Module 3: Network Security
The cybersecurity cube:
Security principles
The first dimension of the cybersecurity cube identifies the goals to protect cyberspace. The foundational principles of confidentiality, integrity, and availability of data provide a focus which enables the cybersecurity expert to prioritize actions when protecting any networked system.
- Data confidentiality prevents the disclosure of information to unauthorized people, resources, or processes.
- Data integrity refers to the accuracy, consistency, and trustworthiness of data.
- Data availability ensures that information is accessible by authorized users when needed.
Data states
The cyberspace domain contains a considerable amount of critically important data. But in what state? Effective cybersecurity requires safeguarding data in all 3 states: we cannot focus only on data that is being processed, nor only on data in storage. The second dimension of the cybersecurity cube represents the 3 possible data states:
- Data in transit
- Data at rest or in storage
- Data in process
Safeguards
The third dimension of the cybersecurity cube defines the pillars on which we need to base our cybersecurity defenses in order to protect data and infrastructure in the digital realm. These are technology, policy and practices, and improving education, training and awareness in people. Cybersecurity professionals must use a range of different skills and disciplines available to them when protecting data and infrastructure in cyberspace.
---
Network security consists of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Most organizations follow the CIA information security triad. Since it forms the foundation of cybersecurity practice, it is important to have a detailed understanding of the 3 principles:
- Confidentiality: Only authorized individuals, entities, or processes can access sensitive information. It typically requires encryption, for example with a symmetric cipher such as AES, so that data is readable only by holders of the key.
- Integrity: Refers to protecting data from unauthorized alteration. It relies on cryptographic hash functions such as SHA-256 to detect changes. Note that an unkeyed hash only detects accidental or unsophisticated modification: an attacker who can rewrite the data can usually rewrite the stored hash as well, so keyed constructions (HMAC) or digital signatures are used where deliberate tampering is the threat.
- Availability: Authorized users must have uninterrupted access to important resources and data. It requires implementing redundant services, gateways, and links.
--
To accomplish confidentiality without using encryption, tokenization is a substitution technique that isolates data elements from exposure to other data systems. A random value with no mathematical relationship to the original replaces the original data, and the mapping is kept only in the tokenization system's vault. Outside that system a token has no value and is meaningless. Tokenization can preserve the data format (its type and length), which makes it useful for databases and card payment processing, where downstream systems expect a field that still looks like a card number.
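The following is an added example, not code from the course: a minimal format-preserving tokenization vault for 16-digit card numbers. The token keeps the length and the last four digits (an assumed display convention), fills the rest with random digits from `secrets`, and, as a deliberate design choice here, rejects candidates that pass the Luhn check so a token can never be mistaken for a real card number. The vault dictionary stands in for the protected data store that would live inside the tokenization system.

```python
import secrets

LAST_VISIBLE = 4          # assumed convention: keep the last four digits for display
PAN_LENGTH = 16


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps tokens to original values. This mapping never leaves the tokenization system."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and len(pan) == PAN_LENGTH):
            raise ValueError("expected a 16-digit PAN")
        if pan in self._pan_to_token:          # same PAN always gets the same token
            return self._pan_to_token[pan]
        while True:
            random_part = "".join(secrets.choice("0123456789")
                                  for _ in range(PAN_LENGTH - LAST_VISIBLE))
            token = random_part + pan[-LAST_VISIBLE:]
            # Unique, different from the real PAN, and Luhn-invalid so it cannot be
            # used (or mistaken) as a card number anywhere outside the vault.
            if token != pan and token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers inside the trust boundary should ever reach this."""
        return self._token_to_pan[token]      # raises KeyError for unknown tokens


if __name__ == "__main__":
    vault = TokenVault()
    sample_pan = "4111111111111111"           # constructed, well-known test number
    tok = vault.tokenize(sample_pan)
    print(sample_pan, "->", tok, "->", vault.detokenize(tok))
```

Because the token is random rather than derived from the PAN, an attacker who steals the tokenized database gains nothing; the whole confidentiality argument rests on access control around the vault itself.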
Rights management covers both digital rights management (DRM) and information rights management (IRM). Both protect data from unauthorized access by using encryption. DRM protects copyrighted material such as music, films, or books. When such content is distributed in digital form (CD, mp3, e-book), it is encrypted so that the media cannot be copied and played without the decryption key, which is made available only to licensed parties.
IRM is used with email and other files that are relevant to the activities and communications of an organization. When this information is shared with others, IRM allows the document owner, the organization, or one of its members to control and manage access to the document.
--
Integrity is the accuracy, consistency, and trustworthiness of data across its entire lifecycle. Data undergoes several operations, such as capture, storage, retrieval, update, and transfer. Data must remain unaltered by unauthorized entities during all these operations. Methods used to ensure data integrity include hashing, data validation checks, data consistency checks, and access controls. Data integrity systems can include one or more of these methods. The importance of data integrity varies based on how an organization uses its data:
- Critical level of need: healthcare orgs
- High level of need: e-commerce, analytics-based org
- Mid level of need: online sales and search engines
- Low level of need: blogs, forums, personal pages on social media
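As an added example (not from the course) of the hashing method listed above, the block below stores a record with a plain SHA-256 digest and again with an HMAC-SHA256 tag, then simulates an attacker who can write to the store. The unkeyed check still passes after tampering because the attacker simply recomputes the hash; the keyed check fails because the attacker does not hold the key. The record contents and the key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data: a record as it would sit in a data store, plus the
# secret the integrity service holds (never stored alongside the record).
ORIGINAL_RECORD = b"account=1234;balance=100.00"
TAMPERED_RECORD = b"account=1234;balance=9999.00"
INTEGRITY_KEY = b"example-integrity-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(hmac_sha256_hex(key, data), tag)


def unkeyed_check_after_tamper(record: bytes, tampered: bytes) -> bool:
    """Store record + plain hash, let an attacker rewrite both, then run the check."""
    stored = {"record": record, "digest": sha256_hex(record)}
    stored["record"] = tampered                 # attacker edits the data...
    stored["digest"] = sha256_hex(tampered)     # ...and recomputes the unkeyed hash
    return sha256_hex(stored["record"]) == stored["digest"]   # True: tampering undetected


def keyed_check_after_tamper(key: bytes, record: bytes, tampered: bytes) -> bool:
    """Store record + HMAC tag; attacker can rewrite the data but cannot forge the tag."""
    stored = {"record": record, "tag": hmac_sha256_hex(key, record)}
    stored["record"] = tampered
    # Without the key the attacker's best option is an unkeyed hash, which is not a valid tag.
    stored["tag"] = sha256_hex(tampered)
    return verify_tag(key, stored["record"], stored["tag"])       # False: tampering detected


if __name__ == "__main__":
    print("unkeyed hash still verifies after tamper:",
          unkeyed_check_after_tamper(ORIGINAL_RECORD, TAMPERED_RECORD))
    print("HMAC still verifies after tamper:",
          keyed_check_after_tamper(INTEGRITY_KEY, ORIGINAL_RECORD, TAMPERED_RECORD))
```

The same reasoning applies to file checksums published next to the download: a SHA-256 on the same server protects against corrupt transfers, not against a compromised server, which is why distributions pair checksums with signatures.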
--
Availability refers to the need to make data accessible to all authorized users whenever they need it. Cyberattacks and system failures can prevent access to information, systems, and services. There are many measures that organizations can implement to ensure the availability of their services and systems:
- Equipment maintenance
- Operating systems and software upgrades and patches
- Backup testing
- Disaster planning
- New technology implementations
- Activity monitoring
- Availability testing
-----
Physical access controls are actual barriers deployed to prevent direct physical contact with systems. For example, physical access control determines who can enter (or exit), where they can enter (or exit), and when they can enter (or exit). Here are some examples of physical access controls:
- Guards who monitor the facility.
- Fences that protect the perimeter.
- Motion detectors that detect moving objects.
- Laptop locks that prevent theft of portable equipment.
- Locked doors that prevent unauthorized access.
- Swipe cards that allow authorized access to restricted areas.
- Guard dogs that protect the facility.
- Video cameras that monitor a facility by collecting and recording images.
- Mantrap-style entry systems that stagger the flow of people into the secured area and trap any unwanted visitors.
- Alarms that detect intrusion.
Logical access controls are hardware and software solutions used to manage access to resources and systems. These technology-based solutions include tools and protocols that computer systems use for identification, authentication, authorization, and accounting. Logical access control examples include:
- Encryption is the process of taking plaintext and creating ciphertext.
- Smart cards have an embedded microchip.
- Passwords are protected strings of characters.
- Biometrics are users’ physical characteristics.
- Access control lists (ACLs) define the type of traffic allowed on a network.
- Protocols are sets of rules that govern the exchange of data between devices.
- Firewalls prevent unwanted network traffic.
- Routers connect at least two networks.
- Intrusion detection systems monitor a network for suspicious activities.
- Clipping levels are certain allowed thresholds for errors before triggering a red flag.
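The clipping-level control in the last bullet is easiest to see on real input. The block below is an added example, not course material: it parses constructed authentication log lines (the `timestamp user=... result=... src=...` layout is invented for the example), keeps a sliding window of failures per user, and flags the user once the failure count reaches the threshold inside the window. A successful login resets that user's count, which is a design choice here rather than a rule from the course.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log for the example (not a real product's format).
SAMPLE_LOG = """\
2024-05-01T10:00:01 user=alice result=FAIL src=10.0.0.5
2024-05-01T10:00:07 user=bob result=OK src=10.0.0.9
2024-05-01T10:00:12 user=alice result=FAIL src=10.0.0.5
2024-05-01T10:00:20 user=alice result=FAIL src=10.0.0.5
2024-05-01T10:00:31 user=bob result=FAIL src=10.0.0.9
2024-05-01T10:00:45 user=alice result=FAIL src=10.0.0.5
2024-05-01T10:01:02 user=alice result=FAIL src=10.0.0.5
2024-05-01T10:05:00 user=bob result=FAIL src=10.0.0.9
2024-05-01T10:40:00 user=alice result=FAIL src=10.0.0.5
"""


def parse_line(line: str):
    """Split one log line into (timestamp, user, result, source address)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["user"], kv["result"], kv["src"]


def find_clipping_violations(log_text: str, threshold: int = 5,
                             window: timedelta = timedelta(minutes=2)) -> dict:
    """Return {user: timestamp_of_first_violation} for users whose failed logins
    reach `threshold` within any `window`-long span."""
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, _src = parse_line(line)
        if result != "FAIL":
            recent[user].clear()  # design choice: a success resets the error count
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and user not in flagged:
            flagged[user] = ts
    return flagged


if __name__ == "__main__":
    for user, when in find_clipping_violations(SAMPLE_LOG).items():
        print(f"clipping level exceeded for {user} at {when}")
```

Tuning is the whole point of a clipping level: five failures in two minutes flags alice without bothering anyone over bob's occasional typo, while the same failures spread over hours (alice's 10:40 entry) stay below the line.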
---
Administrative access controls are the policies and procedures defined by organizations to implement and enforce all aspects of controlling unauthorized access. Administrative controls focus on the following personnel and business practices:
- Policies are approved ideas or actions that guide behavior.
- Procedures are the detailed steps required to perform an activity.
- Hiring practices define the steps an organization takes to find qualified employees.
- Background checks are a type of employee screening that includes verification of past employment, credit history, and criminal history.
- Data classification categorizes data based on its sensitivity.
- Security training educates employees about the security policies at an organization.
- Reviews evaluate an employee’s job performance.
---
The concept of administrative access controls involves 3 security services: authentication, authorization, and accounting (AAA). These services provide the primary framework to control access, preventing unauthorized access to a computer, network, database or other data resources.
Authentication
This is the verification of the identity of each user, to prevent unauthorized access. A user first claims an identity with a username or ID, then proves that claim by providing at least one of the following factors:
- Something they know (such as a password)
- Something they have (such as a token or card)
- Something they are (such as a fingerprint)
In the case of 2FA (and multi-factor authentication more generally), which is increasingly becoming the norm, authentication requires factors from 2 different categories above rather than just one; a password plus a security question is still a single "something you know" factor.
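The block below is an added example of a 2FA check, not course code: it combines a password (something you know), stored as a salted PBKDF2-HMAC-SHA256 hash, with a time-based one-time code (something you have, generated by an authenticator app) computed per RFC 6238 using HMAC-SHA1, 30-second steps and 6 digits. The user store is a plain dictionary and the registered user and secret are constructed for the example; the `drift_steps` tolerance and the iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000    # assumed; raise for production hardware
TOTP_STEP = 30


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen store cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


def register(users: dict, username: str, password: str, totp_secret: bytes) -> None:
    salt = secrets.token_bytes(16)
    users[username] = {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret,   # in practice stored encrypted, shown to the user once as a QR code
    }


def authenticate(users: dict, username: str, password: str, code: str,
                 unix_time: int, drift_steps: int = 1) -> bool:
    """Both factors must pass. Both are always evaluated so the response time does
    not reveal which one failed (an unknown username still returns early here)."""
    user = users.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    code_ok = False
    for d in range(-drift_steps, drift_steps + 1):        # tolerate small clock skew
        expected = totp(user["totp_secret"], unix_time + d * TOTP_STEP)
        code_ok |= hmac.compare_digest(expected, code)
    return pw_ok and code_ok


if __name__ == "__main__":
    import time
    store = {}
    register(store, "alice", "correct horse battery staple", b"12345678901234567890")
    now = int(time.time())
    print("current code for alice:", totp(store["alice"]["totp_secret"], now))
```

A real deployment would additionally remember the last accepted time step per user so a captured code cannot be replayed inside the drift window, and would rate-limit attempts (see the clipping-level idea under logical access controls).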
Accounting
---
Identification is the claim of an identity; the authorization policy is then enforced against that identity. Every time access to a resource is requested, the access controls check the identified subject against the policy and grant or deny access. A unique identifier ensures the proper association between allowed activities and subjects. A username is the most common identifier; it can be an alphanumeric string, a PIN, a smart card, or a biometric (fingerprint, retina scan, or voice recognition). Because the system can identify each user individually, it can allow an authorized user to perform only the appropriate actions on a particular resource and attribute those actions to that user afterwards.
--
Federated identity management (FIM) refers to multiple enterprises that let their users use the same identification credentials to gain access to the networks of all enterprises in the group. While FIM provides convenience to users and administrators, if the shared identity provider or a federated account is compromised, the attacker gains access to every system in the federation instead of just one. Generally speaking, a federated identity links a subject's electronic identity across separate identity management systems. This could enable access to several websites using the same social login credentials, for example. The goal of federated identity management is to share identity information automatically across enterprise boundaries. From the individual user's perspective, this means a single sign-on to multiple networks.
It is imperative that organizations scrutinize the identifying information that is shared with partners, even within the same corporate group. Sharing social security numbers, names, and addresses gives identity thieves the opportunity to steal this information from a partner with weak security and use it to perpetrate fraud. A common way to strengthen federated identity is to bind the user's identity to authorized devices such as managed workstations and phones, so that stolen credentials alone are not enough to sign in.