Network security risk mitigation best practices

This network security risk mitigation discussion is taken from my uOttawa PhD thesis (2020, pp. 39-57) Chapter 2 “Part 1: Information Security Risk Governance,” which covers the technical, theoretical, and regulatory context of ethical hacking applications in information security testing and IT governance at the organizational and national levels. The PhD thesis, titled Technoethics and sensemaking: Risk assessment and knowledge management of ethical hacking in a sociotechnical society, was completed at the School of Electrical Engineering and Computer Science (EECS), Faculty of Engineering, on the topic of ethical hacking sociotechnology (thesis advisory committee: uOttawa professors Rocci Luppicini, Liam Peyton, and Andre Vellino).

  • Layers of a computer network
  • Network security risk mitigation

You may also be interested in IT governance and cybersecurity regulations.

Layers of a computer network

This discussion conceptualizes cybersecurity as information security concerned with protecting the confidentiality, integrity, and availability of privileged information within “Cyberspace” (i.e., layers 2-11 of The 15 Layer Cyber Terrain Model, Riley, 2014A).

Figure 1: The 15 Layer Cyber Terrain Model (Riley, 2014A)*

Network security risk mitigation in cyberspace visualized

Persona Layer #11 is concerned with user identity and authentication security: managing (securing) information related to user IDs, email accounts, phone numbers, and other PII and access codes to digital services (typically on the Internet) via suitable identity and access management controls. The biggest threat to data confidentiality at this level is social engineering.

Software Application Layer #10 is concerned with application security (e.g., browsers, Office products, etc.). The two common attack types on web apps are cross-site scripting and SQL injections. Application-level attacks “are attacks on the actual programming code and software logic of an application. Although most people are cognizant of securing their OS and network, it’s amazing how often they discount the applications running on their OS and network” (Walker, 2017, p. 25).** Many applications on a network are not tested for vulnerabilities during their development and contain vulnerability “built into them” (p. 25). Shrink-wrap code attacks “take advantage of the built-in code and scripts most off-the-shelf applications come with … These scripts and code pieces are designed to make installation and administration easier but can lead to vulnerabilities if not managed appropriately” (p. 25).

Operating System Layer #9 is concerned with host security and vendor software QA/security (Windows, Android, iOS, etc.). Regular security patching is the key mitigating security control for this layer (OS) and the previous one (applications). Operating system (OS) attacks generally target “the common mistake many people make when installing operating systems—accepting and leaving all the defaults. Administrator accounts with no passwords, all ports left open, and guest accounts (the list could go on forever) are examples of settings the installer may forget about” (p. 25). Further, operating systems “are never released fully secure—they can’t be, if you ever plan on releasing them within a timeframe of actual use—so the potential for an old vulnerability in newly installed operating systems is always a plus for the ethical hacker” (p. 25).

Logical Layer (Communications Ports and Protocols) #7-2 is part of host security, network security, and infrastructure security (down to the Data Link layer), and is the home of misconfiguration vulnerabilities. The “Internet” column in Riley (2014A) is the Internet protocol suite, a conceptual model and set of communications protocols governing communications in the Internet and similar computer networks. It is commonly known as TCP/IP because the foundational protocols in the suite are the Transmission Control Protocol and the Internet Protocol. Misconfiguration attacks,

take advantage of systems that are, on purpose or by accident, not configured appropriately for security. Remember the triangle earlier and the maxim “As security increases, ease of use and functionality decrease”? This type of attack takes advantage of the administrator who simply wants to make things as easy as possible for the users. Perhaps to do so, the admin will leave security settings at the lowest possible level, enable every service, and open all firewall ports. It’s easier for the users but creates another gold mine for the hacker. (Walker, 2017, p. 25)

*Riley, S. (2014A). “Cyber Terrain”: A Model for Increased Understanding of Cyber Activity. Retrieved August 2, 2019, from https://cyber-analysis.blogspot.com/2014/

**EC-Council defines four attack categories or “the various types of attacks a hacker could attempt” (Walker, 2017, p. 25): operating system attacks, application-level attacks, shrink-wrap code attacks, and misconfiguration attacks.

Network security risk mitigation

Key strategic and tactical risk mitigation best practices include:

  • Avoiding misconfiguration gaffes

A vulnerability is “a software or hardware bug or misconfiguration that a malicious individual can gain unauthorized access to exploit” (Snedaker & McCrie, 2011, p. 4). The first counter-measure for IT is to update software regularly with security patches against known vulnerabilities. The second is to avoid misconfiguration mistakes. Vulnerabilities exploited by penetration testing include: “Misconfigurations (insecure default settings), Kernel Flaws, Buffer Overflows, Insufficient Input Validation, Symbolic Links, File Descriptor Attacks, Race Conditions, and Incorrect File and Directory Permissions” (NIST SP 800-115, p. 4-5). Network misconfigurations are a common source of network security vulnerabilities. Key configuration mistakes include: missing security patches (around 95% of cyber attacks exploit known vulnerabilities), default credentials (leaving default usernames and passwords unconfigured for databases, installations, and devices), easy and reused passwords, turned-off logging, insecure services or protocols (FTP, Telnet, HTTP), outdated encryption protocols (SSL v2 is considered insecure and was superseded by SSL v3 in 1996), and exposed remote desktop services and default ports (implement defense in depth IA approaches).

Any external-facing device that’s connected to the internet should have layers upon layers of protection to combat attempts to gain access from simple methods like a brute-force attack. Services like Remote Desktop Protocol (RDP), a proprietary protocol developed by Microsoft, can provide administrators an interface to control computers remotely. Increasingly though, cybercriminals have taken to leveraging this exposed protocol when it’s not configured properly. (Bandos, 2019)

  • Implementing the principle of least privilege (through identity and access management controls; functionality vs security)

To reduce an organization’s threat exposure through secure network configuration: develop a strategy to remove or disable unnecessary functionality from systems and to quickly patch known vulnerabilities, and implement the principle of least privilege, whereby each authorized user is granted only the required functionality. IT security should tune access privileges to what is necessary and sufficient; the system should offer only the required functionality to each authorized user. For example, a web server that runs as the administrative user (root or admin) has the privilege to remove files and users, which is more privilege than serving web content requires. The principle of least privilege “is widely recognized as an important design consideration in enhancing the protection of data and functionality from faults (fault tolerance) and malicious behavior (computer security).” Benefits of applying the principle include system stability, security, and ease of deployment of new apps/services (Saltzer & Schroeder, 1975).
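As an added illustration (not from the thesis), the misconfiguration checklist above and the least-privilege item are rendered as a configuration audit in Python: it takes a constructed host snapshot (the default-credential list, host name, and accounts are made-up sample values) and reports the mistakes this section names, including services running as the administrative user.

```python
from dataclasses import dataclass
# Checklist items from the text; the credential list and sample host below are constructed.
INSECURE_SERVICES = {"ftp", "telnet", "http"}          # cleartext protocols named in the text
OUTDATED_TLS = {"SSLv2", "SSLv3"}                      # SSL v2 is insecure; SSL v3 has since been deprecated too
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("admin", "password")}  # constructed sample list
REMOTE_DESKTOP_PORTS = {3389: "RDP"}                   # default port of Remote Desktop Protocol
ANY = "0.0.0.0/0"                                      # reachable from the whole internet

@dataclass
class Host:
    name: str
    pending_security_patches: int
    logging_enabled: bool
    tls_versions: set
    services: list     # (service name, port, allowed source CIDR, account it runs as)
    accounts: dict     # username -> password, as found in a config snapshot

def audit(host: Host) -> list:
    findings = []      # one human-readable finding per misconfiguration or privilege issue
    if host.pending_security_patches:
        findings.append(f"missing patches: {host.pending_security_patches} security updates pending")
    if not host.logging_enabled:
        findings.append("logging disabled")
    for version in sorted(host.tls_versions & OUTDATED_TLS):
        findings.append(f"outdated encryption protocol enabled: {version}")
    by_password = {}   # group accounts by password to spot reuse
    for user, password in host.accounts.items():
        if (user, password) in DEFAULT_CREDS:
            findings.append(f"default credentials: {user}")
        by_password.setdefault(password, []).append(user)
    for users in by_password.values():
        if len(users) > 1:
            findings.append("reused password: " + ", ".join(users))
    for name, port, allowed_from, run_as in host.services:
        if name in INSECURE_SERVICES:
            findings.append(f"insecure service: {name}/{port}")
        if port in REMOTE_DESKTOP_PORTS and allowed_from == ANY:
            findings.append(f"exposed {REMOTE_DESKTOP_PORTS[port]} on default port {port} to the internet")
        if run_as in ("root", "admin"):      # least privilege: a service should not run as the admin user
            findings.append(f"least privilege: {name} runs as {run_as}")
    return findings

# Constructed snapshot of a badly configured host.
SAMPLE_HOST = Host(
    name="host01", pending_security_patches=3, logging_enabled=False,
    tls_versions={"SSLv2", "TLSv1.2"},
    services=[("http", 80, ANY, "root"), ("ssh", 22, "10.0.0.0/8", "sshd"), ("rdp", 3389, ANY, "SYSTEM")],
    accounts={"admin": "admin", "deploy": "s3cret", "backup": "s3cret"},
)
```

Running `audit(SAMPLE_HOST)` yields eight findings, one per mistake in the list above; a host with patches applied, logging on, TLS 1.2 only, an unprivileged service account, and unique non-default passwords yields none.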

  • Implementing QA (software development)/IA (network security) approaches to information security using a suitable IT governance framework

IT should emphasize a holistic audit approach to information security. IA can be understood as a structured approach to align strategic organizational objectives with information use routines to ensure information security. IA is concerned with the system processing the information flow and storage and includes rules and regulations, performance objectives and oversight, compliance and audit/governance frameworks.

  • Implementing defense in depth (e.g., layered security)

IT should adopt several information security tactics for defense in depth, e.g., security awareness training, installing firewalls, continuous network monitoring, access control and authentication, anti-virus, encryption and VPN, server integrity, and periodic auditing.

  • Implementing open security and security by design frameworks/technologies

For Linus Trevor, proper security means that everyone is allowed to know and understand the design because it is secure. With many people looking at computer code, the odds improve that any flaws will be found sooner (Linus’s law), which can be more efficient than testing. Eric S. Raymond famously said, referring to Linus’s law, “given enough eyeballs, all bugs are shallow.” Presenting the code to multiple developers with the purpose of reaching consensus about its acceptance is a simple form of software review.

Abu-Shaqra, B. (2020). Technoethics and sensemaking: Risk assessment and knowledge management of ethical hacking in a sociotechnical society (2020-04-17T20:04:42Z) [Doctoral dissertation, University of Ottawa]. uO Research.
