
Week 3: Secure against network intrusions

You will understand types of network attacks and techniques used to secure compromised network systems and devices. You’ll explore the many ways that malicious actors exploit vulnerabilities in network infrastructure and how cybersecurity professionals identify and close potential loopholes.

Learning Objectives

  • Describe network intrusion tactics
  • Explain how to secure a network against intrusion tactics
  • Investigate security breaches
  • Understand different types of network attacks
  • Troubleshoot basic network issues using appropriate tools and methods

Introduction to network intrusion tactics


Video: Welcome to module 3

This video is about securing networks from attacks. It will teach the viewer how to protect the valuable information that networks contain. The video will discuss network intrusion tactics and how a security analyst can protect against network attacks.

Hey there! Welcome to this video about securing networks from attacks. You’ve come a long way already in your understanding of networks and network security. Now you’ll learn how to secure networks, so that the valuable information they contain doesn’t get into the wrong hands. We’re going to discuss how network intrusion tactics can present a threat to networks and how a security analyst can protect against network attacks. Let’s get started.

Video: The case for securing networks

It is important to secure networks because they are constantly at risk of attack from malicious hackers. Attacks can have a catastrophic impact on an organization, leaking valuable or confidential information, damaging its reputation, and impacting customer retention. Mitigating attacks can also cost the organization money and time.

One example of a large-scale attack was the 2014 attack against Home Depot, where hackers compromised servers with malware and stole the credit and debit card information for over 56 million customers.

In the next video, we will learn about some common network attacks.

The case for securing networks in Cybersecurity

Networks are essential for businesses and organizations of all sizes. They allow us to communicate and share data with each other, and they power many of the applications and services that we rely on every day. However, networks are also a prime target for cyberattacks. Attackers can exploit vulnerabilities in networks to gain access to sensitive data, disrupt operations, and cause financial losses.

Here are some of the reasons why securing networks is so important:

  • To protect sensitive data. Networks often contain sensitive data, such as customer information, financial data, and intellectual property. If this data falls into the wrong hands, it can be used for fraud, identity theft, or other criminal activity.
  • To prevent disruptions to operations. Cyberattacks can disrupt network operations, making it difficult or impossible for employees to work and for customers to access services. This can lead to lost revenue and damage to reputation.
  • To avoid financial losses. Cyberattacks can also lead to financial losses, through theft of data, ransom payments, and the costs of remediation and recovery.

How to secure networks

There are a number of steps that businesses and organizations can take to secure their networks. Some of the most important include:

  • Implementing strong security policies and procedures. This includes having clear policies in place for password management, access control, and data security.
  • Using firewalls and intrusion detection systems. Firewalls can help to block unauthorized access to networks, while intrusion detection systems can monitor network traffic for suspicious activity.
  • Keeping software up to date. Software updates often include security patches that can help to protect against known vulnerabilities.
  • Educating employees about cybersecurity. Employees should be trained on how to identify and avoid phishing attacks and other common cyber threats.

Conclusion

Securing networks is essential for protecting businesses and organizations from cyberattacks. By taking the steps outlined above, businesses and organizations can help to reduce their risk of being compromised and minimize the impact of any attacks that do occur.

Additional tips for securing networks

  • Segment your network. This means dividing your network into different subnetworks, each with its own security controls. This can help to contain the damage if one part of your network is compromised.
  • Use strong passwords and authentication. All users should have strong, unique passwords that are replaced when there is reason to believe they have been exposed (current guidance no longer favors forced periodic rotation, which pushes people toward predictable variations). Use multi-factor authentication wherever it is supported to add a second layer of security.
  • Be careful about what you click on. Emails and phishing websites can be used to deliver malware and other threats. Be careful about what links you click on and what attachments you open.
  • Back up your data regularly. In the event of a cyberattack, having a backup of your data can help you to recover quickly and minimize the damage.

By following these tips, you can help to secure your networks and protect your business from cyberattacks.

Which of the following are common network attacks? Select all that apply.

Packet flooding, Spoofing, Malware

Spoofing, packet flooding, and malware are all common network attacks.

Let’s start by answering the question, why do we need secure networks? As you’ve learned, networks are constantly at risk of attack from malicious hackers. Attackers can infiltrate networks via malware, spoofing, or packet sniffing. Network operations can also be disrupted by attacks such as packet flooding. As we go along, you’re going to learn about these and other common network intrusion attacks in more detail.

Protecting a network from these types of attacks is important. If even one of them happens, it could have a catastrophic impact on an organization. Attacks can harm an organization by leaking valuable or confidential information. They can also be damaging to an organization’s reputation and impact customer retention. Mitigating attacks may also cost the organization money and time.

Over the last few years, there have been a number of examples of damage that cyber attacks can cause. One notorious example was an attack against the American home-improvement chain, Home Depot, in 2014. A group of hackers compromised and infected Home Depot servers with malware. By the time network administrators shut down the attack, the hackers had already taken the credit and debit card information for over 56 million customers.

Now, you know why it’s so important to secure a network. But to keep a network secure, you need to know what kinds of attacks to protect it from. Coming up, you’ll learn about some common network attacks.

Reading: How intrusions compromise your system


Video: Matt: A professional on dealing with attacks

Matt is a chaos specialist at Google, which means he is responsible for planning for and responding to incidents that may go wrong. He got into incident response because he enjoys helping people on their worst day.

Google faces a wide variety of attacks, including ransomware, industrial espionage, and intelligence gathering. One particularly interesting attack involved attackers creating fake social media personas as security researchers in order to build relationships with real security researchers and then sneak in malware.

Being under attack can be very stressful, but Matt’s mantra is “as an incident responder, I am here to help.” He believes that the most important factors in having a good outcome in an incident are command, control, and communications.

Matt’s advice for people who want to get into cybersecurity is that if you want it, you probably belong here. The industry is looking for passionate, curious question-askers who want to build better and make everything more secure.

My name’s Matt, I’m a chaos specialist at Google. They let us choose our own job titles to best describe what it is we do. I spend a lot of my time planning for how to take care of anything that might possibly be going wrong, and when it does happen, putting a team in place to fix it as quickly as possible.

I had no intention of being in technology at all. In high school, I was a lifeguard, first at public pools and then at a state beach. Lifeguarding got me into really enjoying rescue. So I got an EMT license, went through firefighter school. About halfway through my college process, and well into when I was being a firefighter on a daily basis, I was dealing with some burnout, some stress. I needed a change in my life. And a friend of mine who I’d been online gaming with since the early days of online gaming, when it was all text based, he said, I can tell you’re burning out hard and you need a change. My friends and I are going to San Francisco to start a startup. Will you come with us? And I said, you realize I am not a computer guy, right? And he said, no, you’re a computer guy, you just won’t admit it.

The same thing that has drawn me into incident response in tech is what originally drew me to medical response. I really love being there for people on their worst day. Being there when people really need you and they don’t know where else to turn to has always just fed this part of me, and I’m lucky to find that same joy in DFIR, Digital Forensics and Incident Response.

What type of attacks have we faced at Google? That’s a hard question to answer, because we face all of the kinds of attacks that most other companies face. People after ransomware, people after industrial secrets, other countries looking for intelligence information. There was a really interesting attack that occurred a little while ago. They were interested in getting a lot of information from technical companies, specifically about vulnerabilities in software. And they put in place a long running campaign to build personalities on social media as though they were legitimate security researchers, and then reach out to other security researchers in our field, build relationships, and then just at the right moment, sneak in some malware.

Being under attack by an adversary who’s made some progress is incredibly stressful. The first things you’re thinking and feeling are a little bit of a sense of panic. Oh no, this is going to be a bad day. How long am I going to be awake working on this? What have they done? What am I going to do? And for me, the mantra that I repeat to myself is, as an incident responder, I am here to help. The things that are most important to having a good outcome in an incident are what we call the 3Cs: Command, Control and Communications. Meaning someone needs to be in charge of it affirmatively leading. Someone needs to be exerting control over everyone involved so that everyone’s aligned, focused on the mission, and the biggest and most important one of them all: proper communications. If you have something to offer to the incident, don’t just go do it, communicate to someone. I think I could do this to help us make progress. I think if we look over here, we’ll find more data.

The advice that I would give somebody who wants to get into cybersecurity is if you want it, you probably belong here. The more people we have in here, who are passionate, curious question askers, who want to know more, who want to build better, and who care about making everything more secure for the people who have to use technology, those are people we want in the industry and I would want you here.

Secure networks against Denial of Service (DoS) attacks


Video: Denial of Service (DoS) attacks

A denial of service (DoS) attack is an attack that targets a network or server and floods it with network traffic. The goal of the attack is to disrupt normal business operations by overloading an organization’s network.

A distributed denial of service (DDoS) attack is a kind of DoS attack that uses multiple devices or servers in different locations to flood the target network with unwanted traffic.

There are three common network-level DoS attacks. The first two exhaust the target with a high volume of packets; the third relies on a single malformed one:

  • SYN flood attack: The attacker sends a stream of TCP SYN packets (the first step of the three-way handshake), usually from forged source addresses, and never completes the handshake. Each SYN leaves a half-open connection in the server’s backlog table; once that table is full, SYNs from legitimate clients are dropped. Modern stacks mitigate this with SYN cookies, which encode the connection state in the SYN-ACK sequence number instead of storing it.
  • ICMP flood attack: The attacker repeatedly sends ICMP echo requests (pings) to the target, which answers each one with an echo reply. At a high enough rate the requests and replies consume the link bandwidth and CPU, leaving little or no capacity for legitimate traffic.
  • Ping of death attack: The attacker sends a ping whose IP datagram, once its fragments are reassembled, is larger than 65,535 bytes (roughly 64 KB), the maximum size of a correctly formed IPv4 packet. Older IP stacks that did not check the reassembled size overflowed a buffer and crashed. Current operating systems reject such fragments, so this attack is mainly of historical interest, but it is the classic example of one oversized request doing the damage of thousands of normal ones.

DoS and DDoS attacks can be very disruptive and costly for organizations. It is important to have security measures in place to protect your network from these types of attacks.
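The half-open table that a SYN flood fills, and the SYN-cookie defense that avoids keeping that table at all, as an added example in Python (not code from the course): `StatefulListener` stores every SYN until its ACK arrives and drops new SYNs once `BACKLOG_LIMIT` entries are pending, while `SynCookieListener` derives the SYN-ACK sequence number from an HMAC over the client address and the current minute, so it can verify the final ACK without having stored anything. All class and function names, the backlog size, the timeout and the RFC 5737 addresses are constructed for the demo.

```python
import hashlib
import hmac
from collections import OrderedDict

# Constructed toy values. Linux sizes the real table with
# net.ipv4.tcp_max_syn_backlog and turns cookies on with net.ipv4.tcp_syncookies.
BACKLOG_LIMIT = 128
HALF_OPEN_TIMEOUT = 60.0  # seconds a half-open entry stays in the table


class StatefulListener:
    """Classic handshake: every SYN costs a table entry until its ACK arrives."""

    def __init__(self):
        self.half_open = OrderedDict()  # (src_ip, src_port) -> (isn, expiry)
        self.established = set()
        self.now = 0.0
        self._next_isn = 1000

    def _expire(self):
        for key, (_, expiry) in list(self.half_open.items()):
            if expiry <= self.now:
                del self.half_open[key]

    def on_syn(self, src_ip, src_port):
        self._expire()
        if len(self.half_open) >= BACKLOG_LIMIT:
            return None  # table full: the SYN is silently dropped
        isn = self._next_isn
        self._next_isn += 1
        self.half_open[(src_ip, src_port)] = (isn, self.now + HALF_OPEN_TIMEOUT)
        return isn  # sent back to the client as the ISN in the SYN-ACK

    def on_ack(self, src_ip, src_port, ack_number):
        entry = self.half_open.pop((src_ip, src_port), None)
        if entry is None or ack_number != entry[0] + 1:
            return "reset"
        self.established.add((src_ip, src_port))
        return "established"


class SynCookieListener:
    """Stateless handshake: the SYN-ACK's ISN is an HMAC the server can recompute."""

    def __init__(self, secret):
        self.secret = secret
        self.established = set()
        self.now = 0.0

    def _cookie(self, src_ip, src_port, minute):
        msg = f"{src_ip}:{src_port}:{minute}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src_ip, src_port):
        # Nothing is stored, so a flood of SYNs consumes no table space.
        return self._cookie(src_ip, src_port, int(self.now // 60))

    def on_ack(self, src_ip, src_port, ack_number):
        # Accept cookies minted this minute or the previous one (clock rollover).
        current = int(self.now // 60)
        for minute in (current, current - 1):
            expected = (self._cookie(src_ip, src_port, minute) + 1) & 0xFFFFFFFF
            if ack_number == expected:
                self.established.add((src_ip, src_port))
                return "established"
        return "reset"


def run_flood_scenario(listener, attack_syns=1000):
    """Attacker sends SYNs from forged sources and never completes the handshake;
    returns what happens to one legitimate client that connects afterwards."""
    for i in range(attack_syns):
        listener.on_syn(f"203.0.113.{i % 256}", 1024 + i)  # forged source, no ACK ever
    isn = listener.on_syn("198.51.100.7", 40000)
    if isn is None:
        return "dropped"
    return listener.on_ack("198.51.100.7", 40000, (isn + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("stateful:  ", run_flood_scenario(StatefulListener()))        # dropped
    print("syncookie: ", run_flood_scenario(SynCookieListener(b"k")))   # established
```

The cookie listener trades memory for CPU (one HMAC per SYN and per ACK) and loses the ability to remember TCP options negotiated in the SYN, which is why real kernels only switch to cookies once the backlog is under pressure rather than using them for every connection.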

Denial of Service (DoS) attacks are a type of cyber attack that aims to make a computer or network unavailable to its intended users. DoS attacks can be launched against a variety of targets, including websites, servers, and networks.

DoS attacks typically work by flooding the target with traffic, which can overwhelm the target’s resources and make it unable to respond to legitimate requests. DoS attacks can also be launched by exploiting vulnerabilities in the target’s software or configuration.

Types of DoS attacks

There are three broad types of DoS attacks:

  • Volumetric attacks: Flood the target’s link with more traffic than it can carry. ICMP floods, UDP floods, and amplification attacks that bounce traffic off third-party servers (open DNS or NTP servers) fall into this category.
  • Protocol (state-exhaustion) attacks: Exploit how a protocol keeps state rather than raw bandwidth. A SYN flood fills a server’s half-open connection table; fragmentation attacks such as the ping of death abuse IP reassembly.
  • Application-layer attacks: Send requests that look legitimate but are expensive to serve, such as HTTP floods, slow-request attacks that hold connections open for minutes, or repeated calls to a costly search or login endpoint. These need far less bandwidth than volumetric attacks and are harder to tell apart from real users. (SQL injection and cross-site scripting are application vulnerabilities, not denial-of-service techniques, although an injected query can be used to exhaust a database.)

How to protect against DoS attacks

There are a number of things that organizations can do to protect against DoS attacks, including:

  • Use a firewall and rate limits: A firewall can drop malformed packets and traffic to ports that are not meant to be reachable, and can cap the rate of SYNs or ICMP echo requests accepted per source. A firewall behind a saturated link cannot help against a volumetric attack, though; that traffic has to be filtered upstream.
  • Use a load balancer: A load balancer can distribute traffic across multiple servers, so no single server’s connection table or CPU is the bottleneck.
  • Use a content delivery network (CDN) or DDoS scrubbing service: A CDN absorbs traffic at many locations close to its sources and forwards only cleaned requests to the origin, which makes it much harder to saturate a single link.
  • Monitor traffic for suspicious activity: Establish a baseline of normal packet and connection rates and alert on deviations, such as a spike in SYN packets that are never followed by an ACK, a jump in ICMP volume, or many requests from addresses that have never been seen before.
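The monitoring step above, as an added example (not course code) of detection logic run over packet-capture output: `detect_floods` parses lines in the one-line format that `tcpdump -n` prints, counts bare SYNs (flags `[S]`, the first step of the handshake) and ICMP echo requests per destination per second, and raises an alert when a bucket crosses a threshold. The log lines are constructed inline by `build_sample_log` using RFC 5737 documentation addresses; the function names and the thresholds are assumptions for the demo.

```python
import re
from collections import defaultdict

# One-line tcpdump output, e.g.
#   12:00:01.000010 IP 198.51.100.7.40000 > 203.0.113.10.443: Flags [S], seq 1, ...
#   12:00:03.000000 IP 192.0.2.1 > 203.0.113.10: ICMP echo request, id 7, seq 0, ...
TCP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo request")


def detect_floods(lines, syn_threshold=100, icmp_threshold=100):
    """Count bare SYNs and ICMP echo requests per (second, destination) and
    flag any bucket at or above threshold. Returns a sorted list of alert dicts."""
    syn_sources = defaultdict(set)   # (second, dst) -> distinct sources
    syn_count = defaultdict(int)
    icmp_sources = defaultdict(set)
    icmp_count = defaultdict(int)
    for line in lines:
        m = TCP_RE.match(line)
        if m:
            if m["flags"] == "S":   # SYN without ACK; "S." would be the SYN-ACK
                key = (m["ts"], m["dst"])
                syn_count[key] += 1
                syn_sources[key].add(m["src"])
            continue
        m = ICMP_RE.match(line)
        if m:
            key = (m["ts"], m["dst"])
            icmp_count[key] += 1
            icmp_sources[key].add(m["src"])
    alerts = []
    for key, n in syn_count.items():
        if n >= syn_threshold:
            alerts.append({"kind": "syn_flood", "second": key[0], "dst": key[1],
                           "packets": n, "sources": len(syn_sources[key])})
    for key, n in icmp_count.items():
        if n >= icmp_threshold:
            alerts.append({"kind": "icmp_flood", "second": key[0], "dst": key[1],
                           "packets": n, "sources": len(icmp_sources[key])})
    return sorted(alerts, key=lambda a: (a["second"], a["kind"]))


def build_sample_log():
    """Constructed capture: one normal handshake, then 300 SYNs from forged
    sources inside a single second, then 150 ICMP echo requests in one second."""
    lines = [
        "12:00:01.000010 IP 198.51.100.7.40000 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0",
        "12:00:01.000900 IP 203.0.113.10.443 > 198.51.100.7.40000: Flags [S.], seq 2, ack 2, win 65160, length 0",
        "12:00:01.001200 IP 198.51.100.7.40000 > 203.0.113.10.443: Flags [.], ack 3, win 64240, length 0",
    ]
    for i in range(300):
        lines.append(f"12:00:02.{i:06d} IP 192.0.2.{i % 254 + 1}.{10000 + i} > 203.0.113.10.443: "
                     f"Flags [S], seq {i}, win 512, length 0")
    for i in range(150):
        lines.append(f"12:00:03.{i:06d} IP 192.0.2.{i % 254 + 1} > 203.0.113.10: "
                     f"ICMP echo request, id 7, seq {i}, length 1472")
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

The `sources` count is the useful second signal: hundreds of SYNs in one second from hundreds of different addresses that never complete a handshake is a flood with forged sources, whereas the same count from one address is a single misbehaving client that can simply be blocked.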

What to do if you are under attack

If you are under a DoS attack, contact your internet service provider or upstream provider early: only they, or a scrubbing service in front of you, can drop volumetric traffic before it reaches your link. In parallel, apply the local controls you already have, such as rate limits, SYN cookies, and blocking of the ports or protocols being abused.

Then characterise the attack from your own logs and captures: which destination and port, which protocol, how many distinct sources, and whether the source addresses look forged (addresses that should never appear on the Internet, or a spread too uniform to be real). Blocking individual sources only helps when they are few and genuine; against a distributed or spoofed flood, filtering on what the traffic looks like works better than filtering on where it claims to come from. Keep the captures, and report the attack to the appropriate authorities.

Conclusion

DoS attacks can be a serious threat to organizations of all sizes. By understanding the different types of DoS attacks and taking steps to protect against them, organizations can reduce their risk of being successfully attacked.

Fill in the blank: A _____ attack happens when an attacker sends a device or system oversized ICMP packets that are bigger than 64KB.

Ping of death

A ping of death attack is a type of DOS attack caused when a hacker pings a system by sending it an oversized ICMP packet that is bigger than 64KB.
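The check that modern IP stacks apply to stop the ping of death, as an added example in Python (not course code): `FragmentReassembler` rejects any fragment whose end would put the reassembled IPv4 datagram past 65,535 bytes instead of writing past the buffer the way the vulnerable stacks did. It assumes 20-byte IP headers with no options and non-overlapping fragments; `fragment` splits a payload the way a 1500-byte MTU link would. The class and function names and the payloads are constructed, with `PING_OF_DEATH` sized to match the 8-byte ICMP header plus 65,510 data bytes produced by the historical `ping -l 65510` on Windows.

```python
MAX_IPV4_DATAGRAM = 65535                 # 16-bit Total Length field: header + payload
IPV4_HEADER_LEN = 20                      # constructed simplification: no IP options
MAX_PAYLOAD = MAX_IPV4_DATAGRAM - IPV4_HEADER_LEN   # 65515 bytes of payload at most


class FragmentReassembler:
    """Reassembles IPv4 fragments and refuses any datagram whose fragments
    would extend past the 65,535-byte maximum (the ping-of-death bug)."""

    def __init__(self):
        # (src, dst, ident) -> {"chunks": {start_byte: payload}, "total": int or None}
        self.pending = {}

    def add_fragment(self, src, dst, ident, frag_offset, more_fragments, payload):
        key = (src, dst, ident)
        start = frag_offset * 8                  # header field counts 8-octet units
        end = start + len(payload)
        if end > MAX_PAYLOAD:
            self.pending.pop(key, None)          # discard the whole datagram
            return ("rejected", f"fragment ends at byte {end} > {MAX_PAYLOAD}")
        if more_fragments and len(payload) % 8:
            return ("rejected", "non-final fragment length must be a multiple of 8")
        buf = self.pending.setdefault(key, {"chunks": {}, "total": None})
        buf["chunks"][start] = payload
        if not more_fragments:
            buf["total"] = end                   # the last fragment fixes the length
        if buf["total"] is None:
            return ("pending", None)
        covered = 0
        for s in sorted(buf["chunks"]):          # walk the chunks looking for gaps
            if s > covered:
                return ("pending", None)
            covered = max(covered, s + len(buf["chunks"][s]))
        if covered < buf["total"]:
            return ("pending", None)
        data = b"".join(buf["chunks"][s] for s in sorted(buf["chunks"]))
        del self.pending[key]
        return ("complete", data)


def fragment(payload, max_fragment=1480):
    """Split an IP payload as a 1500-byte MTU link would (1500 - 20 header bytes)."""
    frags = []
    for start in range(0, len(payload), max_fragment):
        chunk = payload[start:start + max_fragment]
        more = start + len(chunk) < len(payload)
        frags.append((start // 8, more, chunk))
    return frags


def deliver(payload, src="203.0.113.5", dst="198.51.100.10", ident=0x1234):
    """Feed every fragment of payload to a fresh reassembler; return the final status."""
    reassembler = FragmentReassembler()
    status = ("pending", None)
    for frag_offset, more, chunk in fragment(payload):
        status = reassembler.add_fragment(src, dst, ident, frag_offset, more, chunk)
        if status[0] == "rejected":
            break
    return status


# Constructed ICMP echo payloads: 8-byte ICMP header followed by data.
NORMAL_PING = b"\x08\x00" + b"\x00" * 6 + b"A" * 56        # 64 bytes, one fragment
BIG_BUT_LEGAL = b"\x08\x00" + b"\x00" * 6 + b"B" * 2992    # 3000 bytes, three fragments
PING_OF_DEATH = b"\x08\x00" + b"\x00" * 6 + b"C" * 65510   # 65518 bytes: `ping -l 65510`

if __name__ == "__main__":
    for name, payload in [("normal", NORMAL_PING), ("large", BIG_BUT_LEGAL),
                          ("ping of death", PING_OF_DEATH)]:
        print(f"{name:14s} {deliver(payload)[0]}")
```

The attack works only because the size check has to happen at reassembly time: every individual fragment is a perfectly valid packet, and it is the last one, at offset 65,120 with 398 bytes of data, that pushes the total over the limit.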

Welcome back. In this video, we’re going to discuss denial of service attacks. A denial of service attack is an attack that targets a network or server and floods it with network traffic. The objective of a denial of service attack, or a DoS attack, is to disrupt normal business operations by overloading an organization’s network. The goal of the attack is to send so much information to a network device that it crashes or is unable to respond to legitimate users. This means that the organization won’t be able to conduct their normal business operations, which can cost them money and time. A network crash can also leave them vulnerable to other security threats and attacks.

A distributed denial of service attack, or DDoS, is a kind of DoS attack that uses multiple devices or servers in different locations to flood the target network with unwanted traffic. Use of numerous devices makes it more likely that the total amount of traffic sent will overwhelm the target server. Remember, DoS stands for denial of service. So it doesn’t matter what part of the network the attacker overloads; if they overload anything, they win. An unfortunate example I’ve seen is an attacker who crafted a very careful packet that caused a router to spend extra time processing the request. The overall traffic volume didn’t overload the router; the specifics within the packet did.

Now we’ll discuss network level DoS attacks that target network bandwidth to slow traffic. Let’s learn about three common network level DoS attacks. The first is called a SYN flood attack. A SYN flood attack is a type of DoS attack that simulates the TCP connection and floods the server with SYN packets. Let’s break this definition down a bit more by taking a closer look at the handshake process that is used to establish a TCP connection between a device and a server. The first step in the handshake is for the device to send a SYN, or synchronize, request to the server. Then, the server responds with a SYN/ACK packet to acknowledge the receipt of the device’s request and leaves a port open for the final step of the handshake. Once the server receives the final ACK packet from the device, a TCP connection is established. Malicious actors can take advantage of the protocol by flooding a server with SYN packet requests for the first part of the handshake. But if the number of SYN requests is larger than the number of available ports on the server, then the server will be overwhelmed and become unable to function.

Let’s discuss two other common DoS attacks that use another protocol called ICMP. ICMP stands for Internet Control Message Protocol. ICMP is an internet protocol used by devices to tell each other about data transmission errors across the network. Think of ICMP like a request for a status update from a device. The device will return error messages if there is a network concern. You can think of this like the ICMP request checking in with the device to make sure that all is well. An ICMP flood attack is a type of DoS attack performed by an attacker repeatedly sending ICMP packets to a network server. This forces the server to send an ICMP packet. This eventually uses up all the bandwidth for incoming and outgoing traffic and causes the server to crash.

Both of the attacks we’ve discussed so far, SYN flood and ICMP flood, take advantage of communication protocols by sending an overwhelming number of requests. There are also attacks that can overwhelm the server with one big request. One example that we’ll discuss is called the ping of death. A ping of death attack is a type of DoS attack that is caused when a hacker pings a system by sending it an oversized ICMP packet that is bigger than 64 kilobytes, the maximum size for a correctly formed ICMP packet. Pinging a vulnerable network server with an oversized ICMP packet will overload the system and cause it to crash. Think of this like dropping a rock on a small anthill. Each individual ant can carry a certain amount of weight while transporting food to and from the anthill. But if a large rock is dropped on the anthill, then many ants will be crushed, and the colony is unable to function until it rebuilds its operations elsewhere.

Now that’s it for DoS and DDoS attacks. Coming up, we’ll continue to discuss common network attacks.

Reading: Read tcpdump logs


Reading: Real-life DDoS attack


Practice Quiz: Activity: Analyze network layer communication

Reading: Activity Exemplar: Analyze network layer communication


Practice Quiz: Test your knowledge: Secure networks against Denial of Service (DoS) attacks

What type of attack uses multiple devices or servers in different locations to flood the target network with unwanted traffic?

What type of attack poses as a TCP connection and floods a server with packets simulating the first step of the TCP handshake?

Fill in the blank: The Denial of Service (DoS) attack _ is caused when a hacker sends a system an ICMP packet that is bigger than 64KB.

Which types of attacks take advantage of communication protocols by sending an overwhelming number of requests to a server? Select all that apply.

Network attack tactics and defense


Video: Malicious packet sniffing

Packet sniffing is the practice of using software tools to observe data as it moves across a network. Malicious actors may use packet sniffing to gain unauthorized access to information, such as names, dates of birth, personal messages, financial information, and credit card numbers.

There are two types of packet sniffing: passive and active. Passive packet sniffing is a type of attack where data packets are read in transit. Active packet sniffing is a type of attack where data packets are manipulated in transit.

There are a few ways to protect against malicious packet sniffing:

  • Use a VPN, so that everything between your device and the VPN endpoint is encrypted and a sniffer on the local network sees only ciphertext addressed to the VPN server.
  • Make sure the websites you use are served over HTTPS (the address starts with https://), so the page content is encrypted with TLS even when the network itself is untrusted.
  • Avoid unprotected (open) Wi-Fi, where anyone in radio range can capture the frames without joining a connection.

A sniffer is also a defender’s tool. Running one on your own network (tcpdump or Wireshark, or one of the other commercial and open-source packet capture tools) shows you which of your services still send credentials or personal data in the clear, which is exactly what an attacker would look for.

What is packet sniffing?

Packet sniffing is the practice of monitoring and capturing network traffic. It can be used for legitimate purposes, such as network troubleshooting and security monitoring. However, it can also be used for malicious purposes, such as stealing sensitive data or launching attacks.

How does malicious packet sniffing work?

Malicious packet sniffers use a variety of techniques to capture network traffic. One common technique is to use a software application that runs on a computer on the network. Another technique is to use a hardware device that is connected to the network.

Once a malicious packet sniffer has captured network traffic, it can analyze the traffic to extract sensitive data, such as passwords, credit card numbers, and social security numbers. The attacker can then use this data to commit fraud, identity theft, or other crimes.
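What the analysis step above actually recovers, as an added example in Python (not course code): `parse_packet` decodes the IPv4 and TCP headers of a captured frame, which are readable in every packet, and `find_card_numbers` scans the body for 13 to 19 digit strings that pass the Luhn check. `build_packet` constructs the two sample frames inline: a plaintext HTTP POST carrying the well-known Visa test number 4111111111111111, and a TLS application-data record whose ciphertext is stood in for by pseudo-random bytes, since the demo has no real TLS session. Function names, addresses and payloads are all constructed; checksums are left at zero because nothing here transmits the frames.

```python
import hashlib
import re
import socket
import struct


def build_packet(src, dst, sport, dport, payload):
    """Constructed IPv4+TCP frame (20-byte headers, no options, checksums 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def parse_packet(raw):
    """What a sniffer recovers from one frame: header fields, which are always
    readable, and the body, which is only useful if it was sent in the clear."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("demo handles IPv4/TCP only")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, data_offset = struct.unpack("!HHIIB", raw[ihl:ihl + 13])
    body_start = ihl + (data_offset >> 4) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "body": raw[body_start:total_len]}


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_card_numbers(body):
    """Return Luhn-valid 13-19 digit numbers found in a packet body."""
    found = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            found.append(digits)
    return found


def sniff(raw):
    """Parse one frame and report what an attacker could use from it."""
    info = parse_packet(raw)
    info["cards"] = find_card_numbers(info["body"])
    return info


# Constructed sample traffic.
HTTP_POST = (b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             b"name=Ada+Lovelace&card=4111111111111111&exp=12%2F29&dob=1815-12-10")
# TLS application-data record header (type 23, version 3.3, length 64) followed by
# 64 bytes standing in for ciphertext; a sniffer sees only this.
TLS_RECORD = b"\x17\x03\x03\x00\x40" + hashlib.sha256(b"constructed ciphertext").digest() * 2

if __name__ == "__main__":
    for pkt in (build_packet("198.51.100.7", "203.0.113.10", 40000, 80, HTTP_POST),
                build_packet("198.51.100.7", "203.0.113.10", 40001, 443, TLS_RECORD)):
        info = sniff(pkt)
        print(f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']} "
              f"body={len(info['body'])} bytes cards={info['cards']}")
```

Note what encryption does and does not hide: for the HTTPS frame the sniffer still learns both addresses, the port 443, the record size and the timing, which is enough for traffic analysis, but nothing usable from the body.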

What are the different types of malicious packet sniffing attacks?

There are two main types of malicious packet sniffing attacks: passive and active.

  • Passive packet sniffing: In a passive packet sniffing attack, the attacker only reads traffic that already passes their interface (a hub, a mirrored switch port, a shared or open wireless network, or a host they have compromised) and sends nothing. Because no packets are generated, it is effectively invisible to network monitoring; it is found by checking the host (an interface in promiscuous mode) or by noticing the later misuse of the captured data.
  • Active packet sniffing: In an active packet sniffing attack, the attacker first manipulates the network so that traffic is routed through them, for example with ARP spoofing or rogue DHCP or DNS answers, and can then inject or modify packets. This is easier to detect because it leaves traces, such as one IP address mapping to two MAC addresses or DNS replies that differ from the authoritative ones.

How to protect against malicious packet sniffing

There are a number of things that organizations can do to protect against malicious packet sniffing, including:

  • Use encryption: Encrypting network traffic (TLS for applications, a VPN for everything between two points) makes captured bodies unreadable; a sniffer still sees the addresses, ports, sizes and timing in the headers.
  • Use intrusion detection systems (IDS)/intrusion prevention systems (IPS): Purely passive sniffing is not visible to them, but the techniques an attacker uses to get into the path (ARP spoofing, rogue DHCP, DNS answers that contradict the real servers) are, and an IPS can block them. Switch features such as dynamic ARP inspection and DHCP snooping remove the most common ways of getting into the path.
  • Educate employees: Employees should know why open Wi-Fi is unsafe without a VPN, how to recognise a certificate warning, and never to type credentials into a page that is not served over HTTPS.

Conclusion

Malicious packet sniffing is a serious cybersecurity threat. Organizations can protect themselves by using encryption, IDS/IPS systems, and educating employees.

Additional tips:

  • Avoid using public Wi-Fi networks without a VPN.
  • Keep your software up to date.
  • Use strong passwords and enable two-factor authentication.

By following these tips, you can help to protect yourself and your organization from malicious packet sniffing.

Which part of a data packet may contain valuable information about the data in transit?

Body

The body of a data packet may contain sensitive information such as credit card numbers, dates of birth, or personal messages. Malicious actors can use the information contained in the body of a data packet to their advantage.

In this video, we’ll discuss packet sniffing, with a focus on how threat actors may use this technique to gain unauthorized access to information. Previously, you learned about the information and data packets that travel across the network. Packets include a header which contains the sender’s and receiver’s IP addresses. Packets also contain a body, which may contain valuable information like names, date of birth, personal messages, financial information, and credit card numbers.

Packet sniffing is the practice of using software tools to observe data as it moves across a network. As a security analyst, you may use packet sniffing to analyze and capture packets when investigating ongoing incidents or debugging network issues. Later in this certificate program, you’ll gain hands-on practice with some packet sniffing software. However, malicious actors may also use packet sniffing to look at data that has not been sent to them. This is a little bit like opening somebody else’s mail. It’s important for you to learn about how threat actors use packet sniffing with harmful intent so you can be prepared to protect against these malicious acts.

Malicious actors may insert themselves in the middle of an authorized connection between two devices. Then they can use packet sniffing to spy on every data packet as it comes across their device. The goal is to find valuable information in the data packets that they can then use to their advantage. Attackers can use software applications or a hardware device to look into data packets. Malicious actors can access a network packet with a packet sniffer and make changes to the data. They may change the information in the body of the packet, like altering a recipient’s bank account number.

Packet sniffing can be passive or active. Passive packet sniffing is a type of attack where data packets are read in transit. Since all the traffic on a network is visible to any host on the hub, malicious actors can view all the information going in and out of the device they are targeting. Thinking back to the example of a letter being delivered, we can compare a passive packet sniffing attack to a postal delivery person maliciously reading somebody’s mail. The postal worker, or packet sniffer, has the right to deliver the mail, but not the right to read the information inside. Active packet sniffing is a type of attack where data packets are manipulated in transit. This may include injecting internet protocols to redirect the packets to an unintended port or changing the information the packet contains. An active packet sniffing attack would be like a neighbor telling the delivery person “I’ll deliver that mail for you,” and then reading the mail or changing the letter before putting it in your mailbox. Even though your neighbor knows you and even if they deliver it to the correct house, they are actively going out of their way to engage in malicious behavior.

The good news is that malicious packet sniffing can be prevented. Let’s look at a few ways the network security professional can prevent these attacks. One way to protect against malicious packet sniffing is to use a VPN to encrypt and protect data as it travels across the network. If you don’t remember how VPNs work, you can revisit the video about this topic in the previous section of the program. When you use a VPN, hackers might interfere with your traffic, but they won’t be able to decode it to read it and read your private information. Another way to add a layer of protection against packet sniffing is to make sure that websites you have use HTTPS at the beginning of the domain address. Previously, we discussed how HTTPS uses SSL/TLS to encrypt data and prevent eavesdropping when malicious actors spy on network transmissions. One final way to help protect yourself against malicious packet sniffing is to avoid using unprotected WiFi. You usually find unprotected WiFi in public places like coffee shops, restaurants, or airports. These networks don’t use encryption. This means that anyone on the network can access all of the data traveling to and from your device. One precaution you can take is avoiding free public WiFi unless you have a VPN service already installed on your device.

Now you know how threat actors may use packet sniffing and how to protect a network from these attacks. Let’s move on to discuss other network intrusions.

Video: IP Spoofing

IP spoofing is a network attack in which the attacker forges the source IP address of a data packet to impersonate another system, either to slip past rules that trust that address or to make a third party the target of the replies.

There are three common attacks that rely on IP spoofing:

  • On-path attacks: The attacker places themselves in the middle of an authorized connection and intercepts or alters the data in transit, answering each side with the other side’s address.
  • Replay attacks: The attacker captures a valid packet and delays it or resends it later under the original sender’s address, for example to reuse an authentication exchange.
  • Smurf attacks: The attacker sends ICMP echo requests to a network’s broadcast address with the source address forged to be the victim’s; every host on that network answers the victim, so a small stream of requests becomes a flood that can bring down the victim’s server or link.

To protect against IP spoofing, organizations can:

  • Authenticate and encrypt traffic (TLS, IPsec, VPNs), so that a packet with a forged source is neither readable nor accepted as genuine.
  • Configure border routers and firewalls to drop incoming packets from the Internet whose source address belongs to the local network (ingress filtering), to drop outgoing packets whose source address is not one of the organization’s own (egress filtering, BCP 38), and to refuse directed broadcasts so the network cannot serve as a smurf amplifier.

Filtering at the border stops a spoofed packet arriving from outside, but not one forged by a host that is already inside; authenticating the traffic itself covers that case.
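The border-filter rule above, as an added example in Python (not course code) of the policy a router or firewall would apply: `filter_packet` drops inbound packets that claim one of the organization’s own addresses or a martian address, drops inbound packets aimed at the network’s broadcast address (the smurf amplifier case), and drops outbound packets whose source is not one of the organization’s prefixes. The topology (one site owning 198.51.100.0/24), the sample packets and the function names are constructed; the other addresses are from the RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed topology: the organization owns 198.51.100.0/24 behind one border router.
OUR_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Source addresses that can never legitimately arrive from the Internet.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def filter_packet(direction, src, dst):
    """Anti-spoofing policy for the border router.

    direction: "inbound" (arriving from the Internet) or "outbound" (leaving for it).
    Returns ("accept", None) or ("drop", reason).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "inbound":
        # Ingress filtering: a packet from outside claiming one of our addresses is forged.
        if _in_any(src_ip, OUR_PREFIXES):
            return ("drop", "internal source address arriving from the Internet")
        if _in_any(src_ip, MARTIANS):
            return ("drop", "martian source address")
        # Refusing directed broadcasts stops this network being used as a smurf amplifier.
        if any(dst_ip == net.broadcast_address for net in OUR_PREFIXES):
            return ("drop", "directed broadcast")
    elif direction == "outbound":
        # Egress filtering (BCP 38): our hosts may only send with our own addresses,
        # so a compromised machine here cannot spoof a victim elsewhere.
        if not _in_any(src_ip, OUR_PREFIXES):
            return ("drop", "outbound source address not ours")
    else:
        raise ValueError("direction must be 'inbound' or 'outbound'")
    return ("accept", None)


# Constructed sample traffic: (direction, src, dst, description)
SAMPLE_PACKETS = [
    ("inbound", "203.0.113.5", "198.51.100.10", "normal client request"),
    ("inbound", "198.51.100.9", "198.51.100.10", "forged: claims to be one of our hosts"),
    ("inbound", "10.1.2.3", "198.51.100.10", "forged: RFC 1918 source from the Internet"),
    ("inbound", "203.0.113.5", "198.51.100.255", "ICMP echo to our broadcast (smurf)"),
    ("outbound", "198.51.100.10", "203.0.113.5", "normal reply"),
    ("outbound", "203.0.113.77", "203.0.113.5", "forged: our host impersonating a victim"),
]


def audit(packets=SAMPLE_PACKETS):
    """Return (description, verdict) for each sample packet."""
    return [(desc, filter_packet(d, s, t)[0]) for d, s, t, desc in packets]


if __name__ == "__main__":
    for desc, verdict in audit():
        print(f"{verdict:6s} {desc}")
```

The egress rule is the one organizations most often skip because it protects other people rather than themselves; it is also the one that, deployed widely, would remove most reflection and amplification attacks from the Internet.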

What is IP spoofing?

IP spoofing is a type of cyberattack where the attacker changes the source IP address of a data packet to impersonate another computer system. This can be done for a variety of malicious purposes, such as gaining unauthorized access to a network, launching denial-of-service attacks, or spreading malware.

How does IP spoofing work?

Forging the source address is trivial: any host with raw socket access can write whatever it likes into the header, and nothing in IP itself verifies it. What the attacker gives up is the reply, which goes to the address they forged. For connectionless protocols (UDP, ICMP) that does not matter, which is why spoofing is the basis of floods, reflection and amplification attacks. For TCP it matters a great deal: the spoofer never sees the SYN-ACK, so it cannot complete the handshake or carry on a session unless it can predict the server’s sequence numbers, which modern stacks randomize.

What are the different types of IP spoofing attacks?

There are a number of different types of IP spoofing attacks, including:

  • On-path (man-in-the-middle) attacks: The attacker intercepts communication between two parties, impersonates each to the other, and eavesdrops on or modifies the data in transit.
  • Replay attacks: The attacker captures a legitimate packet and delays it or resends it later under the original sender’s address.
  • Denial-of-service (DoS) attacks: The attacker sends a large number of packets with forged sources to a target, which hides the real origin and defeats per-source blocking. In a reflection attack the forged source is the victim, so the servers the attacker queries flood the victim with their replies.

How to protect against IP spoofing

There are a number of things that organizations and individuals can do to protect against IP spoofing, including:

  • Filter at the network edge: Configure the border firewall or router to drop packets arriving from the internet whose source address belongs to the internal network (or to any private or reserved range), and to drop outbound packets whose source address is not an internal address, so the site cannot be used to launch spoofed traffic.
  • Use encryption and authentication: Encrypting network traffic (for example with a VPN or TLS) keeps it unreadable to attackers, and because a spoofer does not hold the session keys, an injected or altered packet fails authentication even when its source address looks legitimate.
  • Use intrusion detection systems (IDS)/intrusion prevention systems (IPS): IDS/IPS systems can flag and block indicators of spoofing, such as internal source addresses arriving on an external interface or a sudden flood of ICMP replies to a single host.
  • Keep software up to date: Patches close vulnerabilities in the network stack and in services that spoofed packets are used to reach.
  • Educate employees: Staff should know that the apparent source of network traffic can be forged and should report unexpected connection problems, which can be a symptom of delayed or replayed packets.

Conclusion

IP spoofing is a serious cybersecurity threat, but edge filtering, encryption and monitoring greatly limit what an attacker can do with a forged source address. By following the tips above, you can help to keep your network and data safe.

Additional tips:

The following are general security hygiene measures rather than spoofing-specific controls, but they reduce the chance that an attacker gains a foothold on the network from which to sniff or spoof traffic:

  • Be careful about opening emails from unknown senders.
  • Avoid clicking on links in emails or on websites that you don’t trust.
  • Use a firewall and antivirus software.
  • Keep your operating system and software up to date.
  • Be careful about what information you share online.

By following these tips, you can help to protect yourself from IP spoofing attacks and other cybersecurity threats.

Which of the following attacks use IP spoofing? Select three answers.

Replay attack, On-path attack, Smurf attack

Replay attacks, on-path attacks, and smurf attacks are common types of IP spoofing attacks. A smurf attack is when an attacker sniffs an authorized user’s IP address, uses it as the spoofed source of a flood of packets (classically ICMP echo requests to a broadcast address), and so floods the user with the replies.

Next, let’s learn about another kind of network attack called IP spoofing. IP spoofing is a network attack performed when an attacker changes the source IP of a data packet to impersonate an authorized system and gain access to a network. In this kind of attack, the hacker is pretending to be someone they are not so they can communicate over the network with the target computer and get past firewall rules that may prevent outside traffic. Some common IP spoofing attacks are on-path attacks, replay attacks, and smurf attacks. Let’s discuss these one at a time.

An on-path attack is an attack where the malicious actor places themselves in the middle of an authorized connection and intercepts or alters the data in transit. On-path attackers gain access to the network and put themselves between two devices, like a web browser and a web server. Then they sniff the packet information to learn the IP and MAC addresses of the devices that are communicating with each other. After they have this information, they can pretend to be either of these devices.

Another type of attack is a replay attack. A replay attack is a network attack performed when a malicious actor intercepts a data packet in transit and delays it or repeats it at another time. A delayed packet can cause connection issues between target computers, or a malicious actor may take a network transmission that was sent by an authorized user and repeat it at a later time to impersonate the authorized user.

A smurf attack is a combination of a DDoS attack and an IP spoofing attack. The attacker sniffs an authorized user’s IP address and floods it with packets. This overwhelms the target computer and can bring down a server or the entire network.

Now that you’ve learned about different kinds of IP spoofing, let’s talk about how you can protect the network from this kind of attack. As you previously learned, encryption should always be implemented so that the data in your network transfers can’t be read by malicious actors. Firewalls can be configured to protect against IP spoofing. IP spoofing makes it seem like the malicious actor is an authorized user by changing the sender’s address of the data packet to match the target network’s address. So if a firewall receives a data packet from the internet where the sender’s IP address is the same as the private network, then the firewall will deny the transmission, since all the devices with that IP address should already be on the local network. You can make sure that your firewalls are configured correctly by creating a rule to reject all incoming traffic that has the same IP address as the local network. That’s it for IP spoofing. You’ve learned how IP spoofing is used in some common attacks like on-path attacks, replay attacks, and smurf attacks.
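The firewall rule that both the reading and the video describe (reject inbound traffic that claims a local source address) is easier to reason about when written out as the decision a border firewall makes per packet. The following is an added example, not code from the course: it models that rule and extends it with the two checks a practitioner would deploy alongside it, egress filtering so the site cannot originate spoofed packets, and dropping traffic aimed at the LAN broadcast address, which is what turns a network into a smurf amplifier. The network `10.20.0.0/24`, the interface names `eth0`/`eth1` and the sample packets are assumed for illustration.

```python
"""Anti-spoofing filter for a border firewall.

Added example, not part of the course material. It applies three checks to
each packet using only the interface it arrived on and its addresses:
ingress (no local or private source address may come in from the internet),
egress (only local source addresses may go out), and a smurf guard (nothing
from outside may target the LAN broadcast address). The network, interface
names and sample packets are assumed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

LAN = ip_network("10.20.0.0/24")           # assumed local network
EXTERNAL_IF, INTERNAL_IF = "eth0", "eth1"  # assumed interface names

# Source ranges that must never arrive on the internet-facing interface.
BOGON_SOURCES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"),
    ip_network("0.0.0.0/8"),
]


@dataclass(frozen=True)
class Packet:
    in_iface: str  # interface the packet arrived on
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"; used only in the log line


def filter_packet(pkt: Packet, lan: IPv4Network = LAN) -> tuple[str, str]:
    """Return (verdict, reason) for one packet. Verdict is ACCEPT or DROP."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)

    if pkt.in_iface == EXTERNAL_IF:
        # Ingress filtering: an inside address can never legitimately arrive
        # from the outside, so the packet is spoofed.
        if src in lan:
            return "DROP", "inbound packet claims a local source address"
        if any(src in net for net in BOGON_SOURCES):
            return "DROP", "inbound packet from a private or reserved source range"
        # Smurf guard: echo requests to our broadcast address from outside
        # would make every local host answer the spoofed victim.
        if dst == lan.broadcast_address:
            return "DROP", "inbound packet to the LAN broadcast address"
        return "ACCEPT", "inbound packet from an external source"

    # Egress filtering: only our own addresses may leave the site.
    if src not in lan:
        return "DROP", "outbound packet with a source address outside the local network"
    return "ACCEPT", "outbound packet from a local host"


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    Packet(EXTERNAL_IF, "10.20.0.7", "10.20.0.1", "tcp"),       # spoofed local source
    Packet(EXTERNAL_IF, "192.168.1.5", "10.20.0.1", "udp"),     # private range from outside
    Packet(EXTERNAL_IF, "203.0.113.9", "10.20.0.255", "icmp"),  # smurf attempt
    Packet(EXTERNAL_IF, "203.0.113.9", "10.20.0.1", "tcp"),     # ordinary inbound
    Packet(INTERNAL_IF, "198.51.100.4", "203.0.113.9", "udp"),  # local host spoofing outward
    Packet(INTERNAL_IF, "10.20.0.7", "203.0.113.9", "tcp"),     # ordinary outbound
]


def run_sample() -> list[str]:
    """Apply the filter to the sample packets and return the verdicts in order."""
    verdicts = []
    for pkt in SAMPLE_PACKETS:
        verdict, reason = filter_packet(pkt)
        verdicts.append(verdict)
        print(f"{pkt.in_iface} {pkt.src:>13} -> {pkt.dst:<13} {pkt.proto:<4} {verdict:<6} {reason}")
    return verdicts


if __name__ == "__main__":
    run_sample()
```

On a Linux border host the first check is a single netfilter rule such as `iptables -A INPUT -i eth0 -s 10.20.0.0/24 -j DROP` (repeated on the FORWARD chain for routed traffic), and enabling reverse-path filtering with `net.ipv4.conf.all.rp_filter=1` makes the kernel perform a comparable check against its routing table on every interface. The egress rule is the one sites most often forget; it does nothing to protect you directly, but it is what keeps your network from being the source of someone else's spoofed flood.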

Reading: Overview of interception tactics


Practice Quiz: Activity: Analyze network attacks

Reading: Activity Exemplar: Analyze network attacks


Practice Quiz: Test your knowledge: Network interception attack tactics

True or false: Passive packet sniffing involves data packets being manipulated while in transit, which may include injecting internet protocols to redirect the packets to unintended ports or changing the information the packet contains. (This statement is false: it describes active packet sniffing. Passive sniffing only reads packets as they pass and does not alter them.)

Fill in the blank: A security analyst can protect against malicious packet sniffing by _ to encrypt data as it travels across a network.

Which type of attack involves an attacker changing the source IP of a data packet to impersonate an authorized system and gain access to the network?

Which of the following statements accurately describes a smurf attack?

Review: Secure against network intrusion


Video: Wrap-up

In this section, we learned about how to secure networks and protect them from network intrusion tactics such as malicious packet sniffing and IP spoofing. We also learned about DoS and DDoS attacks, such as ICMP flooding, SYN attacks, and the ping of death, which try to overwhelm a network by flooding it with unwanted data packets.

This knowledge is essential for security analysts, as they are responsible for protecting networks from these and other types of attacks.

Next: We will learn about how security analysts can protect the network using various security hardening techniques.

Nice job finishing this section! Let’s review what you’ve learned so far. We discussed how to secure networks. We also learned about network intrusion tactics like malicious packet sniffing and IP spoofing. Finally, we discussed how a security analyst can protect against these attacks. You’ve learned about DoS and DDoS attacks like ICMP flooding, SYN attacks, and the ping of death, which try to overwhelm a network by flooding it with unwanted data packets. Now, just think about everything you know already about network attacks. What you’ve learned in these videos will be essential in your work as a security analyst. Coming up, you’ll learn about how security analysts can protect the network using various security hardening techniques.

Reading: Glossary terms from module 3

Terms and definitions from Course 3, Module 3

Quiz: Module 3 challenge

What is the main objective of a Denial of Service (DoS) attack?

Which of the following statements accurately describe Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks? Select three answers.

A security team discovers that an attacker has taken advantage of the handshake process that is used to establish a TCP connection between a device and their server. Which DoS attack does this scenario describe?

Which of the following statements correctly describe passive and active packet sniffing? Select three answers.

A malicious actor changes the source IP of a data packet in order to communicate over an organization’s internal network. Which type of attack is this?

What are some common IP spoofing attacks? Select all that apply.

Fill in the blank: In a/an __ attack, a malicious actor places themselves in the middle of an authorized connection and intercepts the data in transit.

A malicious actor intercepts a network transmission that was sent by an authorized user and repeats it at a later time to impersonate a user. Which type of attack is this?

Fill in the blank: A _ attack happens when a malicious actor sniffs an authorized user’s IP address and floods it with packets.