Assignment 1 Front Sheet: Qualification BTEC Level 5 HND Diploma in Computing Unit Number and Title Submission Date


ASSIGNMENT 1 FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing


Unit number and title Unit 5: Security
Submission date Date Received 1st submission
Re-submission Date Date Received 2nd submission
Student Name LÊ MINH KHANG Student ID GCS190749

Class GCS0903B Assessor name

Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.
Student’s signature
Grading grid
P1 P2 P3 P4 M1 M2 D1
❒ Summative Feedback: ❒ Resubmission Feedback:

Grade: Assessor Signature: Date:


Lecturer Signature:
Assignment Brief 1 (RQF)
Higher National Certificate/Diploma in Computing

Student Name/ID Number:


Unit Number and Title: Unit 5: Security
Academic Year: 2021 – 2022
Unit Assessor: Van Ho
Assignment Title: Security Presentation
Issue Date: April 1st, 2021
Submission Date:
Internal Verifier Name:
Date:

Submission Format:

Format:
● The submission is in the form of an individual written report. This should be written in a concise,
formal business style using single spacing and font size 12. You are required to make use of
headings, paragraphs and subsections as appropriate, and all work must be supported with
research and referenced using the Harvard referencing system. Please also provide a bibliography
using the Harvard referencing system.
Submission
● Students must submit the assignment by the due date and in the way requested by the
Tutor.
● The form of submission will be a soft copy posted on http://cms.greenwich.edu.vn/.
● Remember to convert the word file into PDF file before the submission on CMS.
Note:
● The individual Assignment must be your own work, and not copied by or from another student.
● If you use ideas, quotes or data (such as diagrams) from books, journals or other sources, you
must reference your sources, using the Harvard style.
● Make sure that you understand and follow the guidelines to avoid plagiarism. Failure to comply
with this requirement will result in a failed assignment.

Unit Learning Outcomes:

Task 1 - Identify types of security threat to organisations. Give an example of a recently publicized
security breach and discuss its consequences (P1)
To answer this section, follow each of the steps below:
1. Define threats

A security threat is anything with the potential to harm an organization's data or systems, most often a
malicious act that aims to steal or corrupt data or to disrupt the organization's operations. A security
event is an occurrence during which company data or its network may have been exposed, and an event
that results in an actual breach of data or of the network is called a security incident.
As cybersecurity threats continue to evolve and become more sophisticated, enterprise IT must
remain vigilant in protecting its data and networks. To do that, it first has to understand the types
of threats it is up against and the agents behind them.

2. Identify threat agents to organizations

Threat Agents:

Nation States
Companies that operate in certain sectors, e.g. telecoms, oil and gas, mining, power generation and
other national infrastructure, may find themselves a target for foreign nations that want either to
disrupt operations now or to gain a future hold over that nation in times of adversity.

There have been many examples of this, from the alleged Russian interference with the 2016 US
Presidential election, to Sony claiming that North Korea was responsible for the hacking of its
systems in 2014, and more recently the concerns about Huawei providing 5G network equipment
because of the possibility of it passing information to the Chinese government.

Non-target specific:
(Ransomware, Worms, Trojans, Logic Bombs, Backdoors and Viruses perpetrated by vandals and
the general public).
There have been so many times that companies have said to me "Oh, we're not going to be a target for
hackers because..." But the number of random attacks going on every day is so vast (there are no
accurate statistics on this to share here) that any organisation can become a victim.

The most famous example of a non-target-specific attack is the WannaCry ransomware outbreak of May
2017, which affected over 200,000 computers in 150 countries. In the UK it disrupted NHS hospitals
and GP surgeries for several days. And, of course, there is the bored teenager in a loft somewhere
just trawling the internet for a weak link.

Employees and Contractors:


Signature-based tools are reasonably good at catching known malware, but they offer little against a
zero-day exploit. It is humans who are often the weakest link in the security system, either
maliciously or accidentally.

Common mistakes such as sending an email to the wrong person happen, but usually we realise the
mistake quickly and are able to rectify the situation. Simple measures such as password-protecting
files can also help to limit the damage from such mistakes.

Unfortunately there are also disgruntled people who purposefully harm organisations from the
inside. In 2014 the supermarket chain Morrisons suffered a case in which a disgruntled internal
auditor downloaded payroll and other HR personal data and published it on the internet. The
ex-employee was convicted and sent to prison, and Morrisons was also found vicariously liable in a
group claim brought by affected staff, although the UK Supreme Court overturned that finding in
2020.

There are also times when organisations need specialist help and so engage contractors or external
agencies who need some access to their systems or data. It is often these third parties that cause a
problem, because the devices they use to reach the data controller's data may not have the same
level of security.

Terrorists and Hacktivists:


(political parties, media, enthusiasts, activists, vandals, general public, extremists, religious
followers)
Rather like the threat from nation states, the level of threat these agents pose depends on your
activities. However, some terrorist and hacktivist groups target particular industries or countries,
so there can be a persistent risk of an opportunistic attack against you.

Perhaps the most famous example of this is the WikiLeaks publication in 2010 of a large volume of US
diplomatic cables and military documents relating to the wars in Iraq and Afghanistan.

Organised crime:
 (local, national, transnational, specialist)
Criminals target personal data for a number of different reasons: credit card fraud, identity theft,
bank account fraud and so on. These crimes are now perpetrated on an industrial scale. Methods vary
from phishing attacks to "watering hole" websites, but the end result is the same: your data is
extracted and used for criminal purposes.

According to the Credit Industry Fraud Avoidance System (Cifas) Fraudscape 2018 report, the number
of identity frauds increased once again in 2017, with almost 175,000 cases recorded. Although this
was only a 1% increase on 2016, it is a 125% increase on 10 years earlier, and 95% of these cases
involved the impersonation of an innocent victim.

Natural disasters:
 (fire, flood, earthquake, volcano)
Whilst not a cyber attack, these events can have the same net effect on your ability to do business.
If you cannot access your offices, your data centres, or files stored in the cloud, you are still
experiencing a data disaster, and this must be planned for. In the UK the threat of earthquake is
very low, but every year we see pictures of a town or city under water.

Corporates:
 (competitors, partners)
The threat from a competitor stealing your intellectual property is obvious, but we increasingly
work with many partner organisations to fill gaps in skills and resources, or simply to provide
services. These partner companies may steal or reveal your intellectual property, or the personal
data you are storing, either unwittingly or maliciously, depending on their motives.

Perhaps the example that best shows how partner organisations can be the cause of a breach is the
attack on the US retailer Target in 2013. The attackers targeted (excuse the pun) Target's suppliers
and found a weak link in an HVAC contractor, Fazio Mechanical. A phishing email to a Fazio employee
yielded credentials for Target's vendor portal, from which the attackers eventually reached Target's
point-of-sale systems. This gave them access to up to 40 million credit and debit cards belonging to
shoppers who had visited its stores during the 2013 holiday season, and has cost Target over $200m.
3. List the types of threats that organizations will face

1. Insider threats

An insider threat occurs when individuals close to an organization who have authorized access to
its network intentionally or unintentionally misuse that access to negatively affect the
organization's critical data or systems.

Careless employees who don't comply with their organizations' business rules and policies cause
insider threats. For example, they may inadvertently email customer data to external parties, click
on phishing links in emails or share their login information with others. Contractors, business
partners and third-party vendors are the source of other insider threats.

Some insiders intentionally bypass security measures out of convenience or ill-considered attempts
to become more productive. Malicious insiders intentionally elude cybersecurity protocols to
delete data, steal data to sell or exploit later, disrupt operations or otherwise harm the business.

Preventing insider threats

The things an organization can do to minimize the risks associated with insider threats include the
following:

 limit employees' access to only the specific resources they need to do their jobs;

 train new employees and contractors on security awareness before allowing them to
access the network. Incorporate information about unintentional and malicious insider
threat awareness into regular security training;

 set up contractors and other freelancers with temporary accounts that expire on specific
dates, such as the dates their contracts end;
 implement two-factor authentication, which requires each user to provide a second
piece of identifying information in addition to a password; and

 install employee monitoring software to help reduce the risk of data breaches and the
theft of intellectual property by identifying careless, disgruntled or malicious insiders.


2. Viruses and worms

Viruses and worms are malicious software programs (malware) that damage an organization's
systems, data and network. A computer virus is malicious code that replicates by copying itself into
another program, system or host file. It remains dormant until someone knowingly or inadvertently
runs it, and then spreads the infection without the knowledge or permission of the user or system
administrator.

A computer worm is a self-replicating program that does not need to attach itself to a host program
or rely on human interaction to spread. Its main function is to infect other computers while
remaining active on the infected system. Worms typically spread through network services and
operating system features that run automatically and invisibly to the user. Once a worm enters a
system it immediately starts replicating itself, infecting other computers and networks that are
not adequately protected.
Preventing viruses and worms

To reduce the risk of these types of information security threats caused by viruses or worms,
companies should install antivirus and antimalware software on all their systems and networked
devices and keep that software up to date. In addition, organizations must train users not to
download attachments or click on links in emails from unknown senders and to avoid downloading
free software from untrusted websites. Users should also be very cautious when they use P2P file
sharing services and they shouldn't click on ads, particularly ads from unfamiliar brands and
websites.

3. Botnets

A botnet is a collection of internet-connected devices, including PCs, mobile devices, servers and
IoT devices, that are infected with and remotely controlled by a common type of malware.
Typically, the botnet malware scans the internet for vulnerable devices. The goal of the threat
actor building a botnet is to infect as many connected devices as possible and to use their
computing power and resources for automated tasks that generally remain hidden from the devices'
users. The threat actors -- often cybercriminals -- that control these botnets use them to send
email spam, run click-fraud campaigns and generate the traffic for distributed denial-of-service
attacks.
Preventing botnets

Organizations have several ways to prevent botnet infections:

 monitor network performance and activity to detect any irregular network behavior;

 keep the operating system up to date;

 keep all software up-to-date and install any necessary security patches;

 educate users not to engage in any activity that puts them at risk of bot infections or
other malware, including opening emails or messages, downloading attachments or
clicking links from unfamiliar sources; and

 implement anti-botnet tools that find and block bot malware. In addition, most firewalls
and antivirus products include basic tools to detect, prevent and remove bots.
4. Drive-by download attacks

In a drive-by download attack, malicious code is downloaded and run on a device through a browser,
a browser plugin or the operating system without the user's permission or knowledge. The user does
not have to click on anything to trigger the download; simply visiting a compromised or malicious
website can start it. Cybercriminals use drive-by downloads to plant banking Trojans, collect
personal information and deliver exploit kits or other malware to endpoints.

Preventing drive-by download attacks

One of the best ways a company can prevent drive-by download attacks is to regularly update and
patch systems with the latest versions of software, applications, browsers, and operating systems.
Users should also be warned to stay away from insecure websites. Installing security software that
actively scans websites can help protect endpoints from drive-by downloads.

5. Phishing attacks

Phishing attacks are a type of information security threat that employs social engineering to trick
users into breaking normal security practices and giving up confidential information, including
names, addresses, login credentials, Social Security numbers, credit card information and other
financial information. In most cases, hackers send out fake emails that look as if they're coming
from legitimate sources, such as financial institutions, eBay, PayPal -- and even friends and
colleagues.

In phishing attacks, hackers attempt to get users to take some recommended action, such as
clicking on links in emails that take them to fraudulent websites that ask for personal information
or install malware on their devices. Opening attachments in emails can also install malware on
users' devices that are designed to harvest sensitive information, send out emails to their contacts
or provide remote access to their devices.

Preventing phishing attacks


Enterprises should train users not to download attachments or click on links in emails from
unknown senders and to avoid downloading free software from untrusted websites. Training alone is
not enough, though: multi-factor authentication limits what a stolen password is worth, and email
authentication (SPF, DKIM and DMARC) makes it harder to spoof the sending domain.
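The point of a phishing link is that what the reader sees is not where the link goes. The following is an added example, not code from the original report, showing the check a mail filter or a cautious user can apply: collect every link in an HTML message, compare the host named in the visible text with the host in the href, flag punycode (xn--) look-alike domains, and flag hosts the genuine sender would never link to. The sample message and the allow-list of expected hosts are constructed for the example.

```python
"""Flag phishing-style links in an HTML email body.

Added example, not part of the original report. A phishing mail usually
relies on the visible link text naming one host while the href points at
another, on a look-alike (punycode) domain, or on a host the real sender
would never link to. The sample message and the list of hosts the sender is
expected to link to are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: hosts a genuine message from this sender may link to.
EXPECTED_HOSTS = {"paypal.com", "www.paypal.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-case host of a URL, or of bare 'host/path' text; '' if none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def looks_like_url(text):
    """Visible text such as 'www.paypal.com/verify' that a reader takes for a URL."""
    return "." in text and " " not in text


def suspicious_links(html_body, expected_hosts=EXPECTED_HOSTS):
    """Return (href, visible_text, reason) for each link a reader should distrust."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        if looks_like_url(text) and host_of(text) != href_host:
            findings.append((href, text, "visible text names a different host"))
        elif "xn--" in href_host:
            findings.append((href, text, "punycode (xn--) host"))
        elif href_host not in expected_hosts:
            findings.append((href, text, "host not in expected list"))
    return findings


# Constructed sample: one genuine link, one text/href mismatch, one punycode host.
SAMPLE_EMAIL = """\
<p>Your account has been limited. See the
<a href="https://www.paypal.com/help">Help Center</a>.</p>
<p>Verify now: <a href="http://paypal.com.verify-login.example/x">www.paypal.com/verify</a></p>
<p>Or contact <a href="https://xn--pypal-4ve.com/login">PayPal support</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

The first link passes because its host is on the allow-list; the second is caught because the text says `www.paypal.com` while the href host is `paypal.com.verify-login.example`; the third is caught by the punycode check even though its visible text is a harmless phrase. In a real filter the allow-list would come from the sender's verified domain (DMARC-aligned), not from a hard-coded set.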

6. Distributed denial-of-service (DDoS) attacks

In a distributed denial-of-service (DDoS) attack, many compromised machines attack a target, such as
a server, website or other network resource, at the same time. The flood of connection requests,
incoming messages or malformed packets forces the target system to slow down or to crash and shut
down, denying service to legitimate users or systems.

Preventing DDoS attacks

To help prevent DDoS attacks, companies should take these steps:

 Implement monitoring that shows network traffic over time and establish how much bandwidth a
site uses on average. A DDoS attack stands out as a departure from that baseline, so
administrators who understand the normal behaviour of their networks are better placed to
catch these attacks early.

 Ensure servers have the capacity to absorb heavy traffic spikes and that the mitigation tools
needed to address an attack are in place.

 Update and patch firewalls and network security programs.

 Set up procedures outlining the steps to take in the event of a DDoS attack.

7. Ransomware

In a ransomware attack, the victim's computer is locked, typically by encryption, which keeps the
victim from using the device or data that's stored on it. To regain access to the device or data, the
victim has to pay the hacker a ransom, typically in a virtual currency such as Bitcoin. Ransomware
can be spread via malicious email attachments, infected software apps, infected external storage
devices and compromised websites.

Preventing ransomware

To protect against ransomware attacks, users should regularly back up their computing devices and
update all software, including antivirus software. Users should avoid clicking on links in emails or
opening email attachments from unknown sources. Victims should do everything possible to avoid
paying ransom. Organizations should also couple a traditional firewall that blocks unauthorized
access to computers or networks with a program that filters web content and focuses on sites that
may introduce malware. In addition, limit the data a cybercriminal can access by segregating the
network into distinct zones, each of which requires different credentials.

8. Exploit kits

An exploit kit is a pre-packaged toolkit, usually hosted on a compromised or attacker-controlled web
server, that probes a visiting browser and its plugins for known vulnerabilities and uses them to
install malware, so that an attacker with little programming skill can customize and distribute
malware at scale. Exploit kits are known by a variety of names, including infection kit, crimeware
kit, DIY attack kit and malware toolkit. Cybercriminals use these toolkits to exploit system
vulnerabilities in order to distribute malware or carry out other malicious activities, such as
stealing corporate data, launching denial-of-service attacks or building botnets.

Preventing exploit kits


To guard against exploit kits, an organization should deploy antimalware software as well as a
security program that continually evaluates if its security controls are effective and provide
protection against attacks. Enterprises should also install antiphishing tools because many exploit
kits use phishing or compromised websites to penetrate the network.

9. Advanced persistent threat attacks

An advanced persistent threat (APT) is a targeted, long-running intrusion in which a well-resourced
attacker, typically a nation state or a group working on its behalf, penetrates a network and
remains undetected for an extended period of time. Rather than causing visible damage to a system or
network, the goal of an APT is usually to monitor activity and steal information; the intruder uses
exploits, custom malware and backdoors to gain access and keep it. APT campaigns are aimed at
high-value targets, such as large enterprises and government bodies, and steal data over a long
period.

Preventing APT attacks

Detecting anomalies in outbound data may be the best way for system administrators to determine
if their networks have been targeted.

Indicators of APTs include the following:

 unusual activity on user accounts;

 extensive use of backdoor Trojan horse malware, which enables APTs to maintain access;

 odd database activity, such as a sudden increase in database operations involving massive
amounts of data; and

 the presence of unusual data files, possibly indicating that data has been bundled into
archives to assist in the exfiltration process.
To combat this type of information security threat, an organization should also deploy a software,
hardware or cloud firewall, with logging of outbound (egress) traffic so that unusual transfers can
be spotted, and a web application firewall to detect and prevent attacks coming through web
applications by inspecting HTTP traffic.
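The DDoS monitoring step above (know a site's normal traffic and watch for departures from it) and the APT advice to look for anomalies in outbound data are the same technique applied in two directions: establish a baseline and flag values that deviate from it by more than a few standard deviations. The following is an added example, not code from the original report. It parses constructed flow-log lines, counts inbound flows per minute against a per-minute baseline to catch a flood, and totals outbound bytes per internal host against that host's own baseline to catch exfiltration. The log format, the 10.0.0.0/8 internal range and the baseline figures are all assumptions made for the example.

```python
"""Baseline-and-deviation detection over flow logs.

Added example, not from the original report. It covers two of the
indicators the report lists: an inbound connection flood (DDoS) and an
unusual volume of outbound data from one host (APT exfiltration). The log
lines, the 10.0.0.0/8 internal range and the baselines are all constructed.
"""
import re
import statistics
from collections import Counter, defaultdict

# Assumed log format: "<timestamp> src=<ip> dst=<ip> bytes=<n>", one flow per line.
FLOW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes=(\d+)$")


def is_internal(ip):
    """Treat 10.0.0.0/8 as the protected network (assumption for the example)."""
    return ip.startswith("10.")


def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, nbytes = m.groups()
        flows.append({"ts": ts, "src": src, "dst": dst, "bytes": int(nbytes)})
    return flows


def exceeds_baseline(value, baseline, k=3.0):
    """True if value is more than k standard deviations above the baseline mean.

    The deviation is floored at 1 so a flat baseline still gives a usable
    threshold instead of flagging every tiny change.
    """
    mean = statistics.mean(baseline)
    sd = max(statistics.pstdev(baseline), 1.0)
    return value > mean + k * sd


def inbound_flood_minutes(flows, baseline_per_minute, k=3.0):
    """Minutes whose count of inbound flows is far above the per-minute baseline."""
    per_minute = Counter(
        f["ts"] for f in flows if is_internal(f["dst"]) and not is_internal(f["src"])
    )
    return sorted(ts for ts, n in per_minute.items()
                  if exceeds_baseline(n, baseline_per_minute, k))


def outbound_volume_outliers(flows, baseline_bytes_per_host, k=3.0):
    """Internal hosts whose outbound byte total is far above their own baseline."""
    per_host = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            per_host[f["src"]] += f["bytes"]
    return sorted(host for host, total in per_host.items()
                  if host in baseline_bytes_per_host
                  and exceeds_baseline(total, baseline_bytes_per_host[host], k))


# Constructed baselines "from the previous week": inbound flows per minute,
# and outbound bytes per host for a window of the same length as the sample.
BASELINE_INBOUND_PER_MINUTE = [3, 2, 4, 3, 2, 3, 4]
BASELINE_OUTBOUND_BYTES = {
    "10.0.0.5": [1200, 1500, 900, 1300],
    "10.0.0.7": [5000, 4800, 5200],
}

# Constructed sample: a normal minute, then a minute with 12 inbound flows from
# 12 external sources, while 10.0.0.5 pushes 250 KB out to one external host.
SAMPLE_LOG = """\
2021-10-06T13:00 src=198.51.100.4 dst=10.0.0.20 bytes=500
2021-10-06T13:00 src=198.51.100.5 dst=10.0.0.20 bytes=520
2021-10-06T13:00 src=198.51.100.6 dst=10.0.0.20 bytes=510
2021-10-06T13:00 src=10.0.0.7 dst=203.0.113.9 bytes=5100
2021-10-06T13:00 src=10.0.0.5 dst=203.0.113.40 bytes=120000
2021-10-06T13:01 src=10.0.0.5 dst=203.0.113.40 bytes=130000
this line is garbage and is skipped
""" + "".join(f"2021-10-06T13:01 src=198.51.100.{i} dst=10.0.0.20 bytes=60\n"
              for i in range(10, 22))


def run(log=SAMPLE_LOG):
    """Run both detectors over the log and return their findings."""
    flows = parse_flows(log)
    return {
        "inbound_flood_minutes": inbound_flood_minutes(flows, BASELINE_INBOUND_PER_MINUTE),
        "outbound_outliers": outbound_volume_outliers(flows, BASELINE_OUTBOUND_BYTES),
    }


if __name__ == "__main__":
    print(run())
```

The baseline is kept separate from the observation window on purpose: if the flood were folded into the baseline it would inflate the standard deviation and hide itself. Hosts with no baseline are ignored here; in practice a host that has never sent data outbound before is itself worth a look.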

10. Malvertising

Malvertising is a technique cybercriminals use to inject malicious code into legitimate online
advertising networks and web pages. This code typically redirects users to malicious websites or
installs malware on their computers or mobile devices. Users' machines may get infected even if
they don't click on anything to start the download. Cybercriminals may use malvertising to deploy
a variety of moneymaking malware, including cryptomining scripts, ransomware and banking
Trojans.

Some of the websites of well-known companies, including Spotify, The New York Times and the
London Stock Exchange, have inadvertently displayed malicious ads, putting users at risk.

Preventing malvertising

To prevent malvertising, ad networks should add validation; this reduces the chance that a user
could be compromised. Validation could include vetting prospective customers by requiring legal
business paperwork, two-factor authentication for advertiser accounts, scanning submitted ads for
malicious content before publishing them, or converting Flash ads to animated GIFs or other inert
content.

To detect malvertising, web hosts should periodically browse their own websites from a deliberately
unpatched test machine and monitor that machine for any malicious activity; any malicious ads found
should be disabled.

To reduce the risk of malvertising attacks, enterprise security teams should be sure to keep
software and patches up to date as well as install network antimalware tools.
4. What are the recent security breaches? List and give examples with dates. Discuss the
consequences of this breach

There are many security breaches, so I will list some examples with dates. I found them on the
internet.

1. CAM4 data breach

Date: March 2020

Impact: 10.88 billion records.

Adult video streaming website CAM4 left an Elasticsearch server exposed on the internet without
authentication, revealing over 10 billion records.
The breached records included the following sensitive information:

 Full names

 Email addresses

 Sexual orientation 

 Chat transcripts

 Email correspondence transcripts

 Password hashes

 IP addresses

 Payment logs

Many of the exposed email addresses are linked to cloud storage services. If attackers were to
launch successful phishing attacks on these users, they could gain deeper access to personal photos
and business information.

Because of the sensitive nature of the exposed database, affected users could fall victim to
blackmail and defamation attempts for many years to come.

2. Twitch data breach


Date: October 2021

Impact: 7 million users (potentially)

Twitch, an Amazon-owned company, suffered a breach of almost its entire code base. The exact
impact of the incident has not been confirmed, but given the depth of the compromise it has the
potential to affect all of Twitch's users.

125 GB of sensitive data was posted via a torrent link on the anonymous forum 4chan.

The leaked data included:

 the entirety of Twitch's source code;

 three years of payout reports for creators (including high-profile creators);

 code for all of Twitch's properties (including IGDB and CurseForge);

 code related to proprietary SDKs and internal AWS services used by Twitch;

 the identity of an unreleased Steam competitor from Amazon Game Studios, "Vapor";

 Twitch's internal red-teaming tools, used by its security teams for cyberattack training
exercises.
Though Twitch admitted in its statement that a subset of creator payout data was also accessed, the
company stated that credit card numbers and bank information were not compromised.

The weakness that made the breach possible was a server configuration change that permitted
unauthorized access by a third party. This has since been remediated.

Most cybercriminals put stolen data up for sale after a breach, but the unidentified attacker, who
was probably working through a proxy server, was not interested in monetary gain. Instead, their
stated objective was to cause mass disruption in order to punish Twitch for fostering a toxic
community of users.

3. SolarWinds data breach

Date: March 2020

Impact: 18,000 businesses

In March 2020, nation-state attackers believed to be Russian compromised a DLL file that was shipped
in a software update for SolarWinds' Orion platform. The supply chain attack affected up to 18,000
SolarWinds customers, including six US government departments, and was not discovered until
December 2020.
This incident was the impetus for President Biden's Executive Order on Improving the Nation's
Cybersecurity (May 2021), which requires federal agencies and their software suppliers to strengthen
supply chain security.

The same highly sophisticated attackers are believed to be responsible for the FireEye breach,
which resulted in the theft of its Red Team assessment tools, a set of tools FireEye developed to
find exploitable weaknesses in its clients' environments.

Given that FireEye's client base includes government entities, it has further been speculated that
these Red Team tools contributed to the US government breach, an attack described by security
experts as the biggest in the nation's history.

The list of victims continues to grow. To check whether you have been affected, you should perform a
thorough risk assessment for each vendor.

 Suggest solutions to organizations.

Below are five well-proven ways to reduce the chance of a security breach occurring at your
company.

o Limit access to your most valuable data.

o Require third-party vendors to comply with your security requirements.

o Conduct employee security awareness training.

o Update software regularly.

o Develop a cyber breach response plan.


Task 2 - Describe at least 3 organisational security procedures (P2)
To answer this section, you need to mention and discuss 3 security procedures that an organization uses to
improve or provide organizations security.
(Word limit: 500 – 750 words)

What are Security Procedures?

Security procedures are detailed step-by-step instructions on how to implement, enable, or enforce
security controls as enumerated from your organization’s security policies. Security procedures should
cover the multitude of hardware and software components supporting your business processes as well as
any security related business processes themselves (e.g. onboarding of a new employee and assignment of
access privileges).

Below are some policies for security procedures examples:

 Acceptable Use Policy (AUP)


An AUP stipulates the constraints and practices that an employee using organizational IT assets must
agree to in order to gain access to the corporate network or the internet. It is a standard onboarding
document for new employees: they are given an AUP to read and sign before being granted a network
ID. It is recommended that an organization's IT, security, legal and HR departments agree together
on what is included in this policy.

 Access Control Policy (ACP)


The ACP outlines the access available to employees in regards to an organization’s data and information
systems. Some topics that are typically included in the policy are access control standards such
as NIST’s Access Control and Implementation Guides. Other items covered in this policy are standards for
user access, network access controls, operating system software controls and the complexity of corporate
passwords. Additional supplementary items often outlined include methods for monitoring how corporate
systems are accessed and used; how unattended workstations should be secured; and how access is
removed when an employee leaves the organization.

 Change Management Policy


A change management policy refers to a formal process for making changes to IT, software development
and security services/operations. The goal of a change management program is to increase the awareness
and understanding of proposed changes across an organization, and to ensure that all changes are
conducted methodically to minimize any adverse impact on services and customers.
Task 3 - Identify the potential impact to IT security of incorrect configuration of firewall policies
and IDS (P3)
To answer this section, follow each of the steps below:
1. Discuss briefly firewalls and policies, their usage and advantages in a network

Firewall defined

A firewall is a security device — computer hardware or software — that can help protect your network
by filtering traffic and blocking outsiders from gaining unauthorized access to the private data on your
computer.
Not only does a firewall block unwanted traffic, it can also help block malicious software from
infecting your computer.
Firewalls can provide different levels of protection. The key is determining how much protection you
need.
The topics below can help you learn what firewalls do and determine the level of protection that will
help keep your computer and the data on it safe and secure.
Top 5 Firewall Benefits

Understanding the benefits of firewall security is the first step in helping your business grow safely
in the ever-changing digital age. Even if your business only relies on technology and networks for
a small piece of your operations, it is still equally important that you take proactive steps to keep
things protected. Firewalls serve as a first line of defense to external threats, malware, and hackers
trying to gain access to your data and systems.

o Monitors Network Traffic

All of the benefits of firewall security start with the ability to monitor network traffic. Data coming
in and out of your systems creates opportunities for threats to compromise your operations. By
monitoring and analyzing network traffic, firewalls leverage preestablished rules and filters to keep
your systems protected. With a well-trained IT team, you can manage your levels of protection
based on what you see coming in and out through your firewall.

o Stops Virus Attacks

Few things shut digital operations down faster than a malware outbreak, and new malware samples
appear every day in very large numbers. One of the most visible benefits of a firewall is the ability
to control your systems' entry points: by closing every port and service that does not need to be
reachable, it removes many of the channels through which malware arrives. A firewall does not
inspect every file, so it complements rather than replaces endpoint anti-malware. The cost of damage
from a malware outbreak can be immeasurably high, depending on the type of malware.
o Prevents Hacking

Unfortunately, the trend of businesses moving more toward digital operations invites thieves and
bad actors to do the same. With the rise of data theft and criminals holding systems hostage,
firewalls have become even more important, as they prevent hackers from gaining unauthorized
access to your data, emails, systems, and more. A firewall can stop a hacker completely or deter
them to choose an easier target. 

o Stops Spyware

In a data-driven world, a much-needed benefit is stopping spyware from gaining access and getting
into your systems. As systems become more complex and robust, the entry points criminals can
use to gain access to your systems also increase. One of the most common ways unwanted people
gain access is by employing spyware and malware: programs designed to infiltrate your systems,
control your computers, and steal your data. Firewalls serve as an important blockade against these
malicious programs.

o Promotes Privacy

An overarching benefit is the promotion of privacy. By proactively working to keep your data and
your customers' data safe, you build an environment of privacy that your clients can trust. No one
likes their data stolen, especially when it is clear that steps could have been taken to prevent the
intrusion. 

Additionally, upgraded data-protection systems can be a competitive advantage and a selling point
to customers and clients. The benefit increases the more sensitive the data your company deals
with.

2. How does a firewall provide security to a network?

A firewall is a system that provides network security by filtering incoming and outgoing network
traffic based on a set of user-defined rules. In general, the purpose of a firewall is to reduce or
eliminate the occurrence of unwanted network communications while allowing all legitimate
communication to flow freely. In most server infrastructures, firewalls provide an essential layer of
security that, combined with other measures, prevent attackers from accessing your servers in
malicious ways.

This guide will discuss how firewalls work, with a focus on stateful software firewalls, such as
iptables and FirewallD, as they relate to cloud servers. We’ll start with a brief explanation of TCP
packets and the different types of firewalls.
TCP Network Packets

Before discussing the different types of firewalls, let’s take a quick look at what Transmission
Control Protocol (TCP) network traffic looks like.

TCP network traffic moves around a network in packets, which are containers that consist of a
packet header—this contains control information such as source and destination addresses, and
packet sequence information—and the data (also known as a payload). While the control
information in each packet helps to ensure that its associated data gets delivered properly, the
elements it contains also provide firewalls with a variety of ways to match packets against firewall
rules.

It is important to note that successfully receiving incoming TCP packets requires the receiver to
send outgoing acknowledgment packets back to the sender. The combination of the control
information in the incoming and outgoing packets can be used to determine the connection state
(e.g. new, established, related) between the sender and receiver.

Types of Firewalls

Let’s quickly discuss the three basic types of network firewalls: packet filtering (stateless), stateful,
and application layer.

Packet filtering, or stateless, firewalls work by inspecting individual packets in isolation. As such,
they are unaware of connection state and can only allow or deny packets based on individual
packet headers.

Stateful firewalls are able to determine the connection state of packets, which makes them much
more flexible than stateless firewalls. They work by collecting related packets until the connection
state can be determined before any firewall rules are applied to the traffic.

Application firewalls go one step further by analyzing the data being transmitted, which allows
network traffic to be matched against firewall rules that are specific to individual services or
applications. These are also known as proxy-based firewalls.

In addition to firewall software, which is available on all modern operating systems, firewall
functionality can also be provided by hardware devices, such as routers or firewall appliances.
Again, our discussion will be focused on stateful software firewalls that run on the servers that
they are intended to protect.

Firewall Rules

As mentioned above, network traffic that traverses a firewall is matched against rules to determine
whether it should be allowed through or not. An easy way to explain what firewall rules look like is to
show a few examples, so we’ll do that now.

Suppose you have a server with this list of firewall rules that apply to incoming traffic:

1. Accept new and established incoming traffic to the public network interface on port 80 and
443 (HTTP and HTTPS web traffic)
2. Drop incoming traffic from IP addresses of the non-technical employees in your office to
port 22 (SSH)
3. Accept new and established incoming traffic from your office IP range to the private
network interface on port 22 (SSH)

Note that the first word in each of these examples is either “accept”, “reject”, or “drop”. This
specifies the action that the firewall should take in the event that a piece of network traffic matches a
rule. Accept means to allow the traffic through, reject means to block the traffic but reply with an
“unreachable” error, and drop means to block the traffic and send no reply. The rest of each rule
consists of the condition that each packet is matched against.

As it turns out, network traffic is matched against a list of firewall rules in a sequence, or chain,
from first to last. More specifically, once a rule is matched, the associated action is applied to the
network traffic in question and no later rule is consulted. In our example, if an accounting employee
attempted to establish an SSH connection to the server, their traffic would be dropped based on rule 2,
before rule 3 is even checked. A system administrator, however, would be accepted because they
would match only rule 3.

Default Policy:
It is typical for a chain of firewall rules to not explicitly cover every possible condition. For
this reason, firewall chains must always have a default policy specified, which consists
only of an action (accept, reject, or drop).
Suppose the default policy for the example chain above was set to drop. If any computer
outside of your office attempted to establish an SSH connection to the server, the traffic
would be dropped because it does not match the conditions of any rules.
If the default policy were set to accept, anyone, except your own non-technical employees,
would be able to establish a connection to any open service on your server. This would be
an example of a very poorly configured firewall because it only keeps a subset of your
employees out.
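The first-match chain and default policy described above, as an added example (not code from the original report or from any firewall product). The office and employee addresses are constructed from RFC 5737 documentation ranges; the three rules are the ones listed in the text.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence

ACTIONS = {"accept", "reject", "drop"}


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    iface: str    # interface the packet arrives on: "public" or "private"
    dport: int    # destination TCP port
    state: str    # connection state as a stateful firewall sees it


@dataclass(frozen=True)
class Rule:
    action: str
    src_nets: Optional[Sequence[str]] = None   # CIDR blocks; None matches any source
    iface: Optional[str] = None                # None matches any interface
    dports: Optional[Sequence[int]] = None     # None matches any port
    states: Optional[Sequence[str]] = None     # None matches any state

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only when every condition it specifies is satisfied."""
        if self.src_nets is not None and not any(
            ip_address(pkt.src) in ip_network(net) for net in self.src_nets
        ):
            return False
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


def evaluate(chain: Sequence[Rule], default_policy: str, pkt: Packet) -> str:
    """Walk the chain first to last; the first matching rule decides.
    A packet that matches no rule falls through to the default policy."""
    if default_policy not in ACTIONS:
        raise ValueError(f"default policy must be one of {sorted(ACTIONS)}")
    for rule in chain:
        if rule.action not in ACTIONS:
            raise ValueError(f"unknown action {rule.action!r}")
        if rule.matches(pkt):
            return rule.action
    return default_policy


# Constructed addresses (RFC 5737 documentation ranges), not taken from the text.
OFFICE_RANGE = "203.0.113.0/24"
NON_TECHNICAL = ["203.0.113.10/32", "203.0.113.11/32"]   # e.g. accounting desks
ACCOUNTING_PC, SYSADMIN_PC, OUTSIDE_HOST = "203.0.113.10", "203.0.113.50", "198.51.100.7"

# The three rules from the text, in the order given.
CHAIN = [
    Rule("accept", iface="public", dports=[80, 443], states=["new", "established"]),
    Rule("drop", src_nets=NON_TECHNICAL, dports=[22]),
    Rule("accept", src_nets=[OFFICE_RANGE], iface="private", dports=[22],
         states=["new", "established"]),
]


def ssh_from(src: str, iface: str = "private", default_policy: str = "drop") -> str:
    """Verdict for a new SSH connection attempt from the given source address."""
    return evaluate(CHAIN, default_policy, Packet(src, iface, 22, "new"))


if __name__ == "__main__":
    print("accounting -> SSH:", ssh_from(ACCOUNTING_PC))     # drop: rule 2 wins before rule 3
    print("sysadmin   -> SSH:", ssh_from(SYSADMIN_PC))       # accept: rule 3
    print("outsider   -> SSH, default drop:", ssh_from(OUTSIDE_HOST))
    print("outsider   -> SSH, default accept:", ssh_from(OUTSIDE_HOST, default_policy="accept"))
```

The last line reproduces the poorly configured case from the text: with a default policy of accept, only the listed non-technical employees are kept out.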

3. Show with diagrams the example of how firewall works

For example: diagram of how a firewall works


How Does it Work?

A firewall resides at the junction or gateway between two networks (i.e. a private and a public network).
Generally, firewalls work at layer 3 and layer 4 of the OSI model (i.e. the Network and Transport layers
respectively). It examines all the incoming and outgoing traffic and blocks traffic that does not meet
the criteria of the specified security rules (i.e. the ACL). These rules can be based on a number of things
such as:

i) IP Address

ii) Domain Names

iii) Protocols

iv) Programs

v) Ports

vi) Key words

etc…

What an ACL looks like

The firewall has been the first line of defense in network security for over 25 years now. It filters the
incoming traffic by the rules that are configured and customised by the network administrator, who
decides what comes in and what goes out of the internal network. So it is a very important job. It is
essential for homes and small businesses to have a strongly configured firewall on their systems. It is
even more important for large organizations, as many more servers and computers are attached
to the network, and the firewall keeps them safe by blocking or denying malicious traffic.

4. Define IDS, its usage, and show it with diagrams examples

For example: IDS diagram

What is an Intrusion Detection System?

An intrusion detection system (IDS) is a device or software application that monitors a network for
malicious activity or policy violations. Any malicious activity or violation is typically reported or
collected centrally using a security information and event management (SIEM) system. Some IDSs are
capable of responding to a detected intrusion upon discovery. These are classified as intrusion
prevention systems (IPS).

IDS Usage in Networks

When placed at a strategic point or points within a network to monitor traffic to and from all
devices on the network, an IDS will perform an analysis of passing traffic, and match the traffic
that is passed on the subnets to the library of known attacks. Once an attack is identified, or
abnormal behavior is sensed, the alert can be sent to the administrator.

Evasion Techniques

Being aware of the techniques available to cyber criminals who are trying to breach a secure
network can help IT departments understand how IDS systems can be tricked into missing
actionable threats:

 Fragmentation: Sending fragmented packets allows the attacker to stay under the radar,
bypassing the detection system's ability to detect the attack signature.
 Avoiding defaults: The port utilized by a protocol does not always provide an indication of
the protocol that’s being transported. If an attacker has reconfigured a trojan to use a different
port, the IDS may not be able to detect its presence.
 Coordinated, low-bandwidth attacks: Coordinating a scan among numerous attackers, or
even allocating various ports or hosts to different attackers. This makes it difficult for the
IDS to correlate the captured packets and deduce that a network scan is in progress.
 Address spoofing/proxying: Attackers can obscure the source of the attack by using poorly
secured or incorrectly configured proxy servers to bounce an attack. If the source is
spoofed and bounced by a server, it becomes very difficult to detect.
 Pattern change evasion: An IDS relies on pattern matching to detect attacks. By making slight
adjustments to the attack architecture, detection can be avoided.
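The fragmentation item above is the one most directly answered by detector design: a signature matcher that inspects each segment in isolation never sees a string that is split across segments, while one that reassembles the flow by sequence number does. The following is an added example (not code from the report or from any IDS product); the signature, flow addresses and segments are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed signature for this example; a real IDS loads these from a ruleset.
SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    "probe-string": re.compile(rb"EVIL-PROBE-STRING"),
}

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Segment:
    """One TCP segment of a flow, as a sensor would capture it."""
    flow: Flow
    seq: int          # byte offset of this payload within the stream
    payload: bytes


def per_packet_alerts(segments: List[Segment]) -> List[str]:
    """Naive detector: matches every segment on its own.
    A signature split over two segments is never seen whole, so it is missed."""
    alerts = []
    for seg in segments:
        for name, pattern in SIGNATURES.items():
            if pattern.search(seg.payload):
                alerts.append(name)
    return alerts


def reassemble(segments: List[Segment]) -> Dict[Flow, bytes]:
    """Rebuild each flow's byte stream, ordering segments by sequence number so
    that fragmented or out-of-order delivery does not change what is inspected."""
    by_flow: Dict[Flow, List[Segment]] = {}
    for seg in segments:
        by_flow.setdefault(seg.flow, []).append(seg)
    streams: Dict[Flow, bytes] = {}
    for flow, segs in by_flow.items():
        buf = bytearray()
        for seg in sorted(segs, key=lambda s: s.seq):
            if seg.seq > len(buf):                       # gap: pad until data arrives
                buf.extend(b"\x00" * (seg.seq - len(buf)))
            buf[seg.seq:seg.seq + len(seg.payload)] = seg.payload   # overlaps overwrite
        streams[flow] = bytes(buf)
    return streams


def stream_alerts(segments: List[Segment]) -> List[str]:
    """Detector that matches signatures against the reassembled stream instead."""
    alerts = []
    for data in reassemble(segments).values():
        for name, pattern in SIGNATURES.items():
            if pattern.search(data):
                alerts.append(name)
    return alerts


FLOW: Flow = ("198.51.100.7", 40321, "203.0.113.5", 80)   # constructed addresses
# The probe string is split across three segments that also arrive out of order.
FRAGMENTED = [
    Segment(FLOW, 0, b"GET /index.html?q=EVIL-"),
    Segment(FLOW, 29, b"STRING HTTP/1.1\r\n"),
    Segment(FLOW, 23, b"PROBE-"),
]

if __name__ == "__main__":
    print("per-packet alerts:", per_packet_alerts(FRAGMENTED))   # []
    print("stream alerts:    ", stream_alerts(FRAGMENTED))       # ['probe-string']
```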

5. Write down the potential impact (Threat-Risk) of a firewall and IDS if they are incorrectly
configured in a network

Firewall Misconfigurations Have an Impact on Business:

Firewall misconfigurations can also have a significant impact on your business. “Businesses are
trusting you to secure their data at the speed at which they’re trying to move,” Styles says. You don’t
want to lose that trust.

“Automation is the key to handling speed and volume with the least amount of errors,” Styles says.
Automation also helps you reduce human error, improve service levels and prevent friction.

“It’s also something you can monetize. For example, you can promote the fact that you can reduce
misconfigurations by a certain percent. So automation can definitely benefit MSPs who want to
capitalize on it,” says Styles.

Risk of a firewall when it is incorrectly configured in a network:

Crucial Policy-Level Configurations

Styles says policy-level firewall configurations are typically a business’ first line of defense. On
behalf of your clients, firewall policies allow you to enable access to applications that employees
are permitted to use, prohibit others, and block malicious traffic. Unfortunately, common firewall
misconfigurations often result in overly permissive access.

Styles says policy-level misconfigurations can occur in a variety of ways. For example,
fat-fingering an object, designating an incorrect zone when you’re onboarding a new customer, or
mistakenly creating a rule that bypasses the egress filter.

Unfortunately, firewall misconfigurations can lead to three serious outcomes for your clients:

 Compliance violations: A properly configured firewall is necessary for businesses to
comply with PCI standards or regulations in retail, finance or healthcare. Noncompliance
leads to fines.
 Breach avenues: A firewall misconfiguration that results in unintended access can open the
door to breaches, data loss and stolen or ransomed IP.
 Unplanned outages: A misconfiguration could prevent a customer from engaging with a
business, and that downtime leads to lost revenues. For example, large e-commerce
businesses could lose thousands or even millions of dollars until the error is corrected.

Task 4 - Show, using an example for each, how implementing a DMZ, static IP and NAT in a
network can improve Network Security (P4)
1. Define and discuss with the aid of diagram DMZ. Focus on its usage and security function as
advantage.

What is a DMZ in networking?

In computer networks, a DMZ, or demilitarized zone, is a physical or logical subnet that
separates a local area network (LAN) from other untrusted networks, usually the public
internet. DMZs are also known as perimeter networks or screened subnetworks.

Any service provided to users on the public internet should be placed in the DMZ network.
External-facing servers, resources and services are usually located there. Some of the most
common of these services include web, email, domain name system, File Transfer Protocol
and proxy servers.
Servers and resources in the DMZ are accessible from the internet, but the rest of the
internal LAN remains unreachable. This approach provides an additional layer of security
to the LAN as it restricts a hacker's ability to directly access internal servers and data from
the internet.

Hackers and cybercriminals can reach the systems running services on DMZ servers. Those
servers must be hardened to withstand constant attack. The term DMZ comes from the
geographic buffer zone that was set up between North Korea and South Korea at the end of
the Korean War.

For example: diagram of how a DMZ works

DMZs function as a buffer zone between the public internet and the private network. The DMZ
subnet is deployed between two firewalls. All inbound network packets are then screened using a
firewall or other security appliance before they arrive at the servers hosted in the DMZ.

If better-prepared threat actors pass through the first firewall, they must then gain unauthorized
access to the services in the DMZ before they can do any damage. Those systems are likely to be
hardened against such attacks.

Finally, assuming well-resourced threat actors take over a system hosted in the DMZ, they must
still break through the internal firewall before they can reach sensitive enterprise resources.
Determined attackers can breach even the most secure DMZ architecture. However, a DMZ under
attack will set off alarms, giving security professionals enough warning to avert a full breach of
their organization.

Benefits of Using a DMZ

The main benefit of a DMZ is to provide an internal network with an advanced security layer by
restricting access to sensitive data and servers. A DMZ enables website visitors to obtain certain
services while providing a buffer between them and the organization’s private network. As a result,
the DMZ also offers additional security benefits, such as:

1. Enabling access control: Businesses can provide users with access to services outside the
perimeters of their network through the public internet. The DMZ enables access to these
services while implementing network segmentation to make it more difficult for an
unauthorized user to reach the private network. A DMZ may also include a proxy server,
which centralizes internal traffic flow and simplifies the monitoring and recording of that
traffic.
2. Preventing network reconnaissance: By providing a buffer between the internet and a
private network, a DMZ prevents attackers from performing the reconnaissance work they
carry out when searching for potential targets. Servers within the DMZ are exposed publicly but
are offered another layer of security by a firewall that prevents an attacker from seeing
inside the internal network. Even if a DMZ system gets compromised, the internal firewall
separates the private network from the DMZ to keep it secure and make external
reconnaissance difficult.
3. Blocking Internet Protocol (IP) spoofing: Attackers attempt to find ways to gain access to
systems by spoofing an IP address and impersonating an approved device signed in to a
network. A DMZ can discover and stall such spoofing attempts as another service verifies
the legitimacy of the IP address. The DMZ also provides network segmentation to create a
space for traffic to be organized and public services to be accessed away from the internal
private network.

Services of a DMZ include:

1. DNS servers
2. FTP servers
3. Mail servers
4. Proxy servers
5. Web servers

2. Define and discuss with the aid of diagram static IP. Focus on its usage and security function as
advantage.
For example: static IP diagram

What is a static IP address?

A static IP address is simply an address that doesn't change. Once your device is assigned a static
IP address, that number typically stays the same until the device is decommissioned or your
network architecture changes. Static IP addresses generally are used by servers or other important
equipment.
Static IP addresses are assigned by Internet Service Providers (ISPs). Your ISP may or may not
allocate you a static IP address depending on the nature of your service agreement. We describe
your options a little later, but for now assume that a static IP address adds to the cost of your ISP
contract.
A static IP address may be IPv4 or IPv6; in this case the important quality is static. Some day,
every bit of networked gear we have might have a unique static IPv6 address. We're not there yet.
For now, we usually use static IPv4 addresses for permanent addresses.

Advantages of a static IP

There are numerous advantages to using a static IP address. Among these benefits are:
 Better DNS support: Static IP addresses are much easier to set up and manage with
DNS servers.
 Server hosting: If you are hosting a web server, email server, or any other kind of
server, having a static IP address makes it easier for customers to find you via DNS.
Practically speaking, that means it's quicker for clients to get to your websites and
services if they have a static IP address.
 Convenient remote access: A static IP address makes it easier to work remotely
using a Virtual Private Network (VPN) or other remote access programs.
 More reliable communication: Static IP addresses make it easier to use Voice over
Internet Protocol (VoIP) for teleconferencing or other voice and video
communications.
 More reliable geo-location services: With a static IP address, services can match
the IP address with its physical location. For example, if you use a local weather
service with a static IP address you're more likely to get the weather report you need
instead of the one for the next city over.

3. Define and discuss with the aid of diagram NAT. Focus on its usage and security function as
advantage

For example: NAT diagram

What is Network Address Translation (NAT)?

Network Address Translation (NAT) is the process of mapping one internet protocol (IP) address to
another by changing the header of IP packets while they are in transit via a router. This helps to improve
security and decrease the number of IP addresses an organization needs.

How does Network Address Translation work?

NAT works through a gateway that sits between two networks: the internal network and the
outside network. Systems on the inside network are typically assigned IP addresses that cannot be routed
to external networks (e.g., addresses in the 10.0.0.0/8 block).

A few externally valid IP addresses are assigned to the gateway. The gateway makes outbound traffic
from an inside system appear to be coming from one of the valid external addresses. It takes incoming
traffic aimed at a valid external address and sends it to the correct internal system.

This helps ensure security, because each outgoing or incoming request must go through a translation
process, which offers the opportunity to qualify or authenticate incoming streams and match them to
outgoing requests.

NAT conserves the number of globally valid IP addresses a company needs and -- in combination with
Classless Inter-Domain Routing (CIDR) -- has done a lot to extend the useful life of IPv4 as a result. NAT
is described in general terms in IETF RFC 1631.
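The translation step described above, as an added example (not code from the report or from any router vendor): a port-based NAT gateway with one public address records each outbound request in a table, rewrites the source, and admits inbound packets only when they match a recorded request. The addresses are constructed from private and documentation ranges, and the rule that a reply must come from the exact peer the request was sent to is an assumption of this model (real gateways differ in how strictly they filter).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


@dataclass
class NatGateway:
    """Model of a port-based NAT: one public address shared by many inside hosts."""
    public_ip: str
    next_port: int = 40000
    # public port -> (inside endpoint, outside peer the session was opened to)
    table: Dict[int, Tuple[Endpoint, Endpoint]] = field(default_factory=dict)
    # (inside endpoint, outside peer) -> public port, so a session reuses its port
    reverse: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite an inside->outside packet so it appears to come from the gateway."""
        key = (src, dst)
        if key not in self.reverse:
            port = self.next_port            # allocate a fresh public port
            self.next_port += 1
            self.reverse[key] = port
            self.table[port] = key
        return ((self.public_ip, self.reverse[key]), dst)

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Translate an outside->inside packet, or return None to drop it.
        Only a reply to a recorded outbound request reaches an inside host."""
        if dst[0] != self.public_ip:
            return None                      # not addressed to this gateway
        entry = self.table.get(dst[1])
        if entry is None:
            return None                      # nobody inside opened this port: unsolicited
        inside, expected_peer = entry
        if src != expected_peer:
            return None                      # assumption: reply must come from the same peer
        return (src, inside)


GW = NatGateway("203.0.113.1")                         # constructed public address
HOST_A: Endpoint = ("10.0.0.5", 51000)                 # inside hosts (private range)
HOST_B: Endpoint = ("10.0.0.6", 51000)
WEB: Endpoint = ("198.51.100.20", 443)                 # outside web server
STRANGER: Endpoint = ("192.0.2.9", 6000)               # unrelated outside host


def demo() -> Dict[str, object]:
    """Run the exchanges the text describes and return each verdict by name."""
    a_out = GW.outbound(HOST_A, WEB)                   # inside -> outside, rewritten
    b_out = GW.outbound(HOST_B, WEB)                   # second host, same public IP
    return {
        "a_out": a_out,
        "b_out": b_out,
        "reply_to_a": GW.inbound(WEB, a_out[0]),       # matches the recorded request
        "unsolicited_ssh": GW.inbound(STRANGER, (GW.public_ip, 22)),   # dropped
        "stranger_on_a_port": GW.inbound(STRANGER, a_out[0]),          # dropped
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

Two inside hosts share one public address and are told apart only by the allocated port, which is the address-conservation benefit the text mentions; the two `None` results are packets the translation step refuses to forward.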

What are the Benefits of NAT?

Some benefits of NAT include:

 Reuse of private IP addresses

 Enhancing security for private networks by keeping internal addressing private from the external
network

 Connecting a large number of hosts to the global Internet using a smaller number of public
(external) IP addresses, thereby conserving IP address space