n10 009 Module 4

The document covers key concepts in network security, including terminology, encryption, identity and access management, and physical security measures. It emphasizes the importance of the CIA triad (Confidentiality, Integrity, Availability) and outlines various security controls and frameworks like Defense in Depth and the Principle of Least Privilege. Additionally, it discusses the role of audits and regulatory compliance in maintaining data protection and adherence to legal standards.

Uploaded by jamesobb17

Network Security

NETWORK + N10-009 MODULE 4


Topics
4.1 Network Security Concepts
4.2 Network Attacks
4.3 Network Defense
4.1 Network Security Concepts
Network + N10-009 Module 4
Common Security Terminology
Encryption
Certificates
Identity and Access Management (IAM)
Authentication
Authorization
Physical Security
Deception Technologies
Audits and Regulatory Compliance
Network Segmentation Enforcement
Network Security Concepts Review
Common Security Terminology
CIA Triad
Confidentiality
◦ Protects data and systems from unauthorized access or disclosure
◦ Typically implemented through encryption, access controls and permissions

Integrity
◦ Ensures data and systems are accurate, consistent, and protected from
unauthorized modification, deletion, or corruption
◦ Typically implemented through digital signatures and hashing

Availability
◦ Ensures that data and systems can still be accessed and used by authorized
users and systems when needed
◦ Typically implemented through high availability measures such as
redundancy
Security, Functionality, Usability
These attributes are interlocked
Security is at odds with nearly every other
organizational process
Increasing security usually requires decreasing
functionality and usability
You need to find an acceptable balance between these
three
Essential Terminology
Term Definition
Vulnerability A weakness or flaw in a system
Threat Anything that can potentially violate the security of a system or organization
Risk The probability that a vulnerability will be exploited, or a threat will actually materialize
Exploit An actual mechanism for taking advantage of a vulnerability
Payload The part of an exploit that actually damages the system or steals the information
Zero-day attack An attack that occurs before a vendor is aware of a flaw or is able to provide a patch for
that flaw
Control Any policy, process, or technology set in place to reduce risk
Physical control A tangible security measure that prevents unauthorized access to physical areas or assets
Logical control A software-based security measure that restricts access to computer systems and data
Essential Terminology (cont’d)
Term Definition
Mitigation Any action or control used to minimize damage in the event of a negative event
Principle of Least Privilege A security concept in which users or systems are granted the minimum level of access or permissions that they need to perform their tasks, and nothing more
Non-repudiation • A security concept that prevents the denial of involvement or responsibility
• Usually accomplished by applying a digital signature to a document
• Provides evidence of the origin and content of the message or document
• Useful for legal, financial, or contractual purposes
Accountability Ensures that responsible parties are held liable for actions they have taken
Authenticity The proven fact that something is legitimate or real
Gap analysis • A thorough analysis of an organization's security defenses
• Identifying “gaps” between the current state of security and the desired state
• The goal is to reduce the attack surface to prevent breaches
Defense in Depth
Multiple layers of security controls
Provides redundancy in the event of a control failure
Each layer helps shrink the overall attack surface
(Diagram: concentric layers of controls, from policy at the outermost layer down to physical controls.)
80 / 20 Rule
You can address 80% of your risk with 20% of the effort
Mitigate 80% of vulnerabilities by focusing on top 20% of technical controls:
◦ Remove anything unnecessary including services, protocols, and defaults
◦ Keep patch levels, anti-malware, and IDS signatures current
◦ Implement strong authentication and access control

Works even better within defense in depth


◦ 80/20 rule at each layer
◦ The attack surface at each layer then starts out smaller
Encryption
Encryption
AKA cryptography
The process of converting data in its original form (such as ordinary plain text) into something
unintelligible, and vice-versa
◦ Used to protect data confidentiality
◦ When encrypted, the data can be safely stored, used, or transmitted across a network
◦ Even if the data is stolen or intercepted, the attacker cannot read it

Can protect data in any of its three states:


◦ At rest (stored on storage media)
◦ In transit (actively being transmitted across a network)
◦ In use (loaded in RAM or being processed on a CPU)
Components of Cryptography
Key – anything that can be reduced to a number – introduces an unknown variable into the scrambling formula
Algorithm (aka cipher) – mathematical formula for scrambling data
“Plain text” – unencrypted data
Ciphertext – encrypted data
Types of Encryption
Symmetric Encryption
◦ Uses the same key for both encryption and decryption
Asymmetric Encryption
◦ Two related keys
◦ Encrypt with public key – anyone can have a copy of your public key
◦ Decrypt with private key – only you have a copy of your private key
Hashing
◦ One way “encryption” – infeasible to decrypt
◦ Fixed length output for any length input
◦ No key
◦ Meant for data integrity
◦ Data itself is not encrypted
◦ Hashed output accompanies the data for anyone to verify
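The three encryption types above, side by side in one runnable Go program. This is an added example, not code from the slides: it uses AES-256-GCM for the symmetric case (one shared key for both directions), RSA-OAEP for the asymmetric case (encrypt with the public key, decrypt only with the private key), and SHA-256 for hashing (fixed-length, keyless, one-way). The all-zero demo key and the sample message are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// symmetricSeal encrypts plaintext with AES-256-GCM. The single shared key
// is used for both directions, which is what makes the scheme symmetric.
func symmetricSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// The nonce is prepended so the receiver can reconstruct it; GCM also
	// appends an authentication tag, so tampering is detected on open.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// symmetricOpen reverses symmetricSeal; it fails with any other key.
func symmetricOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// newRSAKey generates the two related keys of an asymmetric pair.
func newRSAKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// asymmetricEncrypt needs only the public key, which anyone may hold.
func asymmetricEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// asymmetricDecrypt needs the private key, which only the owner holds.
func asymmetricDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// hashHex returns the SHA-256 digest as hex: fixed length, keyless and
// one-way, so it proves integrity rather than hiding the data.
func hashHex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

func main() {
	key := make([]byte, 32) // constructed all-zero key, for the demo only
	msg := []byte("payroll export 2024-Q1")

	sealed, _ := symmetricSeal(key, msg)
	opened, _ := symmetricOpen(key, sealed)
	fmt.Println("symmetric round trip ok:", string(opened) == string(msg))

	priv, _ := newRSAKey()
	ct, _ := asymmetricEncrypt(&priv.PublicKey, msg)
	pt, _ := asymmetricDecrypt(priv, ct)
	fmt.Println("asymmetric round trip ok:", string(pt) == string(msg))

	fmt.Println("sha256:        ", hashHex(msg))
	fmt.Println("one byte changed:", hashHex(append([]byte("Payroll"), msg[7:]...)))
}
```

Note that the hash of the message with a single letter capitalised bears no resemblance to the original digest, which is why a hash published next to a file lets anyone detect modification, while the file itself remains readable.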
Symmetric Encryption Example
Asymmetric Encryption Example
(Diagram: original data is encrypted with the public key into scrambled data, then decrypted with the private key back to the original data.)
Hashing Example
(Diagram: plain text passes through a hash function to produce the hashed output.)
Certificates
Digital Certificate
A public key on a document
◦ Includes some metadata about the key
◦ The file that contains the certificate typically has the extension .cer or .der
◦ Most certificates follow the X.509 standard

Issued by a certification authority to a user, device, or service account


When first issued, will be accompanied by the related private key
◦ The private key itself is typically encrypted with a password to protect it
◦ The file containing a private key typically has the extension .pfx or .pvk
Public Key Infrastructure
A trusted system for generating and distributing certificates
The Root Certification Authority (CA) is the highest authority
◦ It self-signs its own root certificate

Root CA issues certificates to digitally sign subordinate CAs


The subordinate CAs issue certificates to users and devices

Popular Root CAs include: VeriSign, Digicert, Godaddy, Microsoft, COMODO, Norton, Symantec, Thawte, Entrust
Self-Signed Certificates
Not issued by a certification authority
You generate your own public/private key pair
Good for local use when you trust all devices or parties
◦ Commonly used for local SSH connections
Generating Your Own Key Pair Example
(Diagram: the generated private key and its corresponding public key.)
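The PKI hierarchy and the self-signed case from the last few slides, built and verified in Go with the standard library's crypto/x509 package. This is an added example, not the slides' own material: it creates a self-signed root CA, a subordinate CA signed by the root, and a device certificate signed by the subordinate, then checks the chain the way a TLS client would. The CA names, the host names (vpn.example.test, lab-switch.local) and the 24-hour validity are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certPair is a certificate plus the private key generated with it (the .cer / .pfx split).
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn. With parent == nil it is self-signed
// (issuer equals subject); otherwise the parent's private key signs it.
func issue(cn string, isCA bool, parent *certPair) (*certPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial, not unique in general
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // may sign subordinate certificates
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certPair{cert: cert, key: key}, nil
}

// buildPKI creates the hierarchy from the slides: self-signed root CA,
// subordinate CA signed by the root, device certificate signed by the sub.
func buildPKI() (root, sub, leaf *certPair, err error) {
	if root, err = issue("Example Root CA", true, nil); err != nil {
		return
	}
	if sub, err = issue("Example Issuing CA", true, root); err != nil {
		return
	}
	leaf, err = issue("vpn.example.test", false, sub)
	return
}

// isSelfSigned reports whether the certificate's own public key verifies its signature.
func isSelfSigned(c *x509.Certificate) bool {
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// verifyChain is what a TLS client does: trust only the root, receive the
// subordinate as an intermediate, and require the host name to match.
func verifyChain(leaf, sub, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// verifyTrustedDirectly models local use of a self-signed certificate:
// the certificate itself is pinned in the trust store.
func verifyTrustedDirectly(c *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(c)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	root, sub, leaf, err := buildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("root self-signed:", isSelfSigned(root.cert), "leaf self-signed:", isSelfSigned(leaf.cert))
	fmt.Println("chain verifies:", verifyChain(leaf.cert, sub.cert, root.cert, "vpn.example.test") == nil)
	local, _ := issue("lab-switch.local", false, nil) // constructed self-signed device certificate
	fmt.Println("pinned self-signed ok:", verifyTrustedDirectly(local.cert, "lab-switch.local") == nil)
	fmt.Println("self-signed accepted by PKI:", verifyChain(local.cert, sub.cert, root.cert, "lab-switch.local") == nil)
}
```

The last line of output is the practical difference between the two slides: a self-signed certificate is fine where every party has explicitly pinned it, but it will never chain to an organisation's root CA, so a client that trusts only the PKI rejects it.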
Digital Signature
Proves the integrity and identity of the data it signs
◦ Uses both the signer’s private key and a hash
◦ Simulates security properties of a written signature in digital form

Can be applied to documents, code, files, network packets, certificates, and other data
◦ Attached to the original
◦ Does not encrypt the original
◦ Can be verified using the signer’s associated public key

Provides non-repudiation
◦ Since it uses the signer’s private key, the signer cannot disavow it
◦ You can be legally liable for documents that contain your digital signature
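A digital signature in code, as an added example that is not part of the slides. It uses Ed25519 from Go's standard library together with a SHA-256 digest of the document: the signer's private key produces the signature, the document itself stays readable, and verification with the signer's public key fails the moment either the body or the signature is altered, or a different signer's key is tried. The sample document text is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signedDocument carries the original, unencrypted body alongside the
// detached signature, as a signed file or e-mail does.
type signedDocument struct {
	Body      []byte
	Signature []byte
}

// newSigner generates the signer's key pair; the private half stays with
// the signer, the public half is handed to anyone who needs to verify.
func newSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// sign hashes the body and signs the digest with the private key, so the
// signature binds both the signer's identity and the exact content.
func sign(priv ed25519.PrivateKey, body []byte) signedDocument {
	digest := sha256.Sum256(body)
	return signedDocument{Body: body, Signature: ed25519.Sign(priv, digest[:])}
}

// verify recomputes the digest from the body as received and checks the
// signature with the public key; any change to body or signature fails.
func verify(pub ed25519.PublicKey, doc signedDocument) bool {
	digest := sha256.Sum256(doc.Body)
	return ed25519.Verify(pub, digest[:], doc.Signature)
}

func main() {
	pub, priv, err := newSigner()
	if err != nil {
		panic(err)
	}
	doc := sign(priv, []byte("Transfer 100 units to account A")) // constructed sample document
	fmt.Println("body still readable:", string(doc.Body))
	fmt.Println("verifies:", verify(pub, doc))

	tampered := doc
	tampered.Body = []byte("Transfer 900 units to account A")
	fmt.Println("tampered body verifies:", verify(pub, tampered))

	otherPub, _, _ := newSigner()
	fmt.Println("verifies under another signer's key:", verify(otherPub, doc))
}
```

Non-repudiation follows from the last check: only the holder of the matching private key could have produced a signature that verifies under that public key, which is why custody of the private key (the password-protected .pfx from the earlier slide) matters so much.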
Identity and Access Management (IAM)
Identity and Access Management (IAM)
A framework of policies, technologies, and processes used to manage digital identities and
control access to resources
Ensures the right individuals access the right resources at the right times and for the right
reasons
IAM includes two critical components:
◦ Authentication: Verifying a user's identity to ensure they are who they claim to be.
◦ Authorization: Determining what resources a verified user is allowed to access and what actions they
can perform

Supports compliance by integrating features like least privilege, role-based access control
(RBAC), multi-factor authentication (MFA), and Single Sign-On (SSO)
Authentication
Authentication
The process of verifying a user's identity
Confirms users are who they say they are
Forms the first layer of defense in cybersecurity
Protects against unauthorized access and data
breaches
Common Authentication Mechanisms
Local Authentication
◦ The local device stores your credentials
◦ You log into that device only
Multifactor Authentication (MFA)
◦ Adds layers of security beyond passwords
Time-Based Authentication
◦ Ensures credentials are valid for limited, secure timeframes
AAA (Authentication, Authorization, and Accounting)
◦ A framework for managing access and usage
LDAP Authentication
◦ Used by directory services to centralize identity management and authentication across systems
Single Sign-On (SSO)
◦ Simplifies access to multiple systems by using one set of credentials
Local Authentication
Authentication credentials are stored on the device
You log into that device only
Allows you to access resources on that device only
Multifactor Authentication
Two or more forms of authentication are required to log in
Examples:
Username and password + One-time code (OTC) sent to the user’s phone
Username and password + biometric authentication
Smart card + PIN
RSA token generated number + PIN
Typical Multifactor Authentication Example
Time-Based Authentication
A security mechanism that uses time-sensitive, one-time passwords (OTPs) or tokens to verify
a user's identity
Ensures that authentication credentials are only valid for a limited time, reducing the risk of
unauthorized access due to credential theft or reuse
Typically used as part of two-factor authentication
The user enters both their regular credentials and the time-
sensitive token when they log on
Can include:
◦ Synchronized codes generated by an authentication app or
hardware token
◦ Time-limited codes sent to the user via SMS or email
Authentication, Authorization, Accounting (AAA)
Architectural framework to provide, enforce, and audit access to a network or compute
resources
Authenticates and authorizes the user based on user’s credentials
Authentication requests are forwarded by wireless access points, network switches, VPN
servers, or other connection points to a central AAA server
The AAA server then typically forwards authentication requests to a directory service server
If the user is successfully authenticated, then the AAA server instructs the WAP/switch/VPN
server to allow the client onto the network
Common AAA protocols include:
◦ RADIUS – vendor neutral
◦ TACACS+ – Cisco proprietary
AAA Example
LDAP Authentication
LDAP (Lightweight Directory Access Protocol) is a protocol used to access and manage directory
services over a network
Commonly used for authentication
◦ Centralizes the storage of user credentials
◦ Allows systems and applications to validate user identities against a single source of truth
Vendor-neutral with wide support
No native encryption – TCP port 389
LDAPS (SSL/TLS encrypted) – TCP 636
Common implementations:
◦ Microsoft Active Directory
◦ OpenLDAP
◦ Apache Directory
◦ Red Hat Directory Server
Active Directory Login Screen Example
Single Sign-on (SSO)
A generic term for centralized user authentication and
authorization services
Allows users to use a single credential across multiple
systems
Systems can be within a single organization, or across
federated organizations
Makes it easier for users to do their job
◦ They no longer have to log on multiple times or remember
multiple passwords

Reduces the amount of time IT spends on password resets


Common SSO Services
Type Description
OpenID Connect (OIDC) • A newer authentication protocol built on top of OAuth 2.0
• Ideal for modern smartphone applications
• Enables a user to log in to a service using their Facebook or Google account rather than entering a separate set of user credentials
Security Assertion Markup Language (SAML) • An older authentication standard that's been the SSO go-to for decades
• Still trusted and used by enterprise and government organizations
• More feature-rich than OIDC, but harder to use for authenticating modern applications
Open Authorization (OAuth) • An open-standard authorization protocol
• Allows users to grant third-party applications access to their protected resources without sharing their passwords or other credentials
• Tells the website it’s ok to share the user’s data with the app
OIDC and SAML Analogy
(Diagram: an Identity Provider on one side and a Service Provider on the other.)
OIDC Examples
SAML Example
OAuth Example
(Diagram: Bob uses Facebook Login to let Spotify access Bob’s FB Profile without handing Spotify his Facebook credentials.)
Authorization
Authorization
Occurs after successful authentication
Gives authenticated users permission to access a resource
Two key components of authorization are:
◦ Principle of Least Privilege
◦ Role-Based Access Control (RBAC)
Authentication vs. Authorization
Principle of Least Privilege
Users are granted the minimum permissions required to perform their job function
Reduces attack surface by limiting access to critical systems and sensitive data
Example: A marketing employee can view analytics but cannot access financial records or server
configurations
Role-Based Access Control (RBAC)
Access permissions are assigned based on roles within an organization rather than individuals
◦ Roles are often implemented as user groups
◦ When a user joins a group, they receive the permissions of that role
◦ When they leave that group, they no longer have those permissions

Simplifies management and enforces consistency in access policies


◦ You don’t have to keep track of giving each individual user permissions
◦ You can let department managers add and remove users from a role
◦ While you give that role permissions on various resources

Example: "HR Manager" role has access to employee records, while "IT Administrator" role has
access to network configurations
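The role model described above, as an added Go example that is not part of the slides. Permissions are attached to roles, users are attached to roles, and an access check walks from user to roles to permissions with deny as the default; removing a user from a group removes the access at once. The role names follow the slide's examples, the permission strings are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

type Role string
type Permission string

// Policy maps roles to permissions and users to roles. Users never hold
// permissions directly, so access always follows group membership.
type Policy struct {
	rolePerms map[Role]map[Permission]bool
	userRoles map[string]map[Role]bool
}

func NewPolicy() *Policy {
	return &Policy{rolePerms: map[Role]map[Permission]bool{}, userRoles: map[string]map[Role]bool{}}
}

// Grant attaches permissions to a role; this is the part the security team owns.
func (p *Policy) Grant(role Role, perms ...Permission) {
	if p.rolePerms[role] == nil {
		p.rolePerms[role] = map[Permission]bool{}
	}
	for _, perm := range perms {
		p.rolePerms[role][perm] = true
	}
}

// AddMember and RemoveMember are what a department manager operates.
func (p *Policy) AddMember(user string, role Role) {
	if p.userRoles[user] == nil {
		p.userRoles[user] = map[Role]bool{}
	}
	p.userRoles[user][role] = true
}

func (p *Policy) RemoveMember(user string, role Role) {
	delete(p.userRoles[user], role) // no-op for unknown users
}

// Allowed is deny-by-default: unknown users, unknown roles and permissions
// that no held role carries all evaluate to false.
func (p *Policy) Allowed(user string, perm Permission) bool {
	for role := range p.userRoles[user] {
		if p.rolePerms[role][perm] {
			return true
		}
	}
	return false
}

// Effective lists a user's permissions in sorted order, which is what a
// least-privilege review looks at.
func (p *Policy) Effective(user string) []string {
	seen := map[Permission]bool{}
	for role := range p.userRoles[user] {
		for perm := range p.rolePerms[role] {
			seen[perm] = true
		}
	}
	out := make([]string, 0, len(seen))
	for perm := range seen {
		out = append(out, string(perm))
	}
	sort.Strings(out)
	return out
}

// examplePolicy builds the roles from the slide with constructed permission names.
func examplePolicy() *Policy {
	p := NewPolicy()
	p.Grant("HR Manager", "employee-records:read", "employee-records:write")
	p.Grant("IT Administrator", "network-config:read", "network-config:write")
	p.Grant("Marketing", "analytics:read")
	return p
}

func main() {
	p := examplePolicy()
	p.AddMember("alice", "HR Manager")
	p.AddMember("bob", "IT Administrator")
	fmt.Println("alice reads employee records:", p.Allowed("alice", "employee-records:read"))
	fmt.Println("alice writes network config:", p.Allowed("alice", "network-config:write"))
	p.RemoveMember("alice", "HR Manager")
	fmt.Println("alice after leaving the role:", p.Effective("alice"))
	fmt.Println("bob effective:", p.Effective("bob"))
}
```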
RBAC Example
Geofencing
An authorization enforcement mechanism
A virtual perimeter around a physical location, defined by GPS, Wi-Fi, RFID, or cellular signals
Triggers actions or restrictions when a device or user enters or exits the defined boundary
◦ The device must have geolocation enabled

Examples:
◦ Turn microphone and camera off when entering a sensitive area
◦ Allow access to resources only from authorized locations (e.g., office premises)
◦ Block sensitive data access from high-risk regions
◦ Trigger alerts for unauthorized attempts to access systems from outside the defined area
◦ Enforce location-based rules for VPN or cloud access
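The enforcement side of a geofence, as an added Go example rather than material from the slides. A fence is a centre point and a radius; the program computes the great-circle distance from a device's GPS fix (haversine formula), turns consecutive fixes into enter/exit events that actions can hang off, and makes a deny-by-default access decision that allows a resource only from inside an authorised zone. The office coordinates and the two device positions are constructed.

```go
package main

import (
	"fmt"
	"math"
)

// Point is a device's GPS fix in decimal degrees.
type Point struct{ Lat, Lon float64 }

// Geofence is a circular virtual perimeter around a physical location.
type Geofence struct {
	Name    string
	Center  Point
	RadiusM float64
}

// Event is the boundary crossing an enforcement point reacts to.
type Event string

const (
	Enter Event = "enter"
	Exit  Event = "exit"
	None  Event = ""
)

const earthRadiusM = 6371000.0

// distanceM is the great-circle distance between two fixes (haversine formula).
func distanceM(a, b Point) float64 {
	toRad := math.Pi / 180
	dLat := (b.Lat - a.Lat) * toRad
	dLon := (b.Lon - a.Lon) * toRad
	h := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(a.Lat*toRad)*math.Cos(b.Lat*toRad)*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusM * math.Asin(math.Sqrt(h))
}

// Contains reports whether the fix lies inside the perimeter.
func (g Geofence) Contains(p Point) bool {
	return distanceM(g.Center, p) <= g.RadiusM
}

// Transition compares consecutive fixes and yields the crossing, if any;
// actions such as muting the microphone hang off Enter and Exit.
func (g Geofence) Transition(prev, cur Point) Event {
	was, now := g.Contains(prev), g.Contains(cur)
	switch {
	case !was && now:
		return Enter
	case was && !now:
		return Exit
	default:
		return None
	}
}

// AccessDecision allows a resource only from inside an authorised zone and
// names the zone for the audit log; everywhere else is denied.
func AccessDecision(zones []Geofence, p Point) (bool, string) {
	for _, z := range zones {
		if z.Contains(p) {
			return true, z.Name
		}
	}
	return false, ""
}

func main() {
	// Constructed office perimeter and a phone moving from the street to a desk.
	office := Geofence{Name: "HQ office", Center: Point{40.7484, -73.9857}, RadiusM: 150}
	street := Point{40.7500, -73.9857} // roughly 180 m north of the centre
	desk := Point{40.7486, -73.9855}
	fmt.Println("event:", office.Transition(street, desk))
	ok, zone := AccessDecision([]Geofence{office}, desk)
	fmt.Println("allowed:", ok, "zone:", zone)
	ok, _ = AccessDecision([]Geofence{office}, street)
	fmt.Println("allowed from street:", ok)
}
```

The decision is only as trustworthy as the fix it is fed, which is the caveat behind the slide's note that geolocation must be enabled on the device: a fence is an authorization control layered on top of authentication, not a replacement for it.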
Geofencing Example
Physical Security
Physical Security
The foundation of safeguarding any organization's assets
Ensures protection against unauthorized access, theft, and physical threats
Effective physical security measures, such as surveillance cameras and secure locking
mechanisms, play a critical role in monitoring, controlling, and restricting access to sensitive
areas, enhancing overall safety and compliance
Physical Security Examples
Cameras
Extend guard presence and surveillance coverage
Security cameras can have a wide variety of features
You can tailor your surveillance system to address
specific security needs and environmental challenges
Security Camera Features
Pan-Tilt-Zoom (PTZ)
Motion-Activated
Wireless
Cloud-storage and remote access
Low-Light/Infrared (IR)
Thermal - Detect heat even when view is obscured
Wide Dynamic Range (WDR) for high contrast
High-Resolution Cameras (HD/4K)
360-Degree view
Camera features depend on the product
License Plate Recognition (LPR)
Locks
Provide a critical first line of defense by restricting unauthorized access to buildings, rooms, and
equipment
Use tamper-resistant, pick-proof locks for critical areas such as server rooms or data centers
Implement keycard or biometric locks for tracking and restricting access
Combine physical locks with additional barriers like gates, turnstiles, or cabinets
Maintain strict control over codes and physical keys, including tracking issuance and requiring
key returns upon employee departures
Ensure a fail-safe mechanism for locks in emergencies, such as power outages or fire alarms
◦ Allows a person to escape a locked area if the power goes out or the lock fails
Lock Examples
Deception Technologies
Honeypot
A decoy intended to look like a
legitimate, vulnerable system
Deployed next to your genuine
digital assets
Designed to make a would-be
attacker waste their time, while you
collect information about the attack
Honeynet
A decoy network that contains one or more honeypots
Looks like a real network with multiple systems
Typically hosted on one or just a few servers
Can be placed in the:
◦ DMZ (distract external attackers)
◦ Internal network (detect insider threats and Advanced Persistent Threats (APTs))
(Diagram: one honeynet in the DMZ facing the Internet and a second honeynet inside the private network.)
Audits and Regulatory Compliance
Ensuring Data Protection and Standards Adherence
Audits and compliance are essential for adhering to legal and industry standards, ensuring data
protection and minimizing risks
Key focus areas include:
◦ Data locality – where data is stored geographically
◦ Data sovereignty – the legal jurisdiction governing data
◦ Regulatory frameworks like GDPR and PCI DSS

These elements help organizations navigate the complexities of global data management and
maintain regulatory compliance
Data Locality
Refers to the physical location where data is stored
Focuses on the geographical placement of data (e.g., whether the data is stored in a data center
in the United States, Europe, or Asia)
Often linked to technical and performance considerations, such as minimizing latency, ensuring
faster access, or adhering to a customer's preference for local hosting
Example Use Case: A company might store customer data in a data center close to the
customers it serves to improve application performance and reduce network latency
Data locality also directly impacts data sovereignty
◦ The physical location of data determines which jurisdiction’s laws and regulations govern its access,
storage, and processing
Data Sovereignty
Refers to the legal and regulatory control that a country or jurisdiction has over the data stored within its
borders, regardless of who owns or operates the data center
Regulates how data should be governed and secured, specific to the country where it was collected and
not where the collector resides
With the rise of cloud computing, over 100 countries have passed some type of data sovereignty law
◦ Example: Data collected about a country’s citizens can only be stored (geo-located) on servers in that country

Data sovereignty complicates data storage and processing for global enterprises and cloud providers
◦ Introduces legal, operational, and technical challenges due to differing regulations across jurisdictions
General Data Protection Regulation (GDPR)
EU residents have the right to control their personal data, including the right to access, rectify,
erase, restrict, and transfer it
Companies that collect and process EU citizen data must comply with GDPR regulations, which
include:
◦ Obtaining explicit consent
◦ Implementing appropriate security measures
◦ Reporting data breaches within 72 hours
◦ Applies even if the data is stored in a non-EU country
Payment Card Industry Data Security Standards (PCI DSS)
A unified security standard for the payment card industry
The main goal is to protect cardholder data and reduce the risk of credit card fraud
An industry standard rather than a legal requirement
Compliance is enforced through contracts between merchants, acquiring banks, and payment
processors:
◦ Merchants who wish to accept credit card payments must agree to adhere to PCI DSS as part of their
agreements with these entities
◦ Non-compliance can lead to penalties from credit card brands, higher transaction fees, or the loss of the
ability to process card payments
Network Segmentation Enforcement
Network Segmentation
Creating network segments as “security zones” is an excellent way to group devices with the
same security needs
◦ Zones should be created based on security needs
◦ All devices in the same zone should have the same security requirements
Enforcement can be:
◦ Physical
  ◦ Air-gapped in same environment
    ◦ Highly secure but still at risk of compromise through:
      ◦ Removable media
      ◦ Environmental controls compromise
  ◦ Completely isolated
◦ Logical
  ◦ Separated by VLANs, firewalls, and packet-filtering routers
  ◦ Still at risk of misconfiguration or VLAN hopping
Segmentation Trust Levels
(Diagram, ordered from highest to lowest trust level:)
Completely isolated – Highest
Air-gapped, common environment – Very High
Physical segments – Higher
Logical segments (VLANs, Firewalls) – High
Industrial Control Systems (ICS)
A general term that refers to a control system and related instrumentation (sensors, actuators)
Used for industrial process monitoring and control
A single ICS system can range in size from a few controllers to thousands of connected field
systems
Found in nearly every industrial sector and critical infrastructure including manufacturing,
transportation, energy, and water treatment
ICS is a subset of IoT
Typically separated from the corporate network via firewall
ICS Example
Supervisory Control and Data Acquisition (SCADA)
Centralized control system for ICS
Long distance monitoring and control of field sites
Saves time and effort
◦ Technicians don’t have to travel a long distance to
the field site to take measurements or apply settings

Network communications can be analog (POTS), cellular or digital (TCP/IP)
SCADA Operator Demo / Example
https://www.jointjs.com/demos/scada
ICS / SCADA Segmentation Example
ICS Security Considerations
Consider the trade-offs of convenience vs security when connecting to an ICS/SCADA system
◦ Most SCADA systems cannot be updated
◦ SCADA manager systems typically connect to field devices via cellular or Wi-Fi
Most SCADA systems are legacy
◦ They are designed to be long-lived and highly available
◦ They cannot be easily taken down or updated
ICS systems often use insecure proprietary protocols
◦ Many do not support encryption and cannot be updated
ICS security systems focus on detection, rather than prevention
◦ The risk of inadvertently blocking critical processes is too great
Supervisor workstations could themselves be vulnerable
Network Security Concepts Review
Review
The CIA triad consists of confidentiality, integrity, and availability
Confidentiality protects data and systems from unauthorized access or disclosure
Confidentiality is typically implemented through encryption, access controls, and permissions
Integrity ensures data and systems are accurate, consistent, and protected from unauthorized
modification, deletion, or corruption
Integrity is typically implemented through digital signatures and hashing
Availability ensures that data and systems can be accessed and used by authorized users and
systems when needed
Availability is typically implemented through high availability measures such as redundancy
Review (cont’d)
Security is at odds with nearly every other organizational process
Increasing security usually requires decreasing functionality and/or usability
Defense in depth is a security approach in which multiple layers of security controls are applied
to a protected asset
Each layer added to defense in depth helps shrink the overall attack surface
The 80/20 rule states that you can address 80% of your risk with 20% of the effort
Review (cont’d)
Term Definition
Vulnerability A weakness or flaw in a system
Threat Anything that can potentially violate the security of a system or organization
Risk The probability that a vulnerability will be exploited, or a threat will actually materialize
Exploit An actual mechanism for taking advantage of a vulnerability
Payload The part of an exploit that actually damages the system or steals the information
Zero-day attack An attack that occurs before a vendor is aware of a flaw or is able to provide a patch for
that flaw
Control Any policy, process, or technology set in place to reduce risk
Physical control A tangible security measure that prevents unauthorized access to physical areas or assets
Logical control A software-based security measure that restricts access to computer systems and data
Review (cont’d)
Term Definition
Mitigation Any action or control used to minimize damage in the event of a negative event
Principle of Least Privilege A security concept in which users or systems are granted the minimum level of access or permissions that they need to perform their tasks, and nothing more
Non-repudiation • A security concept that prevents the denial of involvement or responsibility
• Usually accomplished by applying a digital signature to a document
• Provides evidence of the origin and content of the message or document
• Useful for legal, financial, or contractual purposes
Accountability Ensures that responsible parties are held liable for actions they have taken
Authenticity The proven fact that something is legitimate or real
Gap analysis • A thorough analysis of an organization's security defenses
• Identifying “gaps” between the current state of security and the desired state
• The goal is to reduce the attack surface to prevent breaches
Review (cont’d)
Encryption is the process of converting data in its original form (such as ordinary plain text) into
something unintelligible, and vice versa
Data can be protected in any of its three states:
◦ At rest (stored on storage media)
◦ In transit (actively being transmitted across the network)
◦ In use (loaded in RAM or being processed on a CPU)

The four components of cryptography are:
◦ unencrypted data
◦ the key
◦ the algorithm (a.k.a. cipher)
◦ and ciphertext (encrypted data)
Review (cont’d)
Symmetric encryption uses the same key for both encryption and decryption
Asymmetric encryption uses two related keys, the public key and the private key
The public key is used to encrypt data, and anyone is allowed to have a copy of the public key
The private key is used to decrypt data, and only you should have a copy of the private key
Hashing is a one-way form of encryption that is infeasible to decrypt
It provides a fixed length output for any length input
Hashing does not use a key, and does not encrypt the data itself
Hashing assures data integrity
Hashed output typically accompanies the original data for anyone to verify
Review (cont’d)
A digital certificate is a public key on a document
Most certificates follow the X.509 standard
Certificates are issued by a certification authority to a user, device, or service account
When first issued, the digital certificate will be accompanied by the related private key
Public key infrastructure is a trusted system for generating and distributing certificates
The root certification authority is the highest authority in PKI
The Root CA will sign its own root certificate
The Root CA then issues certificates to digitally sign subordinate CAs
The subordinate CAs issue certificates to end users and devices
Review (cont’d)
A self-signed certificate is one that is generated by the user for private use
Self-signed certificates are not issued by a certification authority
A digital signature uses a private key to prove the integrity and identity of the data it signs
The digital signature uses both the signer’s private key and a hash
Digital signatures can be applied to all manner of data
Digital signatures are attached to the original, and do not encrypt the original
Digital signatures can be verified using the signer’s associated public key
Digital signatures provide non-repudiation
Since the signer used their private key, they cannot disavow what they signed
Review (cont’d)
Identity and access management (IAM) is a framework used to manage digital identities and
control access to resources
IAM has two critical components: authentication and authorization
Authentication is the process of verifying a user’s identity
Common authentication mechanisms include local authentication, multifactor authentication,
time-based authentication, AAA, LDAP authentication, and Single Sign-on (SSO)
SSO is a generic term for centralized user authentication and authorization services
Common SSO services include OpenID Connect (OIDC), Security Assertion Markup Language
(SAML), and Open Authorization (OAuth)
Review (cont’d)
Authorization grants authenticated users permission to access a resource
Principle of least privilege is an important component of authorization
In principle of least privilege, users are granted the minimum permissions required to perform their
job function, and no more
Role based access control provides permissions based on the role that a user plays within an
organization, rather than granting the permission directly to the individual
Geo fencing is an authorization enforcement mechanism
A virtual perimeter geofence is defined around a physical location by using GPS, Wi-Fi, RFID, or
cellular signals
When a user enters or exits the Geo fence, an action is triggered, typically on their mobile device
Geo fencing actions can include turning the microphone and camera off when entering a sensitive
area, blocking sensitive data access from high risk regions, or enforcing location-based rules for VPN
or cloud access
Review (cont’d)
Physical security is the foundation of safeguarding any organization’s assets
Physical security ensures protection against unauthorized access, theft, and physical threats
Cameras are a common type of physical security
Cameras extend guard presence and surveillance coverage
Locks provide a critical first line of defense by restricting unauthorized access to physical
locations
Review (cont’d)
Honeypots are decoys intended to look like legitimate, vulnerable systems
You deploy honeypots next to your genuine digital assets in hopes to distract an attacker and
make them waste time while you collect information about the attack
A honeynet is a decoy network that contains one or more honeypots
You can place honeynets in the DMZ or near sensitive assets in your internal network
Review (cont’d)
Data locality refers to the physical location where data is stored
Data sovereignty refers to the legal and regulatory control that a country or jurisdiction has over
the data stored within its borders, regardless of who owns or operates the data center
General Data Protection Regulation (GDPR) is one that has been enacted in the European Union
In GDPR, EU residents have the right to control their personal data, including the right to access,
rectify, erase, restrict, and transfer it
Any company, regardless of where it is located, that collects and processes EU citizen data must
comply with GDPR regulations
Review (cont’d)
Payment Card Industry Data Security Standard (PCI DSS) is a unified security standard for the payment card industry
PCI DSS requires certain protections on cardholder data to help reduce the risk of credit card fraud
PCI DSS compliance is enforced through contracts between merchants, banks, and payment processors
Review (cont’d)
Network segmentation is the implementation of network segments as “security zones”
All devices in the same zone should have the same security requirements
Network segmentation can be enforced through physical means or logical means
Review (cont’d)
Industrial Control Systems (ICS) is a general term that refers to a control system and related instrumentation (sensors, actuators)
ICS is used for industrial process monitoring and control
ICS is a subset of IoT (Internet of Things)
The Industrial Control System is typically separated from the corporate network via a firewall
Supervisory Control and Data Acquisition (SCADA) is a centralized control system for ICS
ICS has its own security considerations, including the issue that most SCADA systems are legacy
and cannot be easily taken down or updated
4.2 Network Attacks
Network + N10-009 Module 4
Denial-of-Service
VLAN Hopping
MAC Flooding
ARP Spoofing
ARP Poisoning
DNS Spoofing
On-path Attack
Rogue Devices and Services
Evil Twin
Social Engineering
Malware
Network Attacks Review
Denial-of-Service (DoS)
Denial-of-Service (DoS)
A malicious attempt to disrupt or shut down a server, service, or network
Typically accomplished by flooding it with illegitimate requests, essentially overwhelming its
resources and preventing legitimate users from accessing it
Can also be accomplished by sending malformed packets that the target wastes time trying to
interpret, or by attacking other application or protocol-based vulnerabilities
DoS Attack Categories
Volumetric Attacks
◦ Consumes network bandwidth so authorized clients cannot connect
Fragmentation Attacks
◦ Keeps a target busy with packet fragments that cannot be reassembled
TCP State-Exhaustion Attacks
◦ Consumes a server’s maximum allowed TCP connections
Application Layer Attacks
◦ Designed to consume app resources/service so they are not available to users
Protocol Attacks
◦ Designed to abuse commonly used Internet protocols
Multi-vector Attacks
◦ A combination of attack types
Some DoS attacks have characteristics of more than one attack type
DoS Example
Distributed Denial-of-Service (DDoS)
Launched from numerous compromised devices
◦ There can be hundreds or even thousands of devices
The compromised devices are typically organized and remotely controlled
◦ Such computers are called “zombies”
◦ They are managed by “command and control” (C&C) computers
◦ These are regionally located
◦ Often compromised machines themselves
◦ The C&C computers are in turn controlled by the attacker’s computer
DDoS Example (diagram): the Attacker controls the C&C Servers (Masters), which control the Zombies (Slaves), which attack the Victim
Frequency Jamming
Denial-of-Service at the radio frequency level
The simplest and crudest form of wireless attack
The wireless system and all of its clients are overwhelmed by a more powerful signal
Authorized signals get buried in noise
VLAN Hopping
VLAN Hopping
Bypass the normal isolation between VLANs
1. Attacker creates a rogue trunk link with the switch
2. Malicious packets are tagged with target VLAN ID
3. Attack is sent along trunk link to target
MAC Flooding
MAC Flooding
A common attack on a network switch
Intentionally overwhelming a switch with phony MAC addresses
◦ Specially crafted Ethernet frames are rapidly sent into a switch port
◦ Typically the frames have random spoofed source MAC addresses
The goal is to force a switch to behave like a hub
◦ Forward all frames out all ports
◦ The attacker can then sniff any traffic
The switch will enter the spoofed MAC addresses into its MAC table
The MAC table fills and cannot take in any new MAC addresses
Vulnerable switches will then change into hub mode
◦ They repeat any incoming frame out all ports
◦ This allows the attacker to sniff traffic from all nodes on the switch
Most modern switches are not vulnerable
MAC Flooding Example (diagram: hosts aaaa, bbbb, cccc, dddd, eeee, ffff on one switch)
• Switch is keeping conversations separate
• Attacker is not able to eavesdrop on any of the connections
MAC Flooding Example (diagram)
• Attacker starts flooding the switch with random source MAC addresses
MAC Flooding Example (diagram; switch: “My MAC table is full!”)
• The switch’s MAC table fills to capacity
MAC Flooding Example (diagram)
• The switch changes to hub mode, flooding all frames out all ports
• The attacker is now able to sniff traffic
ARP Spoofing
ARP Spoofing
The term “ARP spoofing” can refer to two related but distinct types of attacks
Switch spoofing: The attacker sends fake ARP replies to a switch, tricking it into sending copies of
the target’s traffic to the attacker
ARP poisoning (AKA ARP cache poisoning): The attacker sends fake ARP messages, associating
their MAC address with the target’s IP address
In both cases, the goal of ARP spoofing is to redirect traffic intended for another recipient to the
attacker—either in addition to or instead of its original destination
Switch Spoofing Example (diagram, three steps)
• Hosts MAC aaaa and MAC bbbb are connected to the switch; the attacker is MAC xxxx
• The attacker announces to the switch: “I’m MAC xxxx and MAC aaaa and MAC bbbb”
• Hosts MAC aaaa and MAC bbbb keep communicating while the switch also delivers copies to MAC xxxx
ARP Poisoning
ARP Poisoning
AKA ARP cache poisoning
The deliberate effort to corrupt another device’s ARP cache
The attacker sends fake ARP replies that associate the attacker’s MAC with target’s IP
Used for man-in-the-middle attacks
◦ Corrupt both sides of a conversation (client - server / sender - gateway)
◦ Each node thinks the other uses the attacker’s MAC address
◦ The two sides will unknowingly relay their conversation through the attacker
Attacker uses their own MAC address, but associates it with the target’s IP address to fool other devices
ARP Poisoning MITM Example (diagram)
NORMAL: hosts 10.1.1.1 (MAC aaaa) and 10.1.1.2 (MAC bbbb)
◦ ARP cache entry: to send to IP 10.1.1.1, deliver to MAC aaaa
◦ ARP cache entry: to send to IP 10.1.1.2, deliver to MAC bbbb
MITM: the attacker (MAC xxxx) sits between 10.1.1.1 (MAC aaaa) and 10.1.1.2 (MAC bbbb)
◦ Poisoned ARP cache entry: to send to IP 10.1.1.1, deliver to MAC xxxx
◦ Poisoned ARP cache entry: to send to IP 10.1.1.2, deliver to MAC xxxx
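A defender-side counterpart to the diagram above, added here as an example that is not part of the course material: a small monitor that reads constructed tcpdump-style ARP reply lines for the two hosts in the diagram and raises an alert when an IP’s MAC binding changes or one MAC claims several IPs. The capture lines, the attacker MAC de:ad:be:ef:00:01 (standing in for “MAC xxxx”) and the allowlist for routers that legitimately answer for several IPs are all assumptions.

```python
"""ARP poisoning detector (added example; not course code).

Replays constructed tcpdump-style ARP reply lines for the slide's two hosts,
10.1.1.1 (aa:aa:...) and 10.1.1.2 (bb:bb:...), plus an attacker whose MAC
de:ad:be:ef:00:01 stands in for the slide's "MAC xxxx". A monitor that
remembers the first IP-to-MAC binding it saw alerts when a later reply changes
that binding, or when a single MAC starts claiming several IP addresses.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Matches the "Reply <ip> is-at <mac>" part of a tcpdump ARP line.
ARP_REPLY = re.compile(r"Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-fA-F:]{17})")


def parse_reply(line: str) -> Optional[Tuple[str, str]]:
    """Return (ip, mac) for an ARP reply line, or None for anything else."""
    m = ARP_REPLY.search(line)
    return (m.group(1), m.group(2).lower()) if m else None


@dataclass
class ArpMonitor:
    """Remembers IP->MAC bindings from ARP replies and reports conflicts."""
    # MACs allowed to answer for several IPs (e.g. a router doing proxy ARP); assumption.
    multi_ip_ok: Set[str] = field(default_factory=set)
    bindings: Dict[str, str] = field(default_factory=dict)       # ip -> first mac seen
    claims: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))  # mac -> ips
    alerts: List[str] = field(default_factory=list)

    def observe(self, ip: str, mac: str) -> List[str]:
        """Record one ARP reply; return any alerts it triggered."""
        new: List[str] = []
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac          # first sighting of this IP: trust it as the baseline
        elif known != mac:
            new.append(f"binding change: {ip} was {known}, now claimed by {mac}")
        first_claim = ip not in self.claims[mac]
        self.claims[mac].add(ip)
        if first_claim and len(self.claims[mac]) > 1 and mac not in self.multi_ip_ok:
            ips = ", ".join(sorted(self.claims[mac]))
            new.append(f"one MAC claims several IPs: {mac} -> {ips}")
        self.alerts.extend(new)
        return new


def scan_capture(text: str, monitor: Optional[ArpMonitor] = None) -> List[str]:
    """Feed every ARP reply in a capture to the monitor and return all alerts."""
    monitor = monitor if monitor is not None else ArpMonitor()
    for line in text.splitlines():
        parsed = parse_reply(line)
        if parsed:
            monitor.observe(*parsed)
    return monitor.alerts


# Constructed capture: normal traffic, then the attacker poisoning both hosts.
SAMPLE_CAPTURE = """\
12:00:01.10 ARP, Reply 10.1.1.1 is-at aa:aa:aa:aa:aa:aa, length 28
12:00:01.11 ARP, Reply 10.1.1.2 is-at bb:bb:bb:bb:bb:bb, length 28
12:00:05.00 ARP, Request who-has 10.1.1.2 tell 10.1.1.1, length 28
12:00:05.01 ARP, Reply 10.1.1.2 is-at bb:bb:bb:bb:bb:bb, length 28
12:00:09.00 ARP, Reply 10.1.1.1 is-at de:ad:be:ef:00:01, length 28
12:00:09.01 ARP, Reply 10.1.1.2 is-at de:ad:be:ef:00:01, length 28
"""

if __name__ == "__main__":
    for alert in scan_capture(SAMPLE_CAPTURE):
        print("ALERT", alert)
```

Legitimate binding changes (a DHCP lease moving to another host, a failover pair switching) trigger the first alert too, so in practice the output is correlated with the DHCP lease table rather than acted on alone.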
DNS Spoofing
DNS Spoofing
Can refer to:
A rogue device pretending to be a DNS server
◦ Often deployed with a rogue DHCP server that issues leases with a scope option pointing to the fake DNS server
◦ In some cases devices (Cisco) broadcast to find their local DNS server
◦ Rogue responds to these broadcasts
DNS poisoning attack
◦ Injecting fake records into a DNS server’s zone file or lookup cache
DNS Poisoning
The act of injecting fake DNS records into:
◦ An authoritative server’s zone file
◦ A DNS server’s lookup cache
DNS Zone File Poisoning
Many authoritative DNS servers allow dynamic updates
Attacker updates a DNS server with a fake A record
◦ Destination name is the same
◦ IP address has been changed to the attacker’s IP
◦ Server thinks update is legitimate
When clients perform an A lookup, they are given the wrong IP address
Can be performed against both Internet and intranet DNS servers
DNS Cache Poisoning
False DNS records are inserted into a DNS server’s cache
◦ These records are then given to clients and other DNS servers
Most DNS servers query other servers to resolve host names
One false record can propagate to many DNS servers and clients
Digital signatures and DNSSEC can help, and should be implemented
◦ In DNSSEC, a digital signature accompanies each DNS record to prove its authenticity and integrity
◦ Reduce the threat of DNS poisoning, spoofing, and similar types of attacks
◦ Clients that cannot utilize DNSSEC will ignore the signature files
On-path Attack
On-Path Attack
AKA Man-in-the-Middle, Monkey-in-the-Middle, MITM
Communication between two nodes is intercepted by a malicious attacker
◦ Attacker injects themselves between the two nodes
Typically used to:
◦ Intercept credentials
◦ Inject malicious content into the session
Can occur in many forms of communication
◦ Email hijacking
◦ Browser hijacking
◦ Wi-Fi or LAN MITM
◦ TCP session hijacking
Mitigation techniques include:
◦ S/MIME for email
◦ Authentication certificates
◦ SSL/TLS
Rogue Devices and Services
What is a Rogue?
Any unauthorized device or service added to the network
Can be malicious or unintentionally disruptive
Typically refers to a wireless or wired device used to:
◦ Capture credentials (MITM or evil twin)
◦ Sniff traffic
◦ Provide improper IP addresses to clients (rogue DHCP)
◦ Misdirect DNS clients (via DNS or broadcast)
Rogue DHCP Server
Unauthorized DHCP server on the network segment
Leases inappropriate IP addresses and scope options to unsuspecting clients
Clients can’t differentiate between authorized and rogue DHCP servers
◦ DHCP is broadcast-based with no authentication
Can be intentional or accidental
◦ User could plug a Wi-Fi router into the network and forget to turn off its DHCP service
Countermeasures:
◦ On a LAN, implement DHCP snooping on the switch
◦ On Wi-Fi, configure an enterprise WAP to go rogue hunting
Rogue DHCP Server Example
Wireless is Inherently Vulnerable to Rogues
Rogue Wireless Access Point Example
Evil Twin
Evil Twin Attack
Usually refers to a malicious, unauthorized wireless access point
Set up to entice users to connect
◦ Placed close to clients so it has a strong signal
◦ Appears at/toward the top of the available WLANs list
◦ Has the same or similar SSID to authorized/expected WAP
Typically used to intercept user credentials
May or may not relay client traffic to the real WLAN
Evil Twin Attack Example
Social Engineering
What is Social Engineering?
The psychological manipulation of people into divulging confidential information or performing
actions that they shouldn’t do
A low-tech way of gaining unauthorized information or access to systems
Human Motivation for Falling Victim
Fear
Greed
Curiosity
Helpfulness
Urgency
Obedience to authority
Common Social Engineering Attacks
Impersonation: Calling the victim inside the company or at home and pretending to be someone the user trusts, such as an authority figure or IT support
Pretexting: Giving the victim a (fake) reason for requesting something of them
Quid-pro-quo: Relies on an exchange of information or service to convince the victim to act
Tailgating: An unauthorized person follows an authorized person into the secure or restricted area WITHOUT the knowledge or consent of the authorized person
Piggybacking: An unauthorized person follows an authorized person into the secure or restricted area WITH the consent of the authorized person
Common Social Engineering Attacks (cont’d)
Phishing:
◦ Sending a fake email to a user to entice them into opening a malicious attachment or clicking a malicious link
◦ Typically sent to as many people as possible
◦ Variants include: vishing, smishing, spear phishing, whaling, deep fakes
Spear Phishing: A phishing attack that is targeted towards a specific group
Whaling: A phishing attack that specifically targets a high-value person such as a CEO or celebrity
Vishing:
◦ Urgent voice mails or pre-recorded messages that pressure victims into acting quickly to protect themselves from malware, arrest, or other risk
◦ A common trick is for a user to dial a number or press a number on their keypad
◦ When the user does so, they are redirected to an expensive pay-by-the-minute phone number that keeps them on hold to incur charges
◦ The charges will appear on their phone bill
Smishing: Phishing using SMS or social media messaging
Common Social Engineering Attacks (cont’d)
Water-holing:
◦ Enticing users with a common interest to visit a malicious website
◦ Targeted to a specific group
◦ Often used as a mechanism to gain entry into a specific network
Pharming:
◦ Re-directing a user to a bogus website that mimics the appearance of a legitimate one
◦ Performed through various name resolution attacks such as modifying a HOSTS file, corrupting DNS server or resolver cache, DNS man-in-the-middle, etc.
◦ Done to obtain personal information such as passwords, account numbers, and the like
Clickjacking:
◦ Overlay an invisible (malicious) HTML element on top of a web page
◦ Often a one-pixel iFrame
◦ User thinks they are clicking the visible page, but they are also clicking the invisible overlay
Common Social Engineering Attacks (cont’d)
Baiting: Online and/or physical attack that promises the victim a reward
USB stick or cable baiting:
◦ Compromised sticks or charging cables are scattered where users will find them
◦ When plugged in they autorun the malicious payload
◦ Can also have a built-in miniature Wi-Fi transceiver for the attacker to interact in real-time with the victim
Fake Malware: Victims are tricked into believing that malware is installed on their computer and that if they pay, the malware will be removed
Ransomware: A form of malicious software that encrypts data and then demands a paid ransom for the decryption key
Shoulder Surfing: An unauthorized person spies over your shoulder as you type; can be done directly or across the room with a mobile device and special camera software
Dumpster Diving: Going through someone’s trash to find discarded, but still valuable/sensitive information
Phishing Examples
More Phishing
Smishing Examples
URL Hijacking
AKA typo squatting
Involves creating domain names that closely resemble legitimate domains but contain slight
variations or typographical errors
Fake domains often host phishing sites, malicious downloads, or advertising pages
Idea is to trick users into visiting the fake site
Examples:
◦ Legitimate: google.com / Typosquatted: gooogle.com
◦ Legitimate: facebook.com / Typosquatted: facbook.com
◦ Legitimate: amazon.com / Typosquatted: amaz0n.com
◦ Legitimate: example.com / Typosquatted: example.co
◦ Legitimate: twitter.com / Typosquatted: twiter.com
◦ Legitimate: microsoft.com / Typosquatted: microsoft.biz
◦ Legitimate: bank.com / Typosquatted: bаnk.com (Cyrillic а instead of Latin a)
◦ Legitimate: paypal.com / Typosquatted: раypal.com (Cyrillic р instead of Latin p)
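As an added example (not from the course), a checker that flags the kinds of look-alike domains listed above against a list of legitimate names: the legitimate list is the slide’s, the suspect domains are the slide’s typosquats, and the Cyrillic letters are written as Unicode escapes. A defender can run the same check over newly registered domains or the hosts seen in proxy logs.

```python
"""Look-alike domain checker (added example; not course code).

Given an organization's legitimate domains, it flags a candidate domain that
(1) contains non-ASCII characters such as the Cyrillic letters in the slide's
examples, (2) is within a small edit distance of a legitimate name, or
(3) reuses the legitimate second-level label under a different TLD.
"""
import unicodedata
from typing import List, Tuple

LEGITIMATE = ["google.com", "facebook.com", "amazon.com", "example.com",
              "twitter.com", "microsoft.com", "bank.com", "paypal.com"]


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (second-level label, tld); a bare label gets an empty tld."""
    labels = domain.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")


def non_ascii_chars(domain: str) -> List[Tuple[str, str]]:
    """Non-ASCII characters with their Unicode names (this exposes homoglyphs)."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in domain if ord(ch) > 127]


def check_domain(candidate: str, legitimate: List[str] = LEGITIMATE,
                 max_distance: int = 2) -> List[str]:
    """Return the reasons this candidate looks like a typosquat (empty if clean)."""
    findings: List[str] = []
    cand = candidate.lower().rstrip(".")
    for ch, name in non_ascii_chars(cand):
        findings.append(f"homoglyph: {ch!r} is {name}")
    if cand in legitimate:
        return findings
    c_sld, c_tld = split_domain(cand)
    for legit in legitimate:
        l_sld, l_tld = split_domain(legit)
        if c_sld == l_sld and c_tld != l_tld:
            findings.append(f"TLD swap of {legit}: .{c_tld} instead of .{l_tld}")
        else:
            distance = levenshtein(cand, legit)
            if 0 < distance <= max_distance:
                findings.append(f"near-miss of {legit} (edit distance {distance})")
    return findings


# Constructed test set: the slide's typosquats, Cyrillic letters as escapes.
SUSPECTS = {
    "gooogle.com": "extra letter",
    "facbook.com": "missing letter",
    "amaz0n.com": "digit for letter",
    "example.co": "TLD swap",
    "twiter.com": "missing letter",
    "microsoft.biz": "TLD swap",
    "b\u0430nk.com": "Cyrillic a (U+0430) for Latin a",
    "\u0440aypal.com": "Cyrillic er (U+0440) for Latin p",
}

if __name__ == "__main__":
    for domain, why in SUSPECTS.items():
        print(f"{domain:16} {why:34} -> {check_domain(domain)}")
```

The edit-distance rule is the noisy one: for very short names a threshold of 2 also matches unrelated domains, so it is tuned per list rather than fixed.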
ATM Card Skimmer
A small, illegal device that's installed on ATMs, point-of-sale (POS) terminals, or gas pumps to steal card information
Scammers use the data to make online purchases, create fake credit cards, and steal from victims' accounts
Card skimmers are designed to blend in with the rest of the machine, making them hard to spot
RFID Skimming
RFID Identity Theft
Copy the contents of an RFID card from a short distance, without the user’s knowledge, so that information can be used later for unauthorized access to a secure area
Larger/custom antenna allows attacker to be a foot or so away from the target
◦ You can hide it in a backpack
◦ Get next to the victim in an elevator, checkout line, etc.
Variants exist for RFID, NFC, and encrypted cards
USB Stick Baiting
A type of social engineering
Compromised sticks are scattered where users will find them
◦ When plugged in they autorun the payload
◦ Infected “game” or fake media file
◦ Payload is often re-encoded to evade anti-virus
The user plugs the stick into their machine inside the network
Payload connects to waiting attacker
Requires attacker set up exploit handler to receive incoming request
USB Cable Baiting
A variant on the malicious USB stick
A USB phone cable has programmable malicious firmware and a tiny Wi-Fi transceiver
The victim uses it to plug their phone into a computer
The cable runs pre-configured commands or interacts in real-time with the attacker
Dumpster Diving Examples
Malware
Malware Overview
Malware is a file, program or string of code used for malicious activity, such as damaging devices, demanding ransom and stealing sensitive data
◦ Classified by the payload or malicious action it performs
Typically delivered over a network
◦ Social engineering
◦ Malicious websites
◦ Can also be delivered via physical media
Malware Types
Viruses: Malicious programs that attach to files and replicate by infecting other files on the same
system
Worms: Self-replicating malware that spreads across networks without requiring a host file
Trojans: Malicious software disguised as legitimate applications to trick users into installing it
Ransomware: Malware that encrypts data and demands payment to restore access
Bots: Compromised systems controlled remotely, often as part of a botnet for coordinated
malicious activities
Adware: Unwanted software that delivers intrusive advertisements, often bundled with
legitimate programs
Malware Types (cont’d)
Spyware: Malicious software that secretly gathers and transmits user data without consent
Browser Hijackers: Malware that alters browser settings, redirecting users to malicious websites
or displaying unwanted ads
Rootkits: Stealthy software designed to gain unauthorized root-level access and hide other
malware
Keyloggers: Programs that record users' keystrokes to steal sensitive information like passwords
Fileless Malware: Malware that operates in memory without installing files, evading traditional
detection methods
Malvertising: Malicious advertisements that deliver malware through legitimate advertising
networks
Network Attacks Review
Review
A Denial-of-Service (DoS) attack is a malicious attempt to disrupt or shut down a server, service,
or network
DoS attacks are typically accomplished by flooding it with illegitimate requests, essentially
overwhelming its resources and preventing legitimate users from accessing it
DoS attacks can also be accomplished by sending malformed packets that the target wastes time
trying to interpret, or by attacking other application or protocol-based vulnerabilities
A Distributed Denial-of-Service (DDoS) attack is a coordinated attack by multiple attackers
against a single target
Review (cont’d)
VLAN hopping is an attack which bypasses the normal isolation between VLANs
In VLAN hopping, the attacker creates a rogue trunk link with the switch so that malicious packets can be sent to a target on any VLAN
MAC flooding is an attack that intentionally overwhelms a switch with phony MAC addresses,
overwhelming its MAC table and forcing it to start behaving like a hub
The goal of MAC flooding is to be able to sniff sensitive traffic from any switchport
ARP poisoning is when an attacker sends false ARP messages to link their MAC address with the
IP address of another network device
Attackers use ARP poisoning to insert themselves in between two hosts, to capture or modify
their communications
Review (cont’d)
The term “ARP spoofing” can refer to two related but distinct types of attacks
Switch spoofing: The attacker sends fake ARP replies to a switch, tricking it into sending copies of
the target’s traffic to the attacker
ARP poisoning: The attacker sends fake ARP messages, associating their MAC address with the
target’s IP address
In both cases, the goal of ARP spoofing is to redirect traffic intended for another recipient to the
attacker—either in addition to or instead of its original destination
Review (cont’d)
DNS spoofing is an attack that can refer to either a rogue device pretending to be a DNS server, or a DNS poisoning attack in which fake records are injected into a DNS server’s zone file or lookup cache
An on-path attack, aka MITM, is one in which communication is intercepted by an attacker
injecting themselves between the two communicating nodes
A rogue is any unauthorized device or service added to the network
Rogue devices can be malicious or unintentionally disruptive
A rogue DHCP server is an unauthorized DHCP server that leases inappropriate IP addresses and
scope options to unsuspecting clients
An evil twin is a malicious rogue wireless access point set up to intercept user credentials or
sniff/misdirect Wi-Fi traffic
Review (cont’d)
Social engineering is the psychological manipulation of people into divulging confidential
information or performing actions that they shouldn’t do
Social engineering is a very successful, low-tech way of gaining unauthorized information or
access to systems
Phishing is a type of social engineering in which the attacker sends a fake email to a user to
entice them into opening a malicious attachment or clicking a malicious link
Shoulder surfing is a type of social engineering in which a person spies on the victim as they type
Dumpster diving is a type of social engineering in which the attacker goes through the victim’s
trash in hopes of finding sensitive information
Tailgating is a type of social engineering in which an unauthorized person follows an authorized
person into the secure or restricted area WITHOUT the knowledge or consent of the authorized
person
Review (cont’d)
URL hijacking, AKA typo squatting, involves creating domain names that closely resemble
legitimate domains but contain slight variations or typographical errors
The idea in URL hijacking is to trick users into visiting a fake site that contains malicious
downloads or unwanted advertising
An ATM card skimmer is a small, illegal device that's installed on ATMs, point-of-sale (POS)
terminals, or gas pumps to steal credit or debit card information
Review (cont’d)
RFID skimming is the use of specialized hardware to copy the contents of an RFID card from a
short distance, without the user’s knowledge, so that information can be used later for
unauthorized access to a secure area
USB stick baiting and cable baiting are both types of social engineering in which malicious
versions of these devices are left out in the open for unsuspecting users to find
When a victim plugs a malicious USB stick or cable into their computer, the device allows the
attacker to send malicious commands to the computer
Malware is a file, program or string of code used for malicious activity, such as damaging
devices, demanding ransom and stealing sensitive data
Malware can be delivered via physical media, or over a network via phishing or malicious
websites
4.3 Network Defense
Network + N10-009 Module 4
Device Hardening
Network Access Control (NAC)
Key Management
Security Rules
Zones
Network Defense Review
Device Hardening
What is Device Hardening?
Securing devices by minimizing vulnerabilities through configuration changes, updates, and
disabling unnecessary features or services
Can be performed on any device type, including network devices, computers, mobile devices, and
IoT devices and OT ICS/SCADA devices
Tailor hardening measures to the specific device and its operational role for maximum security
General Device Hardening Strategies
Work from your security configuration baseline
Change all default settings
Change default passwords if applicable
Require strong authentication if possible
Disable unnecessary services, features, ports and protocols
Enable the host firewall if one exists
Enable built-in OS and OEM security features
Install latest patches and security updates as applicable
General Device Hardening Strategies (cont’d)
Update firmware and OS version if possible
Install/enable antivirus/anti-malware software if possible
Implement strict access control based on “least privilege”
Prefer to deploy from templates or a golden image
Regularly back up data
Physically secure the unit
Deploy additional controls to protect the network segment or surrounding environment
Maintain an asset inventory
Additional Strategies for Hardening Network Devices
Set strong encrypted passwords at the console, for remote access, and privileged commands
Change the native VLAN on switches where applicable
Create a VLAN specifically for network device management
If possible, only permit remote administration from the inside network
If possible, disallow web-based administration
Consider applying access control lists to limit traffic to, from, and through the device
Additional Strategies for Client Computers
Follow vendor security recommendations
Enable and regularly update anti-malware software
Update and patch regularly
Install or enable a host-based firewall
Additional Strategies for Hardening Servers
Implement strict access control based on “least privilege”
Implement secure authentication, including MFA for admins
Place in a secure VLAN/network segment
Monitor using network- and host-based IDS
Control traffic using a network firewall and/or IPS appliance
Implement change management
Patch regularly – test and be able to roll back changes if necessary
Where appropriate, implement high availability and/or load balancing for key service(s)
Forward logs to a syslog server (preferably continuously monitor with a SIEM)
Have a disaster recovery plan with RTO and RPO for key services
Additional Strategies for Hardening Mobile Devices
Install updates
Install endpoint protection
Do not jailbreak or root the device
Only install apps from trusted sources / do not side-load apps
Use strong passwords/biometrics/MFA
Use a VPN/avoid public or free Wi-Fi
Enable device encryption
Keep backups
Prefer to manage using Mobile Device Management (MDM)
Additional Strategies for Hardening IoT Devices
Implement all manufacturer security recommendations
◦ Change default passwords, disable unnecessary features and services, etc.
Deploy compensating controls, especially at the network level
◦ Network segmentation, firewall, IDS/IPS
Include security considerations during the buying process
◦ Buy devices that have the new U.S. Cyber Trust Mark certification
Additional Strategies for Hardening ICS/SCADA Devices
Implement any manufacturer recommendations or industry best practices
Use a firewall to separate the corporate network from the ICS network
Use VLANs and network segmentation on the production floor where possible
Implement compensating controls for systems that cannot be patched or upgraded
Use a WIPS to monitor for rogue wireless devices (that might have been planted)
Visually inspect for rogue devices/connections
Secure any remote access to ICS Devices
Harden supervisor and operator systems
Network Access Control (NAC)
Port Security
The ability to limit traffic entering Layer 2 switchports
You can set port security to:
◦ Limit the # of MAC addresses that are allowed on a port
◦ Specify which MAC addresses are allowed on that port
◦ Specify the action if there is a security violation on the port
You can configure what the switch will do in case of a port security violation:
◦ Shut the port
◦ Log the violation and discard offending traffic
◦ Log the violation only
For switchports that have both Voice and Data VLANs, ensure that TWO MAC addresses are permitted on the port
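An added example, not course material, that models both the MAC flooding attack from 4.2 and the port security countermeasure above: a tiny switch with a fixed-capacity MAC table, two legitimate hosts, and an attacker port sending frames with random spoofed source MACs. Port names, MAC addresses and the table capacity are made up, and the violation actions are modelled as shutdown, restrict (drop and log) and protect (drop silently), the usual vendor set rather than the slide’s exact wording.

```python
"""Switch MAC table with port security (added example; not course code).

Hosts aa:aa:... on Fa0/1 and bb:bb:... on Fa0/2, attacker on Fa0/3. The MAC
table has a fixed capacity and, to approximate entries aging out while a
flood keeps the table full, evicts its oldest entry when a new one must be
learned. Without port security the legitimate entries are pushed out and
traffic between the hosts is flooded out every port, including the
attacker's; with a per-port MAC limit the violation action fires instead.
"""
import random
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class PortSecurity:
    max_macs: int = 1
    violation: str = "shutdown"   # "shutdown" | "restrict" (drop + log) | "protect" (drop silently)


@dataclass
class Switch:
    ports: Tuple[str, ...]
    table_capacity: int
    mac_table: OrderedDict = field(default_factory=OrderedDict)     # mac -> port, oldest first
    port_macs: Dict[str, Set[str]] = field(default_factory=dict)   # port -> MACs learned on it
    security: Dict[str, PortSecurity] = field(default_factory=dict)
    shutdown_ports: Set[str] = field(default_factory=set)
    violations: Dict[str, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def enable_port_security(self, port: str, max_macs: int = 1, violation: str = "shutdown") -> None:
        self.security[port] = PortSecurity(max_macs, violation)

    def _learn(self, port: str, src_mac: str) -> bool:
        """Learn src_mac on port; return False if the frame must be dropped."""
        if port in self.shutdown_ports:
            return False
        learned = self.port_macs.setdefault(port, set())
        if src_mac in learned:
            return True
        sec = self.security.get(port)
        if sec is not None and len(learned) >= sec.max_macs:
            self.violations[port] = self.violations.get(port, 0) + 1
            if sec.violation == "shutdown":
                self.shutdown_ports.add(port)
                self.log.append(f"{port}: port security violation, port err-disabled")
            elif sec.violation == "restrict":
                self.log.append(f"{port}: port security violation, frame from {src_mac} dropped")
            return False
        if len(self.mac_table) >= self.table_capacity:
            old_mac, old_port = self.mac_table.popitem(last=False)   # oldest entry ages out
            self.port_macs[old_port].discard(old_mac)
        self.mac_table[src_mac] = port
        learned.add(src_mac)
        return True

    def receive(self, port: str, src_mac: str, dst_mac: str) -> List[str]:
        """Process one frame; return the list of ports it is forwarded out of."""
        if not self._learn(port, src_mac):
            return []
        out = self.mac_table.get(dst_mac)
        if dst_mac == BROADCAST or out is None or out == port:
            return [p for p in self.ports if p != port]   # unknown destination: flood (hub-like)
        return [out]


def run_scenario(violation: Optional[str], flood_frames: int = 5000, seed: int = 1) -> Dict[str, object]:
    """Run the flood with port security mode `violation` on the attacker port, or off when None."""
    rng = random.Random(seed)
    sw = Switch(ports=("Fa0/1", "Fa0/2", "Fa0/3"), table_capacity=1000)
    host_a, host_b, attacker_port = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "Fa0/3"
    if violation is not None:
        sw.enable_port_security(attacker_port, max_macs=1, violation=violation)
    sw.receive("Fa0/1", host_a, host_b)          # legitimate hosts are learned first
    sw.receive("Fa0/2", host_b, host_a)
    for _ in range(flood_frames):                # attacker: frames with random spoofed source MACs
        spoofed = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        sw.receive(attacker_port, spoofed, BROADCAST)
    delivered = sw.receive("Fa0/2", host_b, host_a)   # a later unicast frame from B to A
    return {
        "table_size": len(sw.mac_table),
        "attacker_port_shutdown": attacker_port in sw.shutdown_ports,
        "violations": sw.violations.get(attacker_port, 0),
        "b_to_a_out_ports": delivered,
        "attacker_sees_b_to_a": attacker_port in delivered,
    }


if __name__ == "__main__":
    for mode in (None, "shutdown", "restrict"):
        print(mode or "no port security", run_scenario(mode))
```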
802.1x
An IEEE standard for port-based network access control
Defines a framework for authenticating devices attempting to connect to a LAN or WLAN
◦ Implemented as a feature on the authenticating device (switch, WAP, VPN server)
◦ User traffic cannot move past the authenticator until the user or device successfully authenticates
Typically incorporated in RADIUS and TACACS+ AAA implementations
(diagram label: Authentication traffic)
MAC Filtering
A basic network access control mechanism that allows or blocks devices from connecting to a
Wi-Fi network based on their MAC addresses
Provides a simple way to restrict or grant access to specific devices
Adds an extra hurdle for unauthorized users, complementing other security measures like
WPA2/WPA3 encryption
Most Wi-Fi routers and APs have options for enabling MAC filtering and managing the
allowed/denied lists of MAC addresses
Unfortunately, MAC filtering is easy to bypass
◦ Attackers can spoof MAC addresses to match an allowed device, rendering the filtering ineffective
Key Management
Key Management
The processes and mechanisms used to generate, distribute, store, rotate, revoke, and securely manage cryptographic keys throughout their lifecycle
Numerous key management solutions exist as hardware, software, or cloud-based services
Key Management Techniques
Manual Key Management
◦ Keys are manually generated and distributed, suitable for small systems but impractical for large-scale
environments
Automated Key Management
◦ Keys are managed using specialized software or hardware systems, improving scalability and security
Centralized Key Management
◦ A central authority manages keys for an entire organization
◦ Benefits: Easier administration, better compliance tracking
Decentralized Key Management
◦ Each system or user is responsible for their own key management
◦ Suitable for distributed or independent systems
◦ Often used with cloud databases
◦ The provider encrypts the record, but the customer has the key needed to decrypt the record
Key Management Challenges
Key Distribution
◦ Ensuring secure and tamper-proof key exchange, especially over untrusted networks
Key Protection
◦ Preventing unauthorized access to keys in storage or transit
Key Expiration and Rotation
◦ Automating processes to ensure keys are rotated or retired as needed
Compliance and Auditing
◦ Meeting regulatory requirements for secure key management and demonstrating compliance through audits
Security Rules
Access Control List
A set of rules or permissions that define which users, systems, or processes are allowed or
denied access to specific resources, such as files, directories, network traffic, or devices
ACLs specify the types of operations (e.g., read, write, execute) that are permitted or restricted
for each entity, helping enforce security and access policies in an environment
ACLs on the network can be implemented on firewalls and packet-filtering routers
ACLs on a host can be implemented as permissions to resources as:
◦ File system
◦ Windows registry
◦ Directory services and other databases
◦ Printers
◦ Shared files and folders
Firewall Rules Example
URL Filtering
A cybersecurity technique used to control and restrict access to websites based on their URL (Uniform Resource Locator)
◦ Prevent access to malicious websites, phishing sites, or pages hosting malware
◦ Enforce adherence to industry regulations or company policies (e.g., blocking gambling or inappropriate content)
Commonly implemented in firewalls, web proxies, or secure web gateways to enhance network security and enforce acceptable use policies
1. Administrators define policies specifying which URL categories or individual URLs are allowed, blocked, or monitored
2. When a user attempts to access a URL, the filtering mechanism checks the policy and either allows or denies access
3. URLs are compared against a pre-defined database or categorized lists (e.g., social media, gambling, malicious sites)
◦ Some systems analyze URLs dynamically in real-time using AI or threat intelligence to detect newly malicious or uncategorized sites
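The three steps above as a small policy engine, added here as an example that is not part of the course: individual URL rules take precedence over category rules, a parent domain’s category applies to its subdomains, and uncategorized hosts get a default action. The category database, the policy and the hostnames (all under .example and .test) are constructed.

```python
"""URL filtering policy engine (added example; not course code).

Step 1: an administrator policy mapping categories and individual URLs to
allow/block/monitor.  Step 2: each request is checked against that policy.
Step 3: the requested host is looked up in a categorized list, walking up
through parent domains, with a default for uncategorized sites.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed category database: hostname -> category (real products use vendor feeds).
CATEGORY_DB: Dict[str, str] = {
    "social.example": "social-media",
    "bets.example": "gambling",
    "malware-drop.example": "malicious",
    "intranet.corp.example": "business",
}

# Constructed administrator policy. Individual URL rules override category rules.
POLICY: dict = {
    "categories": {"malicious": "block", "gambling": "block",
                   "social-media": "monitor", "business": "allow"},
    "urls": {"social.example/careers": "allow"},
    "uncategorized": "monitor",
}


def normalize(url: str) -> Tuple[str, str]:
    """Split a URL into (lowercase host, path); scheme, port and case are dropped."""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip("."), parts.path or "/"


def categorize(host: str, db: Dict[str, str] = CATEGORY_DB) -> Optional[str]:
    """Walk from the full host up through its parent domains (never the bare TLD)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        category = db.get(".".join(labels[i:]))
        if category is not None:
            return category
    return None


def decide(url: str, policy: dict = POLICY, db: Dict[str, str] = CATEGORY_DB) -> Dict[str, str]:
    """Return the action for one request and the rule that produced it."""
    host, path = normalize(url)
    best: Optional[Tuple[str, str]] = None        # (rule path, action); longest matching prefix wins
    for rule_url, action in policy["urls"].items():
        rule_host, rule_path = normalize(rule_url)
        if rule_host == host and path.startswith(rule_path):
            if best is None or len(rule_path) > len(best[0]):
                best = (rule_path, action)
    if best is not None:
        return {"host": host, "action": best[1], "reason": f"URL rule {host}{best[0]}"}
    category = categorize(host, db)
    if category is None:
        return {"host": host, "action": policy["uncategorized"], "reason": "uncategorized"}
    return {"host": host, "action": policy["categories"].get(category, "allow"),
            "reason": f"category {category}"}


def filter_requests(urls: List[str]) -> Dict[str, List[str]]:
    """Group a batch of requested URLs by the action the policy assigns them."""
    grouped: Dict[str, List[str]] = {"allow": [], "block": [], "monitor": []}
    for url in urls:
        grouped[decide(url)["action"]].append(url)
    return grouped


# Constructed sample of requests as the filter would see them.
SAMPLE_REQUESTS = [
    "http://www.social.example/feed",
    "https://social.example/careers/apply",
    "https://BETS.example:8443/slots",
    "http://cdn.malware-drop.example/update.exe",
    "https://intranet.corp.example/",
    "https://unknown-site.test/page",
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(decide(request))
```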
URL Filtering Example (diagram: URL Filtering System)
Content Filtering
A cybersecurity and compliance technique used to monitor, control, and restrict access to digital
content based on predefined rules or policies
Ensures that users can access only appropriate or authorized content
Content filtering systems analyze data passing through a network, including web pages, emails,
and files, to determine whether it adheres to organizational policies
◦ When users attempt to access or transmit content, the filtering system applies these policies to decide
on the action
◦ Inspections can be based on keywords, file types, URLs, or metadata
Protects organizations from security risks, maintains productivity, and helps adhere to regulatory
requirements
Content Filtering Example
Zones
Network Zone
A network segment used to grant or restrict access to a group of computers or devices
◦ Zones should be created based on security needs
◦ All devices in the same zone should have the same security requirements
Most networks have multiple zones
◦ Zones can be physical or logical (VLAN) segments
Firewalls, packet filtering routers, and VPN servers typically enforce traffic control between zones
IDS/IPS is often also used to protect the higher-security zones
Network Zones Example (diagram of zones): Internet, Extranet, DMZ, Guest Wi-Fi, Staff Wi-Fi, Phones, Cameras, Private Network, Secured Private Network, Admin Network
Trusted vs Untrusted
Refers to the security level of a network segment
Firewalls protect the “trusted” network from the “untrusted” network
When setting up the firewall, the administrator indicates which ports are connected to trusted
networks, and which are connected to untrusted networks
Typically, the outside interface(s) is connected to the untrusted, outside network (Internet)
The inside interface(s) is connected to the trusted, inside network (intranet)
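Both the zone material above and the trusted/untrusted ordering can be shown in one policy evaluator. This is an added example, not the slide deck's or any firewall vendor's code; the zone names, trust levels, interface-to-zone mapping, subnets and rules are constructed. The default it encodes is the one the text describes: traffic from a more-trusted zone toward a less-trusted one is permitted, traffic the other way is denied unless a specific rule opens it. It evaluates the initiating packet of a flow only; stateful tracking of return traffic is out of scope.

```python
"""Zone-based traffic control (constructed example).

Interfaces are assigned to zones; each zone has a trust level. The
evaluator first checks explicit rules (first match wins), then falls back
to the trust ordering: higher trust -> lower trust is allowed, lower trust
-> higher trust is denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Trust levels: a higher number is more trusted. The DMZ sits between.
ZONES = {"internet": 0, "dmz": 50, "private": 100}

# Interface -> zone, as set by the administrator when configuring the firewall.
INTERFACES = {"eth0": "internet", "eth1": "dmz", "eth2": "private"}

# Constructed subnets behind each interface; 0.0.0.0/0 is the outside fallback.
SUBNETS = {
    "eth0": ip_network("0.0.0.0/0"),
    "eth1": ip_network("192.0.2.0/24"),
    "eth2": ip_network("10.10.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    action: str  # "allow" or "deny"


# Explicit exceptions to the default ordering. First match wins.
RULES = [
    Rule("internet", "dmz", "tcp", 443, "allow"),    # published web server
    Rule("dmz", "private", "tcp", 5432, "allow"),    # web tier -> database only
    Rule("private", "internet", "tcp", 23, "deny"),  # no telnet outbound
]


def zone_of(ip: str) -> str:
    """Map an address to its zone via the most specific matching subnet."""
    addr = ip_address(ip)
    best = max((n for n in SUBNETS if addr in SUBNETS[n]),
               key=lambda n: SUBNETS[n].prefixlen)
    return INTERFACES[best]


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> tuple[str, str]:
    """Return (action, reason) for the first packet of a flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow", f"intra-zone {src}"
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (src, dst, proto, dport):
            return r.action, f"rule {src}->{dst} {proto}/{dport}"
    if ZONES[src] > ZONES[dst]:
        return "allow", f"default: {src} is more trusted than {dst}"
    return "deny", f"default: {src} is less trusted than {dst}"


if __name__ == "__main__":
    # Constructed flows: inbound to the DMZ, DMZ to the database, outbound telnet.
    flows = [
        ("203.0.113.5", "192.0.2.10", "tcp", 443),
        ("203.0.113.5", "192.0.2.10", "tcp", 22),
        ("192.0.2.10", "10.10.1.5", "tcp", 5432),
        ("192.0.2.10", "10.10.1.5", "tcp", 22),
        ("10.10.1.5", "203.0.113.5", "tcp", 23),
        ("10.10.1.5", "203.0.113.5", "tcp", 443),
    ]
    for f in flows:
        print(f, "->", evaluate(*f))
```

The DMZ-to-private rule is the important one to read twice: the DMZ is less trusted than the private network, so a compromised web server gets only the one port it needs, and nothing else, into the inside.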
Trusted vs Untrusted Example
(Figure: Internet (Untrusted) -> External Firewall -> DMZ, aka Screened Subnet (generally considered untrusted) -> Internal Firewall -> Private Network (Trusted); each firewall's outside interface is marked Untrusted and its inside interface Trusted)
Network Defense Review
Review
Device hardening is the process of securing devices by minimizing vulnerabilities through
configuration changes, updates, and disabling unnecessary features or services
Device hardening can be performed on any device type, including network devices, computers,
mobile devices, IoT devices, and OT (ICS/SCADA) devices
You should tailor hardening measures to the specific device and its operational role for
maximum security
Review (cont’d)
Port security is the ability to limit traffic entering Layer 2 switchports
You can set port security to:
◦ Limit the # of MAC addresses that are allowed on a port
◦ Specify which MAC addresses are allowed on that port
◦ Specify the action if there is a security violation on the port
You can configure what the switch will do in case of a port security violation:
◦ Shut the port
◦ Log the violation and discard offending traffic
◦ Log the violation only
Review (cont’d)
802.1x defines a framework for authenticating devices attempting to connect to a LAN or WLAN
802.1x is implemented as a feature on the authenticating device (switch, WAP, VPN server)
User traffic cannot move past the authenticator until the user or device successfully
authenticates
802.1x is typically incorporated in RADIUS and TACACS+ AAA implementations
Review (cont’d)
An access control list (ACL) is a set of rules or permissions that define which users, systems, or
processes are allowed or denied access to specific resources, such as files, directories, network
traffic, or devices
ACLs specify the types of operations (e.g., read, write, execute) that are permitted or restricted
for each entity, helping enforce security and access policies in an environment
ACLs can be implemented on firewalls and packet-filtering routers, as well as on a host to control
access to local resources
Review (cont’d)
URL filtering is used to control and restrict access to websites based on their URL (Uniform
Resource Locator)
URL filtering is commonly implemented on firewalls, web proxies, or secure web gateways to
enhance network security and enforce acceptable use policies
Content filtering is a compliance technique used to monitor, control, and restrict access to digital
content based on predefined rules or policies
Content filtering ensures that users can access only appropriate or authorized content
Review (cont’d)
A network zone is a network segment used to grant or restrict access to a group of computers or
devices
Network zones are created based on security needs, with all devices in a zone having the same
security requirements
Firewalls, packet filtering routers, and VPN servers are typically used to enforce traffic control
between zones
“Trusted” and “untrusted” refers to the security level of a network segment
Typically, the “trusted” network is the internal, private network
The “untrusted” network is the external network, usually the Internet
A DMZ is also usually considered to be untrusted
Firewalls protect the “trusted” network from the “untrusted” network