WEBVTT

00:00:01.060 --> 00:00:04.990
Let's take a look at network threats and attacks for the Network

00:00:04.990 --> 00:00:08.820
Security for Certified in Cybersecurity examination.

00:00:11.010 --> 00:00:15.790
We divided this course into three parts: Computer Networking,

00:00:15.790 --> 00:00:19.630
Network Threats and Attacks, and Network Infrastructure.

00:00:20.660 --> 00:00:22.920
When we took a look at computer networking,

00:00:22.920 --> 00:00:26.140
we saw the basics of how networks work,

00:00:26.140 --> 00:00:30.490
but networks provide a tremendous business advantage.

00:00:30.500 --> 00:00:32.159
They allow us to communicate,

00:00:32.159 --> 00:00:36.700
but they are also the source and victim of many

00:00:36.700 --> 00:00:39.200
different types of threats and attacks.

00:00:40.010 --> 00:00:42.260
We need to know what's going on.

00:00:42.750 --> 00:00:44.640
This is a slide we saw before,

00:00:44.640 --> 00:00:48.210
but it's an important one because it allows us to be aware of

00:00:48.210 --> 00:00:51.930
the types of threats we face from some type of threat

00:00:51.930 --> 00:00:55.380
intelligence feeds such as commercial feeds,

00:00:56.050 --> 00:01:00.250
open source intelligence feeds, and various blogs and comments,

00:01:00.250 --> 00:01:04.050
whether or not it's in the social media or mainstream media

00:01:04.379 --> 00:01:08.250
that indicates and highlights some of the types of attacks

00:01:08.250 --> 00:01:10.550
being used by hackers today.

00:01:11.570 --> 00:01:16.220
We need to know what type of activity is going on.

00:01:16.280 --> 00:01:20.520
And a problem for many companies is they don't know what's normal,

00:01:20.520 --> 00:01:24.150
so therefore, if they see something abnormal,

00:01:24.160 --> 00:01:28.060
they don't identify it as being different from usual.

00:01:28.670 --> 00:01:32.520
This means we need to monitor our traffic so we're able to

00:01:32.520 --> 00:01:37.390
see when there's something going on, which is not part of normal activity.

00:01:38.690 --> 00:01:42.150
We also need to know what types of attacks are coming.

00:01:42.480 --> 00:01:45.330
This is where we often develop signatures.

00:01:45.450 --> 00:01:48.810
We put together an attack signature that says,

00:01:48.810 --> 00:01:53.040
these are the types of tools and techniques being used

00:01:53.040 --> 00:01:55.680
so we can especially watch for these.

00:01:56.020 --> 00:02:02.000
We see that many hackers use similar attack methods against multiple customers.

00:02:02.560 --> 00:02:07.370
If one person has experienced some type of an attack,

00:02:07.780 --> 00:02:08.370
then,

00:02:08.370 --> 00:02:12.410
very often we'll see they'll use that same type of attack

00:02:12.420 --> 00:02:15.550
against other organizations and victims as well.

00:02:16.550 --> 00:02:17.330
Very often,

00:02:17.330 --> 00:02:22.680
we see that hackers will focus on one specific type of industry sector,

00:02:22.930 --> 00:02:27.360
say healthcare, or they might focus for a while on education.

00:02:27.680 --> 00:02:27.980
Well,

00:02:27.980 --> 00:02:31.390
if I'm working in one of those areas that is part of the

00:02:31.400 --> 00:02:34.550
mainstream type of attacks going on today,

00:02:34.560 --> 00:02:37.660
I need to be especially watchful and prepared.

00:02:39.210 --> 00:02:42.890
One of the things we need to watch out for is a DDoS;

00:02:42.890 --> 00:02:46.320
that is a distributed denial‑of‑service,

00:02:46.320 --> 00:02:49.680
and when we are subject to that type of attack,

00:02:49.870 --> 00:02:54.980
then we have to be ready for it so that we could either deflect the attack,

00:02:54.980 --> 00:02:59.370
and an example of that was an anti‑spam organization.

00:02:59.950 --> 00:03:02.480
They knew that someday they would be attacked,

00:03:02.480 --> 00:03:03.530
so therefore,

00:03:03.530 --> 00:03:09.010
they set up an infrastructure so when an attack came after them in one location,

00:03:09.140 --> 00:03:12.860
they quickly diverted all of their services to another location.

00:03:13.280 --> 00:03:16.550
So the attack was going against an empty target.

00:03:16.550 --> 00:03:20.650
As soon as the attackers realized that, they moved to another place,

00:03:20.650 --> 00:03:23.570
to where the company had moved,

00:03:23.570 --> 00:03:27.860
but then the anti‑spam organization just quickly moved to another,

00:03:27.860 --> 00:03:31.380
and they played a bit of a game that's sometimes called

00:03:31.380 --> 00:03:35.070
whack‑a‑mole where you try to hit a target here,

00:03:35.070 --> 00:03:36.810
then it moves somewhere else, they hit it there,

00:03:36.810 --> 00:03:38.080
they move somewhere else,

00:03:38.080 --> 00:03:43.240
and that idea of attack deflection allowed them to keep providing service,

00:03:43.240 --> 00:03:47.670
even though they were under a massive attack that was trying to

00:03:47.670 --> 00:03:50.550
deprive their customers of having service.

00:03:51.290 --> 00:03:54.860
A denial‑of‑service is when our services don't work.

00:03:55.170 --> 00:04:00.130
A distributed denial‑of‑service is where that attack is amplified

00:04:00.130 --> 00:04:03.080
to come from many different locations at once.

00:04:04.780 --> 00:04:07.890
The other thing we can do, and we see several companies do this,

00:04:07.890 --> 00:04:11.190
is they attempt to absorb the attack traffic.

00:04:11.380 --> 00:04:14.950
They have big enough pipes, or we could say enough bandwidth,

00:04:14.950 --> 00:04:19.350
so when an attack comes in, they are able to actually take that,

00:04:19.360 --> 00:04:24.330
dump it off to the side, and still allow legitimate traffic to come through.

00:04:24.760 --> 00:04:29.610
This can be done either by the organization itself or by using some of

00:04:29.610 --> 00:04:33.680
the commercial feeds that are out there that will help us to be able to

00:04:33.680 --> 00:04:37.020
filter out any type of attack traffic.

00:04:38.600 --> 00:04:41.650
Our firewalls are important in this regard,

00:04:41.650 --> 00:04:45.700
because a firewall is, just like with a medieval city,

00:04:45.700 --> 00:04:48.730
the gate in the wall to the city,

00:04:48.730 --> 00:04:53.460
and that gate is where we are able to filter what traffic

00:04:53.460 --> 00:04:56.300
comes in and also what traffic goes out.

00:04:56.830 --> 00:05:01.610
If we set up our controls correctly, we can make sure,

00:05:01.610 --> 00:05:05.130
first of all, that an inbound attack is stopped,

00:05:05.130 --> 00:05:09.280
but also that it filters to make sure that we are not the

00:05:09.280 --> 00:05:11.790
source of an attack on someone else.

00:05:11.960 --> 00:05:16.300
In other words, we also filter outbound traffic as well.

00:05:17.360 --> 00:05:21.380
This filtering of outbound or exiting traffic is

00:05:21.380 --> 00:05:23.810
often known as egress monitoring.

00:05:24.230 --> 00:05:27.390
We watch for what's going out to make sure there's

00:05:27.390 --> 00:05:29.760
nothing malicious going out of our network,

00:05:29.760 --> 00:05:32.910
and we also watch to make sure there's nothing sensitive,

00:05:32.910 --> 00:05:37.030
using things like data loss and data leakage prevention systems,

00:05:37.030 --> 00:05:41.410
that will try to ensure that there's no data going out through the

00:05:41.410 --> 00:05:43.450
firewall that really shouldn't have gone out,

00:05:43.450 --> 00:05:46.250
that will say Classified, for example.

00:05:46.250 --> 00:05:52.970
Very often, firewall rules will be set up either as whitelisting or blacklisting.

00:05:53.360 --> 00:05:55.300
Whitelisting quite simply says,

00:05:55.300 --> 00:05:58.580
this is what's allowed; everything else is prohibited.

00:05:59.300 --> 00:06:03.060
Blacklisting says, we will allow everything,

00:06:03.060 --> 00:06:05.750
except these things that are prohibited.

00:06:06.210 --> 00:06:09.130
It's a difference in culture, mentality,

00:06:09.130 --> 00:06:10.580
and of course,

00:06:10.580 --> 00:06:14.950
whether or not we use whitelists or blacklists is very often

00:06:14.950 --> 00:06:20.050
dependent on the level of security we need and what would be

00:06:20.050 --> 00:06:22.200
reasonable for our organization.

00:06:23.410 --> 00:06:27.570
It's important that firewalls are installed in the correct place.

00:06:28.090 --> 00:06:31.070
They need to be where the traffic goes.

00:06:31.320 --> 00:06:35.170
Now, this is often difficult in today's wireless world,

00:06:35.170 --> 00:06:38.880
because not all of our traffic is coming through fiber.

00:06:39.070 --> 00:06:43.470
A lot of our traffic could be coming through wireless,

00:06:43.470 --> 00:06:48.720
from a cell phone that has been connected to the network and

00:06:48.730 --> 00:06:52.790
has access outside of the network perimeter,

00:06:52.790 --> 00:06:55.420
and so our firewalls are important,

00:06:55.420 --> 00:06:59.720
both internally to protect our internal systems from external,

00:06:59.720 --> 00:07:05.520
but also even between different internal network segments so that we can

00:07:05.520 --> 00:07:09.660
ensure that traffic from finance isn't visible to people,

00:07:09.660 --> 00:07:11.890
for example, in HR.

00:07:11.890 --> 00:07:16.900
When we look at firewall operations, the important thing is the rules.

00:07:16.900 --> 00:07:20.210
We'll call that the configuration of the firewall.

00:07:20.390 --> 00:07:26.480
What rules do we put in place and make sure that those rules are reasonable,

00:07:26.480 --> 00:07:28.940
they're backed up by policy,

00:07:28.940 --> 00:07:32.610
because it should never be such that someone just puts a rule

00:07:32.610 --> 00:07:34.480
in because they think it's a good idea.

00:07:35.110 --> 00:07:35.700
No,

00:07:35.780 --> 00:07:39.480
it's management that determines what should or should not be

00:07:39.480 --> 00:07:42.450
allowed with things like acceptable use policies,

00:07:42.450 --> 00:07:43.430
for example.

00:07:44.180 --> 00:07:47.010
But when we need to make a change to the rule,

00:07:47.080 --> 00:07:49.070
this is where we need to be careful,

00:07:49.070 --> 00:07:52.150
because we could put the rules in the wrong order.

00:07:52.150 --> 00:07:55.850
We've already allowed something that we would have later prohibited.

00:07:56.320 --> 00:08:00.460
And it's important here that when we put the rules in that

00:08:00.460 --> 00:08:03.970
they're accurate so we don't end up limiting traffic that

00:08:03.970 --> 00:08:05.240
should have been allowed.

00:08:05.910 --> 00:08:08.330
Many organizations have had this problem.

00:08:08.770 --> 00:08:10.950
They put a rule in the firewall that actually

00:08:10.950 --> 00:08:13.120
blocked legitimate traffic as well.

00:08:13.230 --> 00:08:15.290
So change control is important.

00:08:15.610 --> 00:08:18.440
We should document what all of the rules are,

00:08:18.440 --> 00:08:22.770
of course, because it's important that we know who asked for that rule,

00:08:22.770 --> 00:08:25.870
and if there's a question about it, we can go back and ask them,

00:08:25.870 --> 00:08:27.920
why is that rule there?

00:08:27.920 --> 00:08:33.159
A firewall records lots of different types of activity,

00:08:33.169 --> 00:08:35.950
what did come through, and what was blocked,

00:08:36.250 --> 00:08:41.070
but it's no good to have logs of what happened if nobody ever looks at the logs.

00:08:41.070 --> 00:08:44.610
Again, we need to know what is good normal traffic,

00:08:44.610 --> 00:08:47.520
and what the normal volumes of traffic are.

00:08:47.700 --> 00:08:51.290
So if something strange happens, we would be aware of it.

00:08:52.120 --> 00:08:56.460
Now the problem with encryption is that encryption

00:08:56.470 --> 00:08:59.380
makes the firewall less effective,

00:08:59.380 --> 00:09:05.570
because the encrypted traffic cannot easily be examined by the firewall,

00:09:05.570 --> 00:09:10.130
and even if the firewall was able to see some encrypted traffic,

00:09:10.140 --> 00:09:12.730
we start to see performance hits as well,

00:09:12.730 --> 00:09:16.290
and a lot of our traffic is not making it through the firewall;

00:09:16.290 --> 00:09:18.600
it becomes a point of congestion.

00:09:19.890 --> 00:09:22.660
We often use virtual private networks,

00:09:22.660 --> 00:09:28.320
and virtual private networks are often using encryption to protect their data.

00:09:28.320 --> 00:09:31.880
And this means that when that traffic comes through,

00:09:31.880 --> 00:09:32.380
again,

00:09:32.380 --> 00:09:36.350
the firewall may not be able to really see clearly if there was

00:09:36.350 --> 00:09:40.580
something malicious or unwanted in that encrypted traffic.

00:09:41.920 --> 00:09:44.690
One of the hardest things to do is find good staff,

00:09:45.240 --> 00:09:49.320
because firewall administration is not always a really

00:09:49.330 --> 00:09:53.250
interesting long‑term career job; it can be.

00:09:53.250 --> 00:09:57.600
Certainly, there can be a lot of opportunity to learn and investigate,

00:09:58.000 --> 00:10:01.540
but quite often, people move on to areas of more responsibility,

00:10:01.540 --> 00:10:05.320
and we bring in new staff who now need to be trained;

00:10:05.320 --> 00:10:07.130
they need to know what to look for.

00:10:07.490 --> 00:10:10.530
They need to have the proper training to know how to

00:10:10.530 --> 00:10:14.100
configure and monitor that firewall as well.

00:10:15.930 --> 00:10:22.050
Two of the most common tools used in conjunction with network security are

00:10:22.050 --> 00:10:26.360
intrusion detection systems and intrusion prevention systems.

00:10:26.930 --> 00:10:30.060
They are based on the same type of engine or the same

00:10:30.060 --> 00:10:32.720
type of operational characteristic.

00:10:33.620 --> 00:10:38.000
The difference is that a detection system logs traffic,

00:10:38.010 --> 00:10:41.470
a prevention system can actually block traffic.

00:10:42.830 --> 00:10:47.200
These came out of something we knew originally as misuse detection.

00:10:47.200 --> 00:10:51.950
A person who is authorized misuses the system,

00:10:51.950 --> 00:10:57.350
and the idea is that we needed to be able to determine what

00:10:57.350 --> 00:11:02.420
was legitimate traffic and what was bad traffic from a

00:11:02.420 --> 00:11:05.940
legitimate or authorized user, as well as,

00:11:05.940 --> 00:11:11.370
of course, blocking traffic from an intruder that had no right to be there at all.

00:11:12.450 --> 00:11:16.920
We very often use IDS and IPS systems as part of our

00:11:16.920 --> 00:11:20.090
layered defense or defense‑in‑depth model.

00:11:20.440 --> 00:11:24.640
In this way, we can, for example, have the internet,

00:11:24.650 --> 00:11:28.980
there off to the left, and put an IDS in front of our firewall.

00:11:29.260 --> 00:11:32.920
It's recording what type of traffic is coming to the firewall.

00:11:33.130 --> 00:11:35.680
The firewall does its job to block,

00:11:35.680 --> 00:11:38.700
but allow traffic that should be allowed through,

00:11:38.700 --> 00:11:43.140
but then maybe we put another IDS in behind the firewall,

00:11:43.350 --> 00:11:47.320
maybe in towards the internal network or up towards our

00:11:47.320 --> 00:11:50.010
demilitarized zone where we have our web server.

00:11:50.490 --> 00:11:54.790
So here, we can see what traffic did make it through the firewall.

00:11:55.100 --> 00:11:59.670
Maybe that's a very enlightening log that can show us there are

00:11:59.670 --> 00:12:01.720
things getting through the firewall that shouldn't,

00:12:01.730 --> 00:12:02.810
for example.

00:12:02.810 --> 00:12:06.950
Then we can, in front of our servers and internal networks,

00:12:06.950 --> 00:12:12.370
put in an intrusion prevention system that if it sees something it doesn't like,

00:12:12.380 --> 00:12:13.760
it will actually block it.

00:12:14.490 --> 00:12:17.540
It's the difference between a person who sits at the side of

00:12:17.540 --> 00:12:19.840
the road and watches the traffic go by.

00:12:20.750 --> 00:12:23.520
That person sees pretty much everything,

00:12:23.520 --> 00:12:28.660
and they can be very accurate at recording how many cars or trucks went by.

00:12:29.070 --> 00:12:32.400
But there's not much that that type of person who's only

00:12:32.400 --> 00:12:36.470
monitoring will be able to do about maybe bad traffic.

00:12:37.270 --> 00:12:40.600
Instead, we now have an IPS.

00:12:40.600 --> 00:12:44.150
The person sitting beside the road was an IDS,

00:12:44.150 --> 00:12:45.610
intrusion detection,

00:12:46.220 --> 00:12:51.600
but intrusion prevention means that person can actually step in and block traffic.

00:12:52.340 --> 00:12:54.550
Now, the problem with this, of course,

00:12:54.550 --> 00:12:57.640
is you don't want it to block legitimate traffic,

00:12:57.640 --> 00:13:02.270
and it can take a lot of work to tune an intrusion prevention

00:13:02.270 --> 00:13:06.200
system so that it won't start blocking legitimate traffic or

00:13:06.200 --> 00:13:08.040
letting bad traffic go through.

00:13:09.090 --> 00:13:11.870
We can also, as we see on our server here,

00:13:11.870 --> 00:13:16.500
have host‑based intrusion detection and prevention systems.

00:13:16.950 --> 00:13:21.630
These will try to pick up any changes on that server,

00:13:21.630 --> 00:13:25.090
and you're all very familiar with that these days.

00:13:25.090 --> 00:13:27.770
You can be doing something and all of a sudden you get,

00:13:27.770 --> 00:13:31.230
bloop, a little window comes up and that window says,

00:13:31.230 --> 00:13:34.610
this program is trying to make a change to your system.

00:13:35.010 --> 00:13:36.470
Should we allow it?

00:13:36.470 --> 00:13:41.060
And you'll need to enter an administrator password to permit that.

00:13:41.270 --> 00:13:44.440
That's a host‑based intrusion prevention system,

00:13:44.440 --> 00:13:47.780
which is preventing a program from making a change

00:13:47.790 --> 00:13:50.980
until it has your approval for that.

00:13:52.540 --> 00:13:55.730
How do IDSs and IPSs operate?

00:13:56.220 --> 00:13:59.720
They often look for things such as known attack signatures,

00:13:59.720 --> 00:14:04.490
a signature that we know, oh, this is how an attack is configured,

00:14:04.490 --> 00:14:07.390
or they look for a pattern of activity.

00:14:07.440 --> 00:14:10.570
If you see this, then this, then this, that's bad.

00:14:10.890 --> 00:14:14.970
So those are two of the types of analysis engines we use,

00:14:14.970 --> 00:14:17.730
pattern matching and signature based.

00:14:18.530 --> 00:14:20.930
The other is anomaly detection.

00:14:22.040 --> 00:14:25.500
What is something which is an anomaly, different from normal?

00:14:25.500 --> 00:14:29.610
We know that we have a normal amount of traffic that goes down the road,

00:14:29.610 --> 00:14:32.380
but all of a sudden there's a huge amount at once.

00:14:32.860 --> 00:14:36.020
That's an anomaly that could be an indication maybe

00:14:36.020 --> 00:14:38.430
of a denial‑of‑service attack.

00:14:38.940 --> 00:14:43.430
And this looks at things such as improper protocols.

00:14:43.790 --> 00:14:46.830
An old example of this was ICMP.

00:14:47.400 --> 00:14:50.760
ICMP, Internet Control Management Protocol,

00:14:50.760 --> 00:14:56.530
is a really good tool we can use to ensure we have

00:14:56.530 --> 00:14:58.940
connectivity between different devices.

00:14:59.390 --> 00:15:02.180
The problem with it is that someone said we can

00:15:02.180 --> 00:15:06.210
misconfigure that little ping packet, the ICMP packet,

00:15:06.210 --> 00:15:12.370
now to be an enormous size, and that was what we called the ping of death.

00:15:12.570 --> 00:15:16.500
It tried to say that it was a normal ICMP packet,

00:15:16.500 --> 00:15:20.360
but of course, it wasn't and could cause network disruptions.

00:15:20.360 --> 00:15:23.480
That's what a protocol anomaly would be.

00:15:24.230 --> 00:15:28.780
We could also have traffic anomalies, that is, different types of traffic;

00:15:28.780 --> 00:15:32.950
maybe we have traffic going to some other type of,

00:15:32.950 --> 00:15:36.180
should we say, server or application we've never seen before,

00:15:36.180 --> 00:15:40.510
and we say, that doesn't look right, or we could have statistical anomalies,

00:15:40.610 --> 00:15:44.700
a flood of traffic that just wouldn't be what would

00:15:44.700 --> 00:15:46.700
be the normal flow of traffic.

00:15:47.280 --> 00:15:50.540
The other is heuristic, where we're looking and saying,

00:15:50.540 --> 00:15:54.730
this is normal behavior, but has that changed?

00:15:54.730 --> 00:15:55.250
Now,

00:15:55.250 --> 00:15:59.390
one of the problems with this is that these types of systems are

00:15:59.390 --> 00:16:02.550
very good at picking up new types of attacks,

00:16:03.040 --> 00:16:05.350
but sometimes they'll overreact.

00:16:05.350 --> 00:16:09.310
They'll react to an attack that wasn't really a problem.

00:16:09.310 --> 00:16:12.450
And this is where we need things like heuristics

00:16:12.640 --> 00:16:15.910
that will maybe look at something, they'll put it into a sandbox,

00:16:15.910 --> 00:16:18.410
we can examine it for a little while,

00:16:18.410 --> 00:16:21.710
and then if it looks like it's properly behaving,

00:16:21.720 --> 00:16:22.860
allow it through.
