All right. Our next lesson is going to talk about network security. We'll talk a little bit about what we mean by security on the network, and specifically what we as end users can do, because a lot of times we say, "Well, that's the network team's responsibility," but as always, there are things that we can do to promote security.
Why do we care? Well, we'll look at some of the attacks that are specifically network based, whether they're denial-of-service attacks or others, and also we're gonna talk about why we're vulnerable.
We'll do that in the very first chapter and, of course, talk about what we can do. And the biggest reason that we're vulnerable: network security, if you really think about it, is an oxymoron. The two terms are opposite. Why do we network? What is networking about? It's about sharing. Let me make this available. I have this cool stuff. I want you to have it. Here it is.
Security is about preventing access, so what we have to do is we have to walk a fine line between allowing authorized users to access what they need to access while preventing unauthorized users. When your purpose is availability
that makes security very challenging. And every organization has different priorities.
You know, you can look at operating systems throughout the years. There are many different operating systems, of course: Windows, Linux, UNIX, Apple's operating systems as well.
Uh, some of them are much more geared towards usability, user friendliness. Others are designed to be more secure. So
part of the reason is just the very nature of sharing through the network. The big focus when we talk about network security is protecting data in transit.
So if you think about data that I have, it can be in three different states. Data could be at rest on your local system, right? You've stored a file on your C drive. It resides on your hard drive. So what can you do to protect it there?
Well, I can encrypt the files. I can physically protect my system that protects data at rest.
The next thing that we have is data in process. So while you're working on a file and it's loaded into memory, that's data in process. That's actually the hardest to protect, because you're working with it. It's dynamic. It's very difficult to secure data in process.
But what we're concerned with in this particular chapter is data in transit: moving files from one location to the next,
exchanging email, data, commands, whatever that is, across the network. So we're primarily focused on data in transit. And when we think about security for data in transit, there are three main things we've got to consider, and we often refer to this as the CIA triad in security,
and it stands for confidentiality,
integrity and availability. And those are really the three tenets of security. Confidentiality: let's keep our secrets secret.
Integrity says we need to be able to detect modification of files. If something's been changed in transit, we want to know about it.
Changes could be from corruption, or they could be intentional modifications as well,
then availability. I want timely access to resources. When I need to access a file, I want to be able to access it. When I want to get to a website, I don't want it to take three and a half minutes to load, because if your website takes three and a half minutes to load, I've already spent my money somewhere else, right?
So we have to provide that timely access to resources.
And there are many attacks that focus on these ideas. Certainly something to keep in mind: man-in-the-middle attacks. A man-in-the-middle attack can be passive, meaning I'm not really doing anything. I'm just watching.
And if I'm watching traffic on the network specifically, if I'm analyzing traffic on the network, we refer to that as sniffing. Okay, any traffic that's on the network unencrypted is susceptible to sniffing.
It's actually a fairly easy task, as long as you have the right tools. You may have heard of Wireshark at some point. Maybe you haven't; doesn't matter. Basically, what that tool allows me to do is capture traffic on the network and look at it. And if things are going across the network in plain text, I can see character by character. I see everything.
So when data is in transit, we have to really think about encrypting and protecting it.
Also, we have an obligation to protect the resources of our organization, of our company, and by following best practices, we're really doing our part there. Now,
when we talk about attacks to an organization, from a technical standpoint, network attacks, um,
people are lobbing attacks at your network. And if things are configured right, you'll never know about them, because you've got firewalls and intrusion detection systems and access control lists and routers and all these things to limit that attack. And that's exactly how we want it as network technicians. It's when something gets through all of our defenses
that suddenly everybody's aware of the different types of threats that are out there.
Hey, I mentioned eavesdropping on data being transferred on the network, denial-of-service attacks. I think I talked about worms in an earlier chapter, and a worm, all it takes is one system on that network to be infected, and that worm will bounce from system to system to system until it's eradicated.
You could do a lot of damage with a worm,
because it doesn't require all the users on the network to perform an action. It just takes one, right?
All right, other things. When we have a confidentiality breach, perhaps it's personal information of my customers. Maybe I'm legally liable for that. Or maybe the data breach, we have to come forward with it, and, you know, when I come to the press and say,
"Yeah, we just had a 20 million account compromise,"
that doesn't exactly inspire confidence in our stakeholders and our customers. So often security breaches do lead to a lack of confidence and a drop in customers, a loss of revenue. Don't forget also, we may open ourselves up to liability as well,
because our systems could be compromised in such a way that they would attack others,
others on our internal network or others down the line, others in another network. Again, that's a distributed denial-of-service attack. We would be used as zombies in that case.
Why would we be vulnerable? You know, surely, in this day and age, we've got it right. We get security. We know the threats. We're good.
Unfortunately, that's not the case, and as a matter of fact, we're really very frequently still committing the same mistakes that we've always created. And one of the inherent problems or difficulties with network security is most mechanisms are designed to work,
not to work securely, and that's a huge problem.
What if you bought a door that had no lock like your front door.
Does that sound like a good idea?
Now here's my front door. You can open it and you can close it, but there's no lock.
I don't think that's a good idea. Now, couldn't I add on a lock? Yeah,
but any time you add security on rather than building it into the product, you're not really providing the same degree of security. A friend of mine says security should be baked in, not sprayed on.
And I think that's a really good idea.
For instance, for those of you that know a little bit about protocols, protocols are the set of rules about how computers communicate. We would have to share a protocol if we were communicating.
And the most common protocol in use today is called TCP/IP. And specifically we think a lot about IP. And I'm not gonna go into nerd land here talking about protocols, but I do just want to talk about IP just for a second to kind of convey this point. Um, IP, Internet Protocol.
It's the protocol of the Internet.
And yet, when I ask what built-in security secures IP,
The answer is nothing.
Here we've got this protocol designed to transfer information across the Internet. Not one bit of security is inherent to IP.
So we just throw up our hands and we say, "What? Why?" Well, think about when IP was designed and created. IP has been around long before Al Gore discovered the Internet. IP comes from the sixties, when the government designed IP to transfer information across secured physical links.
So if I have a physical link that's very, very secure, I don't have to worry about securing the protocol, or at least that's the thought. So a lot of times, what we have is these protocols that have been around for a long time are given new life and new function, but they're still unsecure.
If any of you are familiar with IP version 6, you may have heard of that. You may know that we're going to IP version 6 one of these days. IP version 6: the big push to move to IP version 6 should be because the protocol is inherently secure. Not saying it's foolproof,
but it has built-in security. We prefer security to be built in
to our systems, to our protocols, to our facilities. You know, that's not a concept that's just technical. Think about some of the buildings you've been in. You know, think about a stairwell that's just concrete steps all the way down, these corners that are blind, and you walk around and you have no idea what's going on.
Or maybe a stairwell with mesh steps, and you can see all the way down. And there's a mirror at every corner so you can see what's going on behind you. Stairwells with windows, even in the stairwell. There are things we can do in the design of a building, of a protocol, of an application, of an operating system
that enhance security.
So security is often thought of as an afterthought. Yeah, absolutely. You know, we ask the question, "Does it work?" and then, "Does it work securely?" That's part of the reason that we're vulnerable. You know, another thing: think about if any of you, through college or anywhere along the way,
if you've ever had to sit through an introduction to programming class,
and I know a lot of people out there have, as just a part of their general education.
The question I would like to ask for those of you that have sat through this class: I would love to know how much of that particular class was devoted to writing secure code.
And I think I can pretty much assume the answer is going to be zero, because I ask this question to a lot of people, and I have never heard anything other than zero. Nor has that been my experience. We're not teaching people to think securely. Now, I agree, that's outside of your hands, my hands.
Uh, you know, "I'm not an application developer. I don't need to buckle up and write secure code."
But the reason I stress this is I want you to understand, you know, sometimes we think, "Well, surely it's secure. They're letting us use it on the network." And, "Surely it's secure. It's the protocol of the Internet." Absolutely not. We take nothing for granted. So what do we do? You know, we've got some options.
Follow company policy, report anything suspicious. We've talked about those. The next slide really has some good ideas as well.
Using secure protocols.
HTTP: what security is in HTTP? Nothing.
So what do we do? We use HTTPS. What's the S stand for? Secure. And it uses a mechanism called TLS, which is Transport Layer Security. Or you may have heard of SSL. You know, again, it doesn't matter; those are protocols you don't have to be aware of. But the bottom line is, when you're
transmitting data across the Internet or to a Web server,
you want to use HTTPS whenever possible. Also, um,
protect your system physically. Next chapter or two, we're gonna talk about physical security and how to protect things. But again, don't focus so much on technical ideas that you forget the common sense physical things
to your system or to the network without express permission from your network team, from the security team, or whoever's the decision maker in that. You know, "I've got this thumb drive. I just want to bring it in and connect it, you know, copy a file over."
There's no telling what kind of garbage resides on that thumb drive
that you don't know about. Thumb drives are just havens for malicious stuff, and honestly, I mean, it's just a device, but it's a very easy way to spread viruses and worms. As a matter of fact, many organizations that are secure in nature are just gonna disallow thumb drives anyway. But don't bring stuff in from home.
Home is a different environment. We don't have the firewalls and the same degree of antivirus software. Perhaps we don't have the thoroughness of inspection, so it's very easy for us to have something that's infected at home, bring it in, put it in our system, and now we've infected our work computer. We don't want that to happen.
Scan all files before you download them.
You've got an antivirus program almost assuredly on your systems. Use it. You've got a file you wanna download; usually it's just a matter of a right click on the file or accessing your antivirus program. Make sure you're not bringing garbage into the network.
Don't download files unless you feel like the site from which you're downloading is reliable and is authentic.
There are a million different sites out there: "Click here and all of this can be yours." Be very suspicious, very suspicious. Encrypt email. Again, mail uses a couple of different protocols: SMTP,
POP3, IMAP. Those are just some protocols that we use to exchange mail.
Not one of those is secure.
Well, how about instant messaging? Not secure?
Most of the protocols that we see in and of themselves are unsecure.
That's why, in the applications that we have, we have the capability of encrypting. We have the capability of digital signing. And honestly, it's pretty much just a common practice for me to encrypt most information that I send on my company's network and then digitally sign it, just because
I want to be in that habit of protecting what I transmit. Now again, it really depends on company policy, what information I have, but I always feel like it's better to be safe than not. I want people to know if they get something that purports to be from me but it isn't, because they're used to getting messages from me that are digitally signed.
So I just like to implement good policies.
Um, something else that's not necessarily 100% tied into networking, but I did also want to mention standard fax machines.
Fax machines are kind of going the way of the dinosaur, as they should. They are inherently unsecured. Now, I'm not saying there aren't a million faxes in a million companies right now, but our mindset's really shifting away from those. There's no built-in security to a fax. You know, it's one of those few services that I use,
and I get a confirmation that everything worked, and I still have that sinking feeling in my stomach that it's out there in limbo, and sometimes it is. You know, often I get that confirmation, I'll call and say, "Did you receive it?" Maybe not. Well, you know, so maybe I've sent it to the wrong location. That's fine,
but I'm transmitting it in plain text.
It's usually going somewhere where it sits in a bin. Anybody can pick that file up
Just because a fax purports to come from me, there's no way to authenticate that.
Faxes are a good way to distribute spam, because you really can't guarantee the origin of these. Faxes have a lot of problems. And if there's another, better way to send information, I would absolutely choose it, you know, scanning a file and then sending it as email.
Well, when you do that, you get all the security benefits,
like encryption and digital signatures that you would have with email. So if you could do that, I would strongly recommend it. Some network security best practices: encrypt your data in transit.
Provide physical security for your host system, for your desktop or laptop computers. Try to use those secure protocols whenever possible. Follow company policy. Don't leave a system unprotected. Make sure that any breach doesn't go unreported, and anything suspicious, make sure you report.