or Tolerance.

Cyber Risk is based largely on the consequences of a cyber incident to an organization. The consequences could
be different, based on the type of organization and the type of threat.

Other elements such as Time of the year, Time of the day, available resources, and organizational culture could
also increase or decrease risk.

Managing Cyber Risk means addressing the risk elements by applying one of the following Risk Treatments.
• Acceptance
• Transference
• Elimination
• Mitigation

Fundamentals of Cyber Risk - Definitions


Vulnerabilities –
Weaknesses that exist in an organization’s information system

Threats –
Elements that are capable of exploiting vulnerabilities that exist in an organization’s information system

Risk –
The likelihood that a threat will exploit a vulnerability

A Vulnerability can exist without being a risk. This is possible if there is no threat that is willing and able to exploit it.

Vulnerabilities can be managed separately in a vulnerability management process. In this case, the existence of an active
threat is not necessarily considered.
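As an added worked example (not part of the lecture notes), the three risk elements above, the risk treatments, and the point that a vulnerability with no willing and able threat carries no risk, modelled as a small Python risk register. The likelihood x impact formula, the 0–1 and 1–10 scales, and the rule that anything above the risk appetite must be treated are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    likelihood: float   # assumed 0.0..1.0; 0.0 = no threat willing and able to exploit


@dataclass
class Vulnerability:
    name: str
    severity: float     # assumed 0.0..1.0: how much damage exploitation would enable


@dataclass
class Asset:
    name: str
    value: float        # assumed 1..10: consequence to the organization if compromised


def risk_score(threat: Threat, vuln: Vulnerability, asset: Asset) -> float:
    """Threats map to likelihood; assets and vulnerabilities map to impact.
    Risk is modelled here (assumption, not the lecture's formula) as likelihood x impact."""
    impact = asset.value * vuln.severity
    return round(threat.likelihood * impact, 2)


def assess(register: list, appetite: float) -> list:
    """Score each (threat, vulnerability, asset) triple and decide whether it sits inside
    the risk appetite (Acceptance) or must be treated (Transference, Elimination or
    Mitigation). Returns rows ordered highest risk first."""
    rows = []
    for threat, vuln, asset in register:
        score = risk_score(threat, vuln, asset)
        action = "Acceptance" if score <= appetite else "Treat (Transfer/Eliminate/Mitigate)"
        rows.append((score, asset.name, vuln.name, threat.name, action))
    return sorted(rows, reverse=True)


# Constructed sample register: the same weakness on two assets, plus a weakness with no active threat.
unpatched = Vulnerability("unpatched web server", severity=0.8)
no_threat = Threat("none identified", likelihood=0.0)
extortion = Threat("financially motivated extortion group", likelihood=0.6)
REGISTER = [
    (extortion, unpatched, Asset("customer database", value=9)),
    (extortion, unpatched, Asset("internal wiki", value=2)),
    (no_threat, Vulnerability("legacy printer firmware", severity=0.5), Asset("lobby printer", value=1)),
]

if __name__ == "__main__":
    for row in assess(REGISTER, appetite=2.0):
        print(row)
```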

Motivations
Hacktivism
Conducting cyber attacks for a cause

Nation-state Operations
Sponsored by national resources, usually for political reasons

Insiders - (espionage)
Conducted by members of an organization who already have access to systems and data

Adventure (Script Kiddies)
Attackers who just want to prove a point, have fun, or gain popularity

Financial gain
Perpetrators engage in malicious activity with extortion as a primary motivation
