Domain 4.2
Network security
TCP/IP was designed primarily for connectivity and interoperability, not security. As a result, networks based on TCP/IP can be vulnerable to various attacks if not properly secured.
Examples include:
- Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks, which attempt to overwhelm systems or networks.
- IP spoofing, where attackers forge source addresses to impersonate trusted systems.
- Man-in-the-Middle (MITM) attacks, where communications are intercepted or altered.
- Fragmentation and malformed packet attacks, which exploit weaknesses in protocol implementations.
- Packet sniffing and traffic analysis, which can reveal sensitive information or communication patterns.
To mitigate these risks, organizations commonly use firewalls, encryption, network segmentation, intrusion detection systems, and secure protocol implementations.
Wi-Fi Increases the Attack Surface
Wi-Fi is a popular networking technology in both corporate and home environments because it is inexpensive, flexible, and eliminates the need for physical cabling.
However, wireless networks introduce additional security challenges. Unlike wired networks, an attacker may be able to access or monitor communications without physically connecting to the network infrastructure. This makes strong authentication, encryption (such as WPA2 or WPA3), and proper network configuration especially important.
Common wireless threats include unauthorized access, eavesdropping, rogue access points, and attacks against weak or outdated security protocols.
Types of threats
- Spoofing - An attacker impersonates a trusted user, device, or service by falsifying identifying information such as an IP address, MAC address, email address, or website.
- Phishing - A social engineering attack that tricks users into revealing sensitive information or performing actions through deceptive emails, messages, or websites.
- DoS/DDoS - An attack that overwhelms a system, service, or network with traffic or requests, making it unavailable to legitimate users.
- Virus - Malicious software that attaches itself to legitimate files or programs and spreads when the infected file is executed.
- Worm - Self-replicating malware that spreads automatically across networks without requiring user interaction.
- Trojan - Malware disguised as legitimate software that tricks users into installing it, often creating unauthorized access for attackers.
- On-path Attack - An attack where an adversary secretly intercepts and potentially alters communications between two parties.
- Side-channel - An attack that extracts information by analyzing indirect signals such as timing, power consumption, electromagnetic emissions, or cache behavior.
- Advanced Persistent Threat (APT) - A long-term, targeted attack in which skilled attackers maintain unauthorized access to a system while remaining undetected.
- Insider Threat - A security risk originating from an authorized user who intentionally or unintentionally compromises an organization’s systems or data.
- Malware - Any software intentionally designed to damage, disrupt, steal information from, or gain unauthorized access to a system.
- Ransomware - Malware that encrypts files or systems and demands payment in exchange for restoring access.
- Supply Chain Attack - An attack that compromises a trusted third party (such as a software vendor, software library, service provider, or hardware manufacturer) to indirectly gain access to its customers or users.
How to identify these threats?
Intrusion Detection System (IDS) - Monitors systems or networks for suspicious activity by automatically analyzing logs, events, and network traffic. When potentially malicious behavior is detected, it generates alerts for administrators to investigate.
- Host-Based IDS (HIDS) - Runs on a specific device and monitors local activity such as system logs, file changes, user actions, processes, and configuration modifications to detect suspicious behavior. HIDS can be more precise than NIDS by reporting compromised files and identifying exactly which process or user caused the activity.
- Network-Based IDS (NIDS) - Monitors network traffic flowing through a network segment and analyzes packets (excluding encrypted content unless decrypted elsewhere) for signs of attacks, policy violations, unusual communication patterns, or known malicious signatures. A NIDS can detect the initiation and progression of an attack on the network, but it typically cannot confirm the full impact or success on the target system.
Scans - Automated tools and processes used to analyze systems, applications, or networks for vulnerabilities, malware, and misconfigurations. They compare software behavior, configurations, and exposed services against known security issues and databases such as OWASP Top 10 and vulnerability catalogs (e.g. CVEs) to identify potential weaknesses. Scans can be used for continuous monitoring or scheduled assessments to detect security risks before they are exploited.
SIEM (Security Information and Event Management) - A centralized system that collects and analyzes log and event data from many different sources across an IT environment, such as HIDS, NIDS, firewalls, servers, and applications. It does not replace detection tools like HIDS or NIDS, but instead uses their outputs as input. By correlating events from multiple systems, a SIEM can identify patterns and threats that would not be visible from a single source, generate alerts, and provide a unified view of security across the organization.
TLDR: HIPS analyzes a host (e.g. a computer), NIPS analyzes the network, and a SIEM pulls logs from these tools and others to give a complete security analysis report.
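As an added illustration of the HIDS/NIDS/SIEM relationship described above (example code, not part of these notes): a toy correlator that joins constructed NIDS brute-force alerts with constructed HIDS events on the same host, so that the same network alert is rated differently depending on whether the host confirmed any impact. The log formats, signature names and the alert threshold are assumptions made for this example.

```python
# Added example, not from the original notes: a toy SIEM-style correlator over
# constructed NIDS and HIDS log lines (formats and threshold are assumptions).
from collections import defaultdict

# Constructed NIDS alerts: "NIDS|<src_ip>|<dst_host>|<dst_port>|<signature>"
NIDS_LOG = """\
NIDS|203.0.113.7|web01|22|ssh_bruteforce
NIDS|203.0.113.7|web01|22|ssh_bruteforce
NIDS|203.0.113.7|web01|22|ssh_bruteforce
NIDS|198.51.100.4|db01|22|ssh_bruteforce
NIDS|198.51.100.4|db01|22|ssh_bruteforce
NIDS|198.51.100.4|db01|22|ssh_bruteforce
"""
# Constructed HIDS events: "HIDS|<host>|<event>|<detail>"
HIDS_LOG = """\
HIDS|web01|login_success|user=svc src=203.0.113.7
HIDS|web01|file_modified|/etc/ssh/sshd_config
HIDS|db01|login_failure|user=root src=198.51.100.4
"""

def parse(log: str) -> list[list[str]]:
    return [line.split("|") for line in log.strip().splitlines()]

def correlate(nids_log: str, hids_log: str, threshold: int = 3) -> list[tuple[str, str, str]]:
    """Return (host, src_ip, severity). NIDS shows an attack was started; only the
    HIDS on the target can show whether it had an effect, so the two are joined."""
    attempts: dict[tuple[str, str], int] = defaultdict(int)  # (host, src) -> alerts
    for _, src, host, _port, sig in parse(nids_log):
        if sig == "ssh_bruteforce":
            attempts[(host, src)] += 1
    logins: set[tuple[str, str]] = set()   # (host, src) with a successful login
    changed: set[str] = set()              # hosts where a file under /etc changed
    for _, host, event, detail in parse(hids_log):
        if event == "login_success":
            fields = dict(kv.split("=", 1) for kv in detail.split())
            logins.add((host, fields.get("src", "")))
        elif event == "file_modified" and detail.startswith("/etc/"):
            changed.add(host)
    findings = []
    for (host, src), count in sorted(attempts.items()):
        if count < threshold:              # below threshold: treat as noise
            continue
        if (host, src) in logins and host in changed:
            severity = "critical"          # attempt, access, then a config change
        elif (host, src) in logins:
            severity = "high"              # attempt followed by a successful login
        else:
            severity = "medium"            # attempts only; no host-side impact seen
        findings.append((host, src, severity))
    return findings
```

Run `correlate(NIDS_LOG, HIDS_LOG)` to see the two hosts with identical NIDS alert counts come out at different severities once the HIDS evidence is joined in.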
How to prevent the threats?
There is no one step that will protect you against all threats but there are basic steps you can take to reduce the risk of an attack.
Keep systems and applications up to date - Vendors regularly release updates to fix security issues, but they only help if you actually apply them to your systems.
Remove or disable unneeded services and protocols - Attackers can’t exploit a vulnerability on a protocol that isn’t running.
Use up-to-date anti-malware software / Antivirus - A primary countermeasure is anti-malware software. Anti-malware/antivirus solutions detect and remove malicious software using signature-based detection, behavioral analysis, and sometimes machine learning, and modern enterprise endpoint tools often extend this protection with features like firewall control, IDS/IPS capabilities, and broader detection of threats such as ransomware, spyware, and rootkits.
Use intrusion detection and prevention systems - They help identify and respond to malicious activity early by detecting attacks in progress and, in the case of IPS, automatically blocking or mitigating them to reduce potential damage.
- Intrusion Prevention System (IPS) - active security system that sits in-line with network traffic and automatically detects and blocks malicious activity before it reaches its target.
- NIPS (network based) - Protects the entire network by inspecting and blocking malicious network traffic.
- HIPS (host based) - Protects a single device by monitoring and blocking suspicious activity on that host.
Use firewalls - Firewalls are security systems that isolate and protect network segments by enforcing rules that filter traffic between trusted and untrusted environments, commonly deployed at network boundaries and within internal network zones for segmentation.
- Modern next-generation firewalls extend this functionality by combining traditional packet filtering with advanced capabilities such as intrusion prevention (IPS), proxy services, application-layer filtering (Layer 7), and integration with identity and access management (IAM), allowing them to enforce security policies based not only on IP and ports but also on users, applications, and content.