Protecting information assets - Temple MIS

PROTECTING INFORMATION ASSETS
NETWORK SECURITY
PAUL SMITH
• 20 years of IT experience (desktop, servers, networks, firewalls ….)
• 17 years of engineering in enterprise scaled networks
• 10+ years in Network Security
• 10+ years as a CISSP
• Graduate of Fox School of Business, MBA
• Assistant Director of Network Security for Temple University
• Adjunct Professor for ITACS:
• Network Security
• IT Governance
SIMPLE DEFINITIONS OF NETWORK SECURITY
The purpose of network security is to protect the network and its component parts from unauthorized access and misuse.
The policies, practices and technology employed to prevent unauthorized access, misuse, modification, or denial of a computer network and network resources.
What is Security Posture? It is your overall security plan – the approach your business takes to security, from planning to implementation. It is comprised of technical and non-technical policies, procedures and controls that protect you from both internal and external threats.
NETWORK SECURITY (COURSE MAP)
The mind map is built up one branch per slide; the completed map has Network Security at the center with two main nodes, Security Posture and How Networks Work, and the topic branches listed below.

Governance (Placing Limits)
• Organizational Culture
• Policy and Strategy
• Ethical Issues
• Balance = Trade-offs
• What are you governing?
• Asset Classification (FIPS 199)

Compliance and Alignment with Laws
• HIPAA (Healthcare)
• PCI-DSS (Retail)
• GLBA (Financial Sector)
• FISMA (Government)
• SOX (Corporate)

Management Frameworks
• Best Practices
• Guidelines
• Gap Analysis
• NIST 800-53
• FIPS 199
• ISO 27001 / 27002
• COBIT/DSS05.x/APO13
• CSET Assessment

Risks
• Risk acceptance
• Risk avoidance
• Risk transfer
• Risk mitigation
• Risk assessments
• Likelihood
• Impact
• SP800-30
• ISO 27005

Concepts
• CIA Triad
• Security Architecture
• Segmentation/Zones
• Perimeter Defense
• Defense-in-Depth
• Least Privilege
• Threat Landscape
• Due Care
• Due Diligence
• Redundancy / HA

Threats and Attacks
• Threat Landscape
• Reconnaissance
• Vulnerabilities (CVEs)
• DDoS / DOS
• Sniffers
• Social Engineering
• Data Harvesting
• Cyber Kill Chain

OSI Model
• Well-known ports
• Encapsulation
• Connection vs connectionless
• Three-way handshake
• Packet Analysis
• What is an anomaly

Internet Protocols
• DHCP, DNS, FTP, HTTP, NTP
• SSH, MAC, TCP, UDP, ICMP
• ARP, TLS/SSL, SNMP, IPSec, IPv4 / v6

Network Types
• Public IP Addressing
• Private IP Addressing
• Network Address Translation
• Cloud Computing

Components
• Hubs vs Switches
• Routers
• Wireless
• Intrusion Prevention and Detection
• Virtual Local-Area-Networks (VLANs)

Security Technology
• Firewalls: types, placement, rulesets, NAT
• Cryptography: algorithms, secret/public keys, CA
• Intrusion Prevention and Detection

Security Operations
• Security Operations Centers (SOC)
• Continuous Monitoring
• Security Incident Event Mgmt (SIEM)
• Subject Matter Experts (SMEs)
• Process / Operational controls
• Logical Controls
• Technical Controls

Created by Paul M. Smith, MBA, CISSP
MOVING DATA
Data Packets
Addressing
Delivery Method
BASIC NETWORKING - MAC ADDRESSES
A Media Access Control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment.
The Address Resolution Protocol (ARP) is a telecommunication protocol used for discovering the MAC addresses of known Internet Protocol (IP) addresses.
[Diagram: one LAN with four hosts, MAC addresses 00-07-95-b2-56-85, 00-07-a2-b2-56-56, 00-07-95-a2-65-10 and 00-07-95-b2-56-68]
ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network.
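The slide describes what ARP does and what ARP spoofing looks like on the wire, but not how a defender notices it. The added example below (not part of the lecture deck) parses raw Ethernet/ARP frames and keeps an IP-to-MAC table, raising an alert when an IP address that was already bound to one MAC shows up with another, which is exactly the symptom of the attack described. The frames are constructed in code, not captured: the router address 10.100.1.1 / 01-01-c2-a2-56-65 and host 10.100.1.10 / 00-07-95-b2-56-85 are taken from the routers slide, while the conflicting MAC 02-00-00-00-00-99 is an invented locally administered address.

```python
"""Passive ARP monitor: parse Ethernet/ARP frames and flag when an IP address
changes its MAC binding (the symptom of ARP spoofing).
Added example; the frames below are constructed, not captured traffic."""
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.replace(':', '-').split('-'))


def mac_str(raw: bytes) -> str:
    return '-'.join(f'{b:02x}' for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split('.'))


def ip_str(raw: bytes) -> str:
    return '.'.join(str(b) for b in raw)


def build_arp_frame(oper: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header (14 bytes) + ARP payload for IPv4 over Ethernet (28 bytes)."""
    dst = mac_bytes('ff-ff-ff-ff-ff-ff') if oper == ARP_REQUEST else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack('!H', ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, operation
    arp = struct.pack('!HHBBH', 1, 0x0800, 6, 4, oper)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str, str, str]]:
    """Return (oper, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack('!H', frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    arp = frame[14:42]
    _htype, ptype, hlen, plen, oper = struct.unpack('!HHBBH', arp[:8])
    if ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return (oper, mac_str(arp[8:14]), ip_str(arp[14:18]),
            mac_str(arp[18:24]), ip_str(arp[24:28]))


class ArpMonitor:
    """Learns IP -> MAC from the sender fields of requests and replies and reports changes."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        oper, sender_mac, sender_ip, _tha, _tpa = parsed
        if oper not in (ARP_REQUEST, ARP_REPLY):
            return
        known = self.bindings.get(sender_ip)
        if known is None:
            self.bindings[sender_ip] = sender_mac
        elif known != sender_mac:
            # Keep the first-seen binding; a production tool would let an admin pin known hosts.
            self.alerts.append(f'{sender_ip} moved from {known} to {sender_mac}')


def demo() -> List[str]:
    """Constructed scenario: the gateway answers an ARP request, then a second
    reply claims the gateway's IP for a different (invented) MAC."""
    mon = ArpMonitor()
    mon.observe(build_arp_frame(ARP_REPLY, '01-01-c2-a2-56-65', '10.100.1.1',
                                '00-07-95-b2-56-85', '10.100.1.10'))
    mon.observe(build_arp_frame(ARP_REPLY, '02-00-00-00-00-99', '10.100.1.1',
                                '00-07-95-b2-56-85', '10.100.1.10'))
    return mon.alerts


if __name__ == '__main__':
    for alert in demo():
        print('ALERT:', alert)
```

The monitor learns from requests as well as replies because both carry sender fields, and a host that wants to poison a cache can use either. A legitimate change (a replaced network card, a failover gateway) produces the same alert, so in practice the table is seeded with known bindings and alerts are reviewed rather than acted on automatically.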
BASIC NETWORKING – PORTS MACHINES LISTEN TO FOR DATA TRAFFIC
[Diagram: the same LAN of four hosts; one host is listening on port 80, another on port 1433]
• Port 80: Web
• Port 443: Secure web
• Port 1433: SQL Database
• Port 1521: Oracle Database
Scan networks for these ports to identify which servers are offering which services.
BASIC NETWORKING – ROUTERS
A router is a networking device that forwards data packets between computer networks. Routers perform the traffic directing functions on the Internet.
A data packet is typically forwarded from one router to another through the networks that constitute the internetwork until it reaches its destination node.
[Diagram: LAN 1 with hosts 10.100.1.10 (00-07-95-b2-56-85), 10.100.1.11 (00-07-a2-b2-56-56), 10.100.1.20 (00-07-95-a2-65-10) and 10.100.1.50 (00-07-95-b2-56-68); LAN 2 with hosts 192.168.0.10, 192.168.0.12, 192.168.0.20 and 192.168.0.100; the two LANs are joined by a router with MAC 01-01-c2-a2-56-65 and interface addresses 10.100.1.1 and 192.168.0.1; a SQL Server is listening on port 1433]
MODELS AND PROTOCOLS
OSI MODEL
• Developed by ISO – the International Organization for Standardization
• Layered: each layer sends to the layer directly above or below it.
BENEFITS OF OSI MODEL
• Common Language
• Acceptable Behavior
• Protocols: a set of rules that dictates how computers communicate over networks
• TCP/IP is a suite of protocols - the de facto standard of the internet
DATA FLOW – OSI MODEL
• Data encapsulation occurs as data travels down the stack.
• Data de-capsulation = stripping off layers as the data travels up the stack.
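The two bullets above state the principle; the added example below (not from the lecture deck) makes it concrete by wrapping a few bytes of application data in a UDP header, then an IPv4 header, then an Ethernet II header on the way down, and stripping them off again on the way up. The choice of Ethernet/IPv4/UDP is mine; the slide does not name the layers. The de-capsulation side checks each header's own claims (EtherType, IPv4 header checksum, IPv4 total length against UDP length) before trusting them, which is the part of packet analysis that matters when the frame did not come from a well-behaved stack. The source and destination addresses are the slide diagram's host 10.100.1.10 / 00-07-95-b2-56-85 and router 10.100.1.1 / 01-01-c2-a2-56-65; the UDP ports and payload are constructed.

```python
"""Encapsulation down the stack (application -> UDP -> IPv4 -> Ethernet) and
de-capsulation back up. Added example; addresses and payload are constructed."""
import struct
from typing import Dict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack(f'!{len(data) // 2}H', data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace('-', '').replace(':', ''))


def mac_str(raw: bytes) -> str:
    return '-'.join(f'{b:02x}' for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split('.'))


def ip_str(raw: bytes) -> str:
    return '.'.join(str(b) for b in raw)


def encapsulate(payload: bytes, src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                src_mac: str, dst_mac: str) -> bytes:
    """Add one header per layer on the way down the stack."""
    # Layer 4: UDP header; checksum 0 means "not computed", which IPv4 permits.
    udp = struct.pack('!HHHH', src_port, dst_port, 8 + len(payload), 0) + payload
    # Layer 3: 20-byte IPv4 header (version 4, IHL 5, TTL 64, DF set), checksum over itself.
    total_len = 20 + len(udp)
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, total_len, 0, 0x4000, 64,
                      IPPROTO_UDP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack('!H', checksum(hdr)) + hdr[12:]
    # Layer 2: Ethernet II header, EtherType 0x0800 = IPv4.
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack('!H', ETHERTYPE_IPV4)
    return eth + hdr + udp


def decapsulate(frame: bytes) -> Dict[str, object]:
    """Strip one header per layer on the way up, checking each layer's claims first."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError('frame too short for Ethernet + IPv4 + UDP')
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack('!H', frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError('EtherType is not IPv4')
    ip_pkt = frame[14:]                        # Layer 2 stripped
    ihl = (ip_pkt[0] & 0x0F) * 4
    if checksum(ip_pkt[:ihl]) != 0:            # a valid header sums to zero
        raise ValueError('bad IPv4 header checksum')
    total_len = struct.unpack('!H', ip_pkt[2:4])[0]
    if ip_pkt[9] != IPPROTO_UDP:
        raise ValueError('IPv4 protocol is not UDP')
    udp = ip_pkt[ihl:total_len]                # Layer 3 stripped; Ethernet padding ignored
    src_port, dst_port, udp_len = struct.unpack('!HHH', udp[:6])
    if udp_len != len(udp):
        raise ValueError('UDP length disagrees with IPv4 total length')
    return {
        'src_mac': mac_str(src_mac), 'dst_mac': mac_str(dst_mac),
        'src_ip': ip_str(ip_pkt[12:16]), 'dst_ip': ip_str(ip_pkt[16:20]),
        'src_port': src_port, 'dst_port': dst_port,
        'payload': udp[8:],                    # Layer 4 stripped: application data
    }


def is_well_formed(frame: bytes) -> bool:
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    # Constructed: host 10.100.1.10 sends 5 bytes to the router on UDP port 53.
    f = encapsulate(b'hello', '10.100.1.10', '10.100.1.1', 40000, 53,
                    '00-07-95-b2-56-85', '01-01-c2-a2-56-65')
    print(len(f), 'bytes on the wire:', decapsulate(f))
```

Two details are worth noticing. The receiver slices the UDP segment using the IPv4 total length rather than the wire length, so trailing Ethernet padding does not end up inside the payload; and a frame whose IPv4 header checksum or length fields disagree is rejected rather than guessed at, which is how a capture parser avoids being misled by malformed packets.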
PACKETS
TWO MODELS
SWITCHED ENVIRONMENTS
NON-SWITCHED ENVIRONMENTS
[Diagram: ten hosts (10.100.1.10, .11, .12, .13, .20, .101, .111, .120, .130 and .200) connected to a single hub, forming one broadcast domain]
Broadcast Domain
All packets received by the hub are transmitted out all ports.
SWITCH ENVIRONMENTS
[Diagram: the same ten hosts connected to a single switch, still one broadcast domain]
Broadcast Domain
Packets received by the switch are transmitted out ports based on destination MAC addresses.
[Diagram: Broadcast Domain 1 (a switch with hosts 10.100.1.10, .11, .12, .13 and .20) and Broadcast Domain 2 (a switch with hosts 10.100.200.101, .111, .120, .130 and .200) connected through a router; the broadcast MAC in each domain is FF:FF:FF:FF:FF:FF]
A broadcast domain is a logical division of a computer network, in which all nodes can reach each other by broadcast at the data link layer. - Wikipedia
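The three slides above contrast a hub, which repeats every frame out every port, with a switch, which learns where each MAC address lives and forwards unicast frames to that port alone. The added example below (not part of the lecture deck) models both devices and runs the same short conversation through each, returning how many ports see every frame. The MAC addresses are two of the slide diagram's hosts; the port numbers and the conversation itself are constructed. The point for a defender is visible in the result: on a hub a sniffer on any port sees every frame, while on a switch it sees only broadcasts and frames to destinations the switch has not yet learned.

```python
"""Hub versus learning switch: which ports receive each frame.
Added example; hosts, ports and the conversation are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union

BROADCAST = 'ff:ff:ff:ff:ff:ff'


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str


class Hub:
    """A repeater: every frame is copied to every port except the one it arrived on."""

    def __init__(self, ports: int) -> None:
        self.ports = ports

    def forward(self, frame: Frame, in_port: int) -> Set[int]:
        return {p for p in range(self.ports) if p != in_port}


class LearningSwitch:
    """Learns source MAC -> port; unicasts known destinations, floods the rest."""

    def __init__(self, ports: int) -> None:
        self.ports = ports
        self.table: Dict[str, int] = {}   # the switch's MAC address table

    def forward(self, frame: Frame, in_port: int) -> Set[int]:
        # Learning: the source address tells the switch which port that host is on.
        self.table[frame.src_mac] = in_port
        if frame.dst_mac == BROADCAST or frame.dst_mac not in self.table:
            # Broadcast or not-yet-learned destination: behave like a hub for this frame.
            return {p for p in range(self.ports) if p != in_port}
        out = self.table[frame.dst_mac]
        # Destination on the arrival port: nothing to forward (already local).
        return set() if out == in_port else {out}


def ports_receiving(device: Union[Hub, LearningSwitch],
                    conversation: List[Tuple[Frame, int]]) -> List[int]:
    """For each (frame, arrival port) in order, how many ports receive a copy."""
    return [len(device.forward(frame, in_port)) for frame, in_port in conversation]


# Constructed conversation between two hosts from the slide diagram on a 4-port device.
A = '00:07:95:b2:56:85'   # on port 0
B = '00:07:95:a2:65:10'   # on port 2
CONVERSATION: List[Tuple[Frame, int]] = [
    (Frame(A, B), 0),           # A -> B: switch has not seen B yet, so it floods
    (Frame(B, A), 2),           # B -> A: switch already knows A is on port 0
    (Frame(A, B), 0),           # A -> B: both learned, unicast to port 2 only
    (Frame(A, BROADCAST), 0),   # ARP-style broadcast: flooded by both devices
]

if __name__ == '__main__':
    print('hub   :', ports_receiving(Hub(4), CONVERSATION))
    print('switch:', ports_receiving(LearningSwitch(4), CONVERSATION))
```

Note that the switch only narrows delivery once it has learned a destination; the first frame of a conversation and every broadcast still reach all ports, which is why the broadcast domain on the next slide is defined in terms of who receives a frame addressed to FF:FF:FF:FF:FF:FF, and why the router, which does not forward layer-2 broadcasts, is what ends that domain.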
IP ADDRESSING
IP ADDRESSING IS THE LAYER ABOVE MAC ADDRESSING
IP ADDRESSING
• What is it?
• Postal System for packets
• Street, City and ZIP code
• Network ID vs. Host ID
IP ADDRESSING
• Private vs public addressing
• The Internet Engineering Task Force’s RFC 1918 sets aside three blocks of IP addresses for private/internal (local area network) use
• These address ranges are not routed on the Internet
• Such addresses require “Network Address Translation” (NAT) to access the Internet
BROADCAST DOMAIN
[Diagram: Broadcast Domain 1 (hosts 10.100.1.10 to 10.100.1.20, broadcast IP 10.100.1.255) and Broadcast Domain 2 (hosts 10.100.200.101 to 10.100.200.200, broadcast IP 10.100.200.255) connected through a router]
Packet DST = 10.100.1.255
Packet SRC = 10.100.200.130 (Spoofed)
00-07-95-b2-56-8510.100.1.10
00-07-95-b2-56-8510.100.1.10
00-07-95-a2-65-1010.100.1.20
00-07-95-a2-65-1010.100.1.20
Switch
00-07-95-b2-56-8510.100.1.12
00-07-95-b2-56-8510.100.1.12
00-07-95-b2-56-8510.100.1.13
00-07-95-b2-56-8510.100.1.13
00-07-95-b2-56-8810.100.200.120
00-07-95-b2-56-8810.100.200.120
00-07-a2-b2-56-5710.100.200.111
00-07-a2-b2-56-5710.100.200.111
00-07-95-b2-56-9010.100.200.130
00-07-95-b2-56-9010.100.200.130
00-07-95-b2-56-9510.100.200.101
00-07-95-b2-56-9510.100.200.10100-07-a2-b2-56-56
10.100.1.11
00-07-a2-b2-56-5610.100.1.11
Switch
00-07-95-a2-65-1110.100.200.200
00-07-95-a2-65-1110.100.200.200
Router
Broadcast Domain 1 Broadcast Domain 2
Broadcast IP: 10.100.1.255
The router will change the DST mac address
to FF:FF:FF:FF:FF:FF
Packet DST = 10.100.1.255
[Diagram: the same two broadcast domains and router as above (Broadcast IP: 10.100.200.255 / Broadcast IP: 10.100.1.255)]
Each receiving machine will send a reply to Packet DST=10.100.200.130
[Diagram: the same two broadcast domains and router as above (Broadcast IP: 10.100.200.255 / Broadcast IP: 10.100.1.255)]
Each receiving machine will send a reply to Packet SRC=10.100.200.130
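The spoofed-broadcast sequence on the preceding slides, worked through from the router's side as an added example (not the slide author's code). It assumes /24 networks behind the two broadcast addresses, hypothetical interface names eth0/eth1, and the host list drawn in the 10.100.1.x domain; the two checks it applies are what stop the one-packet-in, many-replies-out amplification at the router.

```python
import ipaddress

# Networks from the broadcast-domain slides. The /24 prefix is assumed from the
# broadcast addresses 10.100.200.255 and 10.100.1.255 shown on the diagram.
DOMAIN_1 = ipaddress.ip_network("10.100.200.0/24")
DOMAIN_2 = ipaddress.ip_network("10.100.1.0/24")
# Hosts drawn in the 10.100.1.x domain on the slide.
DOMAIN_2_HOSTS = ["10.100.1.10", "10.100.1.12", "10.100.1.13", "10.100.1.20"]

# Hypothetical router interface names mapped to the network behind each one.
INGRESS = {"eth0": DOMAIN_1, "eth1": DOMAIN_2}


def drop_reasons(ingress_if, src, dst):
    """Return why a router should drop this packet instead of routing it.

    Two checks a forwarding device can apply before the packet reaches the
    far-side switch (where the slide shows the DST MAC becoming FF:FF:FF:FF:FF:FF):
      - ingress (anti-spoofing) filtering: the source address must belong to
        the network the packet arrived from;
      - no directed broadcasts: a destination equal to the broadcast address
        of a network other than the ingress one is never forwarded.
    An empty list means the packet passes both checks.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    arrived_from = INGRESS[ingress_if]
    reasons = []
    if src_ip not in arrived_from:
        reasons.append("spoofed-source")
    for net in INGRESS.values():
        if net != arrived_from and dst_ip == net.broadcast_address:
            reasons.append("directed-broadcast")
    return reasons


def replies_to_victim(net, hosts, victim):
    """Model the slide's last step: once the broadcast reaches a domain, every
    host in it answers the (spoofed) source, so one packet becomes len(hosts)
    replies aimed at the victim. Returns the (reply_src, reply_dst) pairs."""
    return [(h, victim) for h in hosts if ipaddress.ip_address(h) in net]


if __name__ == "__main__":
    # The packet from the slide: DST 10.100.1.255, SRC 10.100.200.130 (spoofed),
    # entering the router from the 10.100.200.x side.
    print(drop_reasons("eth0", "10.100.200.130", "10.100.1.255"))
    # If it were forwarded, each 10.100.1.x host would answer 10.100.200.130.
    print(replies_to_victim(DOMAIN_2, DOMAIN_2_HOSTS, "10.100.200.130"))
```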
NETWORK ARCHITECTURES
• Access costs, speed, flexibility and reliability
• Critical infrastructure
• Risk of downtime (loss of availability)?
• Impact of downtime?
• Business Continuity Planning
• Role of highly available and redundant networks
[Diagram: the same two switched domains as above, now attached to a Router Cluster (Router 1 and Router 2) through dual-connected switches]
DOMAIN NAME SYSTEM (DNS)
• Hostname-to-IP addressing translation: www.cnn.com to 151.101.32.73
DOMAIN NAME SERVER (DNS)
• Hierarchical structure
• Root Servers
• Top-level domains
• Split-DNS
• Internal vs External facing
• Vulnerability to attack
FIREWALLS
FIREWALL ROLES AND PLACEMENT
• Placed at network borders
• Network Address Translation (NAT)
• Packet filtering
• IP-Address
• Port
• Application based
• Stateful inspection
• Reassembling packets first
• IPS Inspections
• All of these add processing “overhead” on the firewall
ENCRYPTION
ENCRYPTION
• Protecting data “in-transit”
• Becoming the standard for data transmission and storage in large companies
• Encryption – IPSEC and TLS
ENCRYPTION BASICS
AVOID USING CLEAR TEXT SERVICES
ATTACKS
ATTACK METHODOLOGY
Reconnaissance → Scanning → Gaining Access (Exploit) → Elevating Access → Exfiltration/Modify → Clearing Tracks
ATTACK METHODOLOGY/COUNTER MEASURES
Reconnaissance → Scanning → Gaining Access (Exploit) → Elevating Access → Exfiltration/Modify → Clearing Tracks
Counter measures shown on the slide (grouped as on the slide):
• System patching, password policy, least-privilege
• Move logs off to SIEMs
• Port / network level filter (firewall or ACL)
• System patching, password policy, least-privilege
• Monitor IP flows, encryption, file logging
• Vulnerability patching
DENIAL OF SERVICE ATTACKS (DOS)
• Rather than gaining access, deny access to others!
• Two types: DoS and Distributed DoS (DDoS)
• By preventing networks and servers from handling legitimate traffic, attackers deny service.
• Overwhelm firewalls or servers with invalid traffic patterns that consume bandwidth, memory or CPU resources.
• Distributed means leveraging others in the attack.
HOW DOS WORKS
SYN attack: the attacker ignores the returned SYN/ACK, so each SYN ties up a (half-open) TCP connection on the server. The goal is to exhaust the TCP connection table.
Reflective DoS: spoof the sending IP address so the returning SYN/ACK traffic attacks another IP.
Distributed DoS: have multiple zombie machines in a botnet attack a single IP.
UDP attacks: flood the pipes or links with traffic that needs no three-way handshake, forcing routers and firewalls to process useless traffic.
HOW TO COUNTER DOS
• Anomaly detection
• Usual traffic patterns
• Network traffic which breaks rules
• Install an Anomaly detection appliance
• Turn on features on firewalls
• Not the same as signature-based intrusion detection/prevention (IDS/IPS)
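An added example (not from the slides) of the anomaly rule the two DoS slides above describe: it replays a constructed trace of TCP handshake events, keeps the half-open connections a SYN flood leaves on each server when the attacker never sends the final ACK, and flags servers whose half-open count exceeds a baseline supplied by the caller. The trace, the 192.0.2.x spoofed sources and the baseline value are all constructed.

```python
from collections import defaultdict

# Constructed trace of TCP handshake events, not a capture from the slides.
# Format per line: "<flags> <client> <server> <port>". Client and server are
# fixed roles, so a SYN-ACK line still lists the client first.
# 192.0.2.x (documentation range) stands in for spoofed sources that never ACK.
TRACE = """\
SYN      10.100.200.101 10.100.1.10 443
SYN-ACK  10.100.200.101 10.100.1.10 443
ACK      10.100.200.101 10.100.1.10 443
SYN      192.0.2.10     10.100.1.10 443
SYN-ACK  192.0.2.10     10.100.1.10 443
SYN      192.0.2.11     10.100.1.10 443
SYN-ACK  192.0.2.11     10.100.1.10 443
SYN      192.0.2.12     10.100.1.10 443
SYN-ACK  192.0.2.12     10.100.1.10 443
SYN      10.100.200.120 10.100.1.20 22
SYN-ACK  10.100.200.120 10.100.1.20 22
ACK      10.100.200.120 10.100.1.20 22
"""


def half_open_per_server(trace):
    """Count, per server, the connections that received a SYN but never the
    client's final ACK. These are the connection-table entries a SYN flood
    is designed to pile up."""
    pending = defaultdict(set)            # server -> {(client, port), ...}
    for line in trace.splitlines():
        if not line.strip():
            continue
        flags, client, server, port = line.split()
        key = (client, int(port))
        if flags == "SYN":
            pending[server].add(key)      # handshake opened
        elif flags == "ACK":
            pending[server].discard(key)  # handshake completed, entry freed
        # SYN-ACK is the server's own reply and does not change the state
    return {server: len(keys) for server, keys in pending.items()}


def syn_flood_suspects(trace, baseline):
    """Anomaly rule: servers whose half-open count is above the baseline
    observed in normal traffic (a constructed value passed by the caller)."""
    counts = half_open_per_server(trace)
    return sorted(server for server, n in counts.items() if n > baseline)


if __name__ == "__main__":
    print(half_open_per_server(TRACE))
    print(syn_flood_suspects(TRACE, baseline=2))
```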
INTRUSION DETECTION VS PREVENTION
• Monitor Mode
• Signature Based
SIGNATURE VS BEHAVIOR
Signature-based
• Knowledge based
• Database of signatures
• Needs constant updates
• Zero-day attacks missed
Behavior-based
• Statistical or anomaly based
• Many false positives
• Compares activity to “normal” (Baselines)
SUMMARY OF BEST PRACTICE STEPS
• Segment hosts and broadcast domains (VLANs, switches, routers)
• Know where your data is and classify it (data classification standards, policy)
• Control which hosts can talk to each other (router access control lists or firewall rules)
• Reduce exposure to untrusted networks (firewalls)
• Good host hygiene (patch management, vulnerability management)
• Know your own network (discovery scans to look for new hosts … usually not patched!)
• Protect data (encryption at rest and encryption in-transit)