Network Security
Understanding Threats, Attack Vectors, and Defense-in-Depth Mechanisms
In today's connected world, networks are the lifelines of businesses, governments, and society. Securing a network isn't just about installing firewalls or antivirus software; it's about understanding the full spectrum of risks and implementing a comprehensive, layered defense strategy.
Cybercriminals now operate within organized crime syndicates, nation-state cyber units, and underground marketplaces where exploits, malware, and stolen credentials are bought and sold. Their tools range from automated malware kits to AI-enhanced evasion techniques.
Core Security Concepts
| Term | Definition |
|---|---|
| Asset | Anything of value to the organization: data, people, devices, or infrastructure |
| Vulnerability | A weakness in a system or design that could be exploited by a threat |
| Threat | A potential danger that could exploit a vulnerability |
| Exploit | A method or tool that takes advantage of a vulnerability |
| Risk | The likelihood and potential impact of a threat exploiting a vulnerability |
| Mitigation | Actions taken to reduce the risk or impact of a threat |
| Threat Actor | Any person or group that causes or attempts a cyberattack |
Threat Actors and Attack Vectors
Threat actors fall into categories based on their intent, skills, and authorization level:
- White Hat Hackers: Ethical hackers who find vulnerabilities to improve security; authorized penetration testers and security researchers.
- Black Hat Hackers: Malicious actors seeking financial or political gain; responsible for the vast majority of cybercrime.
- Gray Hat Hackers: Operate in legal gray zones; may expose flaws without authorization but without malicious intent.
- Nation-State Actors: Government-sponsored groups conducting espionage, sabotage, or influence operations against critical infrastructure.
- Insider Threats: Employees or contractors, either malicious or negligent, who expose data through privileged access.
Common Attack Vectors
Malware Types
| Type | Behaviour | Delivery Method |
|---|---|---|
| Virus | Attaches to files; requires human action to spread | Email attachments, infected media |
| Worm | Self-replicates across networks without user interaction | Network vulnerabilities, open shares |
| Trojan | Disguises as legitimate software to gain access | Software downloads, fake updates |
| Ransomware | Encrypts data and demands payment for decryption key | Phishing, exploit kits, RDP brute force |
| Rootkit | Gains root-level access and hides its presence | Exploits, physical access |
| Spyware | Silently monitors and exfiltrates user data | Bundled software, drive-by downloads |
Protocol and Service Vulnerabilities
Core networking protocols were not designed with security in mind and contain well-known weaknesses:
- ARP Spoofing: Attacker sends fake ARP replies to redirect traffic through a malicious device (man-in-the-middle). Mitigated by Dynamic ARP Inspection (DAI).
- DNS Tunneling: Hiding data within DNS queries to bypass firewalls and exfiltrate data. Mitigated by DNS monitoring and response policy zones.
- DHCP Spoofing: Rogue DHCP server provides false gateway/DNS to redirect or disable traffic. Mitigated by DHCP Snooping on switches.
- TCP SYN Flood: Exploits the three-way handshake to exhaust server resources. Mitigated by SYN cookies and rate limiting.
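The DAI and DHCP Snooping mitigations above work by checking every ARP reply on an untrusted port against a trusted IP-to-MAC binding table. The following added example (not from the original page) reproduces that validation logic in Python over constructed log lines; the log format, port names, addresses and the `ArpInspector` class are all assumptions made for illustration.

```python
"""Validate ARP replies against a trusted binding table, as Dynamic ARP
Inspection does on a switch (the table is normally populated by DHCP Snooping).
All values and the log format below are constructed for this example."""
from dataclasses import dataclass, field


@dataclass
class ArpInspector:
    bindings: dict[str, str]                    # trusted {ip: mac} pairs
    trusted_ports: set[str] = field(default_factory=set)  # uplinks, not inspected

    def inspect(self, port: str, sender_ip: str, sender_mac: str) -> str:
        """Return 'allow' or 'drop:<reason>' for one ARP reply."""
        if port in self.trusted_ports:
            return "allow"
        expected = self.bindings.get(sender_ip)
        if expected is None:
            return "drop:no-binding"          # IP never leased by the trusted DHCP server
        if expected.lower() != sender_mac.lower():
            return f"drop:mismatch expected={expected}"  # IP claimed by a different MAC
        return "allow"


def parse_arp_log(line: str) -> tuple[str, str, str]:
    """Parse one constructed line: 'port=Gi1/0/3 arp-reply ip=10.0.0.1 mac=...'."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    return fields["port"], fields["ip"], fields["mac"]


# Constructed sample log lines (hypothetical device, hypothetical format).
SAMPLE_LOG = [
    "port=Gi1/0/1 arp-reply ip=10.0.0.1 mac=00:11:22:33:44:01",   # matches binding
    "port=Gi1/0/3 arp-reply ip=10.0.0.1 mac=00:11:22:33:44:99",   # gateway IP, wrong MAC
    "port=Gi1/0/4 arp-reply ip=10.0.0.50 mac=00:11:22:33:44:50",  # IP with no binding
    "port=Gi1/0/24 arp-reply ip=10.0.0.1 mac=00:11:22:33:44:99",  # trusted uplink port
]


def run(log_lines: list[str] = SAMPLE_LOG) -> list[tuple[str, str]]:
    """Inspect each log line and return (port, verdict) pairs."""
    inspector = ArpInspector(
        bindings={"10.0.0.1": "00:11:22:33:44:01", "10.0.0.10": "00:11:22:33:44:10"},
        trusted_ports={"Gi1/0/24"},
    )
    return [(port, inspector.inspect(port, ip, mac))
            for port, ip, mac in map(parse_arp_log, log_lines)]


if __name__ == "__main__":
    for port, verdict in run():
        print(f"{port:10} {verdict}")
```

Only the replies on untrusted ports that contradict the binding table are dropped; a binding table that is incomplete (no DHCP Snooping, or static hosts not added) causes false drops, which is why DAI deployments usually combine it with static ARP ACLs for non-DHCP hosts.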
Defense in Depth
A layered approach combines multiple security measures at different levels so that if one layer fails, others remain. Cryptographic controls form one of these layers:
Cryptographic Methods
| Cryptographic Method | Type | Purpose | Examples |
|---|---|---|---|
| Hashing | One-way | Data integrity verification | MD5, SHA-1 (both deprecated), SHA-256 |
| HMAC | Keyed hash | Integrity + authentication | HMAC-SHA256 |
| Symmetric Encryption | Same key | Bulk data encryption | AES-256, 3DES (deprecated) |
| Asymmetric Encryption | Key pair | Key exchange, digital signatures | RSA, DH, ECC |
Best Practices
- Apply software and firmware updates regularly; 67% of breaches exploit known, unpatched vulnerabilities
- Use strong, unique passwords with multi-factor authentication on all accounts
- Educate staff about social engineering; humans are the most exploited attack vector
- Monitor network logs and traffic for anomalies; deploy a SIEM for correlation
- Perform regular vulnerability scans and penetration tests on critical systems
- Implement network segmentation to limit lateral movement after a breach
- Disable CDP/LLDP on external-facing interfaces to prevent information leakage
- Deploy DHCP Snooping, Dynamic ARP Inspection, and IP Source Guard on switches
