5.1 The Importance of Network Security

Information Security and Information Privacy on a Public or Private Network

In the field of cybersecurity—which is the practice of protecting systems, networks, devices, and data from online threats—information security and information privacy are not identical terms, although they are related. On one hand, information security is the practice of protecting information by mitigating information risks and vulnerabilities, which encompasses data privacy, data confidentiality, data integrity, and data availability and employs methods such as encryption, firewalls, and secure network design. Its aim is to shield both organizational and individual data from unauthorized access or tampering. In contrast, information privacy involves the right and measure of control individuals have over the collection, storage, management, and dissemination of personal information. Information privacy involves policies regarding what data are collected, how they are stored, and who has access to share information.

The two domains of information privacy and information security are not static; they are influenced by technological advancements and emerging threats. This makes continuous learning and adaptation important for anyone interested in the field. Both students and seasoned professionals need to maintain their skills and understanding to keep up with advancements in the field. This may include learning about the latest encryption methods or understanding new data privacy laws that impact the organization.

Although both information security and information privacy are equally important, they tackle different aspects of data protection. Think of information security as a bouncer at a club. Its job is to keep unwanted guests out, so it uses tools such as encryption to hide the important data, firewalls to block unauthorized entry, and secure networks to chase away any intruders. Information privacy, then, is more like getting access to the VIP room inside that club. It manages who gets in, who sees what, and what goes on inside. Imagine you have a list of the criteria for who can access the VIP room. When you’re not updating it, you keep it locked in a special drawer that only you have the key to, thus keeping the contents private. But privacy also includes making sure unauthorized people do not know who is on that list, or even that it exists.

In short, information security is about guarding the perimeter and protecting your assets, while information privacy is about managing access and keeping sensitive data private. Both are essential, but they play different roles in keeping your digital world safe. At the core of both information security and information privacy is a foundational model in cybersecurity that ensures information is protected and readily available to authorized users, called the confidentiality, integrity, and availability (CIA) triad (Figure 5.2).

Figure 5.2 The confidentiality, integrity, and availability (CIA) triad is the cornerstone framework for information security that aids in promoting the security and reliability of information systems. (attribution: Copyright Rice University, OpenStax, under CC BY 4.0 license)

The CIA triad is the backbone for creating cybersecurity systems, aiming to strike a balance between keeping things secure and ensuring that the people who are authorized to access the data and systems have access to it. As the name implies, the CIA triad is divided into three domains:

1. The measures that are meant to prevent sensitive information from being accessed by bad actors or by those users who have not been granted access is called confidentiality. The intent is to keep data in the correct hands and away from those who want to cause harm or exploit information for nefarious purposes. Additionally, confidentiality addresses policies involving human error, such as users not keeping strong passwords, failing to secure sensitive information when not in use, and falling prey to scammers. Scams often involve phishing, which is a type of social engineering attack that appears as a trustworthy entity in digital communication but steals user data, such as login credentials and financial information. Two means of applying confidentiality to an IT system are encryption and access controls.
2. Preserving the fidelity of data over its life cycle is called integrity. Any alteration to database tables, user records, or other data can be very damaging, often causing legal ramifications or loss of operations. Two means of maintaining the integrity of data are hashing and digital signatures.
   • The process of converting data into a fixed-size string of characters, typically used for security purposes to ensure data integrity, is called hashing. Hashing can verify the authenticity of a file by assigning a hash algorithm, such as Secure Hashing Algorithm 256 (SHA-256) that has a 64-character hexadecimal hash value assigned to the file by the algorithm. This results in a hash of characters that represent every point of data in the file, bit by bit. Even the smallest change in the file results in a drastically different chain of characters.
   • An electronic signature that uses cryptographic techniques to provide authentication and ensure the integrity of the signed digital document or message is a digital signature. They are used in online documents such as emails, bank documents, and online forms, and employ the public key infrastructure (PKI) to protect the confidentiality and integrity of data during transit. This method works by supplying a public and private key to each user transmitting information. Aside from protecting the confidentiality and integrity of data during transit, this framework helps to verify the authenticity of a file and its sender.
3. Ensuring that authorized users can access resources such as networks, databases, and other systems is called availability. This part of the triad often encompasses disaster recovery and response plans. There are several ways to maintain availability, such as keeping up with upgrades on equipment and software, maintaining backups in case of an attack or system failure, and ensuring that redundant systems are in place to protect the IT system.

Think about the CIA triad like this: Imagine you have a personal diary, and you want to make sure nobody else can read it. When you’re writing in it, you want to be able to access it easily, but when you put it away, you want to feel confident that no one else can access it.

Storing your diary in a safe when you’re not using it is a way of keeping it confidential. You could also put a seal on it, so if someone does try to tamper with it, you’ll know; that’s maintaining its integrity. Keeping the safe somewhere close, so you can get to your diary whenever you need it ensures that it is always available to you. This way, you’ve covered all the bases of the CIA triad.

Key Principles and Concepts of Network Security

In the complex world of cybersecurity, it is important for everyone to understand the foundational principles of the threats to digital security and the ways to safeguard digital assets. Whether you are a student, a new employee, or a boardroom executive, having a firm grasp on the key principles can help protect you from digital harm.

Imagine you’re setting up a home network. You notice that your devices receive different IP addresses from time to time. This is because many IP addresses are dynamic, changing with each connection. Now, visualize managing a large corporate network where stability and reliability are critical. Here, a company can use a static IP address, which is a permanent address assigned by an administrator that remains the same over time and is essential for services such as hosting servers, email servers, and network devices, or when remote access is required.

The consistency of a static IP address allows for reliable and straightforward network management, as well as easier implementation of security measures because the address can be precisely identified and controlled. Static IP addresses are used primarily for servers and network equipment. A dynamic IP address is one that is assigned each time a device connects to the internet and changes periodically, although not necessarily every time the device connects. This type of IP addressing is commonly used in residential and small business settings, where internet service providers (ISPs) assign these addresses to customers, and in larger companies for their client machines. Dynamic IP addressing is highly efficient for ISPs as it allows for the reuse and reallocation of a limited pool of IP addresses, optimizing the use of the IP address space, especially given the vast number of devices connecting and disconnecting from the internet.

The Internet Protocol version 4 (IPv4) is the fourth version of the fundamental protocol used for identifying devices on a network and routing data between them over the internet. It consists of four 8-bit groups that make up 32 bits total. In any given IP address under the IPv4 system, the range cannot exceed 256 in any 8-bit group; however, due to system limitations, addresses normally range from 0 to 255. The Internet Protocol version 6 (IPv6) has eight hexadecimal groups that allow up to 128 bits. There are many differences between these standards. For example, IPv6 can supply more security and a nearly limitless number of IP addresses (7.9 × 10²⁸). IPv6 is more secure than IPv4 because it was designed with built-in support for Internet Protocol Security (IPsec), which is a suite of protocols that provides end-to-end encryption and secure data exchange. Additionally, its massive address space allows for more efficient address allocation, reducing the risks of IP conflicts and improving overall network reliability.

Both IPv4 and IPv6 addresses often come accompanied by a subnet mask, which is an address used in routing and network organization that divides the IP address into network and host addresses. One method for allocating IP addresses is classless inter-domain routing (CIDR), which routes IP packets more efficiently than traditional classful IP addressing. CIDR is a key element of the IPv4 addressing method, as it increases efficiency and security by permitting the “borrowing” of bits of information to create a new range of IP addresses to form a subnet, which is a logically visible subdivision of an IP network. The subnet mask and CIDR help in segregating the network portion of an IP address from the host portion. This segregation is important for routing and for defining network boundaries, as it permits for the proper distribution of information and traffic to the intended recipient.

Another vital aspect of IP addressing is the way these addresses are allocated and managed. IPv4 addresses were developed in 1981 and were initially distributed in an erratic manner, leading to inefficient use of the address space. In contrast, IPv6 addresses are allocated based on a more hierarchical and organized structure, allowing for easier management and better security protocols. This process is managed by several organizations globally, such as the Internet Assigned Numbers Authority (IANA) and the five Regional Internet Registries (RIRs), ensuring a standardized approach to address allocation.

The Domain Name System (DNS) translates human-readable domain names to IP addresses, allowing users to access websites using familiar names. Essentially, it acts like a directory of the internet. This process is fundamental to web navigation, as it makes it possible for people to access information online without needing to remember complex numeric addresses. Just like a contact list keeps numbers, a DNS keeps IP addresses. Also, just like a contact list, these numbers must be updated frequently as people and equipment change. Figure 5.3 depicts how a DNS matches the client’s computer (i.e., IP address) to an organization’s website. While DNS is integral to web navigation, it can be exploited for malicious purposes, such as DNS spoofing, an attack where hackers corrupt DNS servers to redirect traffic to another server or website.

Figure 5.3 A DNS helps to identify and align the correct IP address to the URL. (attribution: Copyright Rice University, OpenStax, under CC BY 4.0 license)

It is crucial to implement DNS security measures to mitigate vulnerabilities. One way is to use Domain Name System Security Extensions (DNSSEC), a suite of extensions that add security by enabling DNS responses to be digitally signed and verified. This verification process helps in safeguarding against DNS spoofing and other types of DNS-based attacks. Furthermore, securing DNS resolvers with threat intelligence that prevents users from accidentally visiting sites that could compromise their security can also help block known malicious domains. Implementing these advanced DNS security measures is increasingly considered best practice in both professional and consumer settings. One type of threat DNSSECs can prevent is those involving DNS spoofing, such as a man-in-the-middle (MitM) attack, which is one that manipulates the DNS to redirect a website’s traffic to a different IP address, often controlled by the attacker. This allows the attacker to intercept and potentially modify the communication between the user and the intended website.

Another fundamental concept in network and information security is encryption, which transforms legible data into a coded format, making it unreadable to unauthorized entities. The encrypted data can only be converted back into its original format, a process called decryption, with the proper cryptographic key, which is a string of data used by encryption algorithms to encrypt and decrypt data. Encryption is particularly effective for safeguarding sensitive information during transmission or storage, making it an important tool for protecting data privacy and integrity.

The two most common types of encryption are symmetric and asymmetric. With symmetric encryption, the same key encrypts and decrypts the data. This approach can quickly and easily handle a lot of data all at once. The tricky part, though, is that both parties need to have the key, and sharing it securely can be challenging. In asymmetric encryption, also known as public-key cryptography, a public and a private key secure the connection. This eliminates the need to securely share a key, but it is slower than symmetric encryption. Each type of encryption serves specific use cases: symmetric is often used for data at rest, and asymmetric for data in transit. Asymmetric encryption is used in Secure Sockets Layer (SSL), a communication protocol that establishes a secure connection between devices or applications on a network by encrypting data sent between a browser and a website or between two servers, and Transport Layer Security (TLS), an updated version of SSL that uses an encrypted tunnel to protect data sent between a browser, a website, and the website’s server. TLS prevents unauthorized access to messages and protects against hackers hijacking connections. The standard symmetric encryption algorithm used globally to secure data, known for its speed and security, is advanced encryption standard (AES), while RSA encryption is a commonly used asymmetric cryptographic algorithm used for secure data transmission that is particularly useful in public-key cryptography.

The mechanism of authentication is the process of verifying the identity of a user, application, or device trying to access a network or system, often through credentials such as passwords or digital certificates. This can range from simple methods such as username and password combinations to more sophisticated techniques involving multi factor authentication (MFA), which is a security measure that requires users to verify their identity using multiple forms of credentials, such as a password, a security token, or biometric data, to access a system. MFA might require something you know (password), something you have (a mobile device for a token), and something you are (biometrics such as a fingerprint). Proper authentication methods are vital to ensuring that only authorized personnel have access to sensitive data and systems. However, if mismanaged, they could also become a massive security risk, such as if someone gained access to your biometric data to imitate your likeness.

Other key components in network security include firewalls, intrusion detection systems (IDSs), and virtual private networks. A virtual private network (VPN) is a service that creates a secure, encrypted connection over a less secure network, typically the internet, ensuring private data remains protected. A firewall is a network security system that uses security rules to monitor and control incoming and outgoing traffic, typically between a trusted network and an untrusted entity (such as local area networks or the internet). Intrusion detection systems (IDSs) are more advanced in their capability, as they use pattern detection. Firewalls are mostly a preventive measure, whereas IDSs are a detective measure. IDSs can watch network traffic to detect anomalies that could be a security breach. VPNs, on the other hand, are network configurations that can supply a secure virtual tunnel for data transmission, often used for establishing secure remote access to a network. Think of a VPN as a private, secure, virtual tunnel through the internet. This tube ensures that no one can intercept or access the data during its journey. Similarly, a VPN encrypts your internet connection, creating a secure tunnel that protects your data from hackers, spies, and other potential threats, ensuring that your online activities remain private and secure. Together, these technologies form the foundational layers of a comprehensive network security architecture, each serving a specific role but collectively contributing to the robustness of the entire system.

Network Vulnerabilities and Threats

Network vulnerabilities and threats are critical issues that impact the security posture of any organization. Weak configurations, outdated software, and lax security policies often make networks susceptible to a range of malicious activities. Understanding these vulnerabilities is a fundamental step in fortifying a network’s defenses.

Types of Network Vulnerabilities

When it comes to network security, software vulnerabilities often serve as an open door for attackers. A software vulnerability is a weakness or flaw within a software system, particularly in outdated or unpatched systems, that can be exploited by cybercriminals to gain unauthorized access or to disrupt the software’s normal functioning. Outdated software and unpatched systems are particularly risky because they may have known flaws that have not been addressed, making them a target for cybercriminals. Imagine your software as a building: If everyone knows there is a broken lock on one of the doors, it is only a matter of time before an unauthorized individual enters. Therefore, keeping software up to date is essential.

Several new vulnerabilities have been introduced into the digital world with the advent of artificial intelligence (AI), the branch of computer science focused on creating intelligent machines capable of performing tasks that typically require human intelligence, such as visual perception, speech recognition, decision-making, and language translation. One beneficial use of AI is to generate complex passwords. However, the technology can also be used in damaging ways. For example, computer-generated voices have increased robocalls, causing excess cell network traffic, and have been used by attackers to exploit and steal money from victims in social engineering attacks. Attackers have also used this same technology to crack passwords through brute-force attacks.

Link to Learning

In early 2024, the Federal Communications Commission (FCC) made it illegal for companies to use AI-generated voices in robocalls. Read their press release related to voice cloning technology to learn more about how companies use the technology and why the FCC has made it illegal.

Software updates not only provide new features and improve system performance, they also often deliver critical patches that resolve these vulnerabilities. Cybersecurity demands continuous monitoring and control from a proactive and reactive perspective. Unpatched systems may function normally, which can lead to a false sense of security. Breaches of such systems can compromise the entire network’s integrity. The risks include unauthorized data access, identity theft, or even denial of service attacks that can bring business operations to a halt. By understanding the risks posed by software vulnerabilities, organizations can make educated decisions about how to protect their network assets effectively.

Hardware Vulnerabilities

Hardware vulnerabilities can be just as dangerous as software vulnerabilities, but they are often overlooked. A hardware vulnerability is a weakness or flaw within the physical components of a network, such as routers or IoT devices. For example, unsecured routers and other networking devices can be weak points in an organization’s cybersecurity defenses. Imagine a router that’s still using the default password or is not properly configured; it becomes an easy target for cyberattacks. While it may seem trivial, the hardware that connects your network to the outside world should be as secure as the information it is supporting.

Issues can also arise with IoT devices. These gadgets, such as smart thermostats and smart coffee makers, are increasingly popular but are not always designed with security in mind. Even in an environment where computer systems are well protected, these seemingly harmless devices can be weak points for cyber threats. Without robust security measures, such as strong passwords and regular firmware updates, IoT devices can be manipulated to spy on an organization or serve as a launch pad for broader network attacks. Recognizing these hardware vulnerabilities is the first step toward developing a more comprehensive approach to network security.

Configuration Issues

Poor configuration can be a significant threat to security. Default settings on hardware and software are especially dangerous because they often turn into easy entry points for cybercriminals. For instance, leaving administrative credentials at their factory settings can provide an all-access pass into sensitive systems, compromising the entire network’s integrity. Similarly, poorly configured firewalls can be likened to having a state-of-the-art lock but leaving the key under the mat. Even advanced intrusion detection systems become largely ineffective if the firewall rules are not appropriately configured to filter malicious or unnecessary traffic. Poor configurations can lead to unauthorized access, data leaks, and theft of sensitive information.

Real-world incidents have underscored these risks. In 2017, the WannaCry ransomware attack exploited a vulnerability that could have been mitigated with proper security configurations.⁵ The malicious software that encrypts users’ files such as photos, documents, or other sensitive information and demands a ransom for their release is called ransomware. The WannaCry ransomware attack exploited a vulnerability in Microsoft Windows known as “EternalBlue,” which allowed the attack to spread across networks, encrypting files along the way (Figure 5.4). Microsoft published a fix for the vulnerability; however, many organizations were slow to make the update, which ultimately resulted in organizations losing billions of dollars. Additionally, numerous data breaches have occurred due to misconfigured cloud storage solutions, exposing sensitive customer data to the public.⁶ These incidents serve as cautionary tales, highlighting the need for mindfulness in system and network configurations.

Figure 5.4 Ransomware such as Eternal Blue is malware that encrypts a user’s files and demands payment in return for the decryption key. (credit: “Petya (malware)” by Petya/Wikimedia Commons, Public Domain)

Ensuring proper configuration is not just a task for the IT department but requires an organization-wide commitment to adhering to the best practices in cybersecurity. Properly configured settings are the first line of defense in a multilayered security approach, and lapses in this area can have catastrophic implications for any organization.

Types of Network Threats

As we navigate our day-to-day online activities at work, school, or home, there are multiple threats that we must mitigate for our safety. Threats from natural disasters and storms can disable a network, and threats from an external attacker can result in loss of operations or theft. Moreover, an internal threat that originates from within an organization can result in sabotage, data loss, or network compromise. There are three types of network threats: environmental, external, and internal, as Figure 5.5 illustrates.

Figure 5.5 Network threats typically fall into three categories: environmental, external, and internal. (attribution: Copyright Rice University, OpenStax, under CC BY 4.0 license; credit top left: modification of work “Noun storm 2616921” by Uswatun Hasanah/Wikimedia Commons, CC BY 4.0; credit top middle: modification of work “Noun Project 469419 Run Icon” by Gregor Cresnar/Wikimedia Commons, CC BY 3.0; credit top right: modification of work “Noun frustration Luis 163554” by Luis Prado/Wikimedia Commons, CC BY 4.0; credit bottom left: modification of work “API - The Noun Project” by “Five by Five”/Wikimedia Commons, CC0 1.0; credit bottom middle: modification of work “Noun Project problems icon 2417098” by “Template, TH”/Wikimedia Commons, CC BY 3.0; credit bottom right: modification of work “Noun confused 274449” by Ben Davis/Wikimedia Commons, CC BY 4.0)

Environmental and External Threats

An environmental threat in cybersecurity is an uncontrollable external factor such as a natural disaster or hardware failure that can damage data centers and disrupt business operations. These threats often get overshadowed by the dramatic nature of hacker attacks and internal espionage, yet their impact can be equally catastrophic. For instance, natural disasters such as earthquakes, floods, or hurricanes can severely damage data centers that host critical information and applications. The inability to access or recover this data not only interrupts business operations, but can also have legal and reputational ramifications. Moreover, as these calamities are beyond human control, they are particularly difficult to mitigate. In recent years, the increasing frequency of extreme weather events attributed to climate change has escalated this environmental risk, necessitating an urgent review and adaptation of existing disaster recovery and business continuity plans.⁷

Another common environmental threat is hardware failure. Servers, storage systems, and networking equipment can wear out over time. Without proper monitoring and maintenance, these failures can cause data loss or service interruptions. Unlike natural disasters, hardware failures are often preventable through regular inspections, timely upgrades, and redundancy systems. Many organizations employ real-time monitoring tools that alert them to potential hardware issues before they escalate into full-blown failures. Nonetheless, the commonplace nature of these threats should not lead to complacency; both natural disasters and hardware failures require strategic planning, investment in robust infrastructure, and ongoing vigilance to ensure organizational resilience.

An external threat in this context refers to a threat that originates from outside an organization, typically posed by cybercriminals or state-sponsored attackers who aim to exploit vulnerabilities for financial or strategic gain. Cybercriminals often appear as resourceful yet malicious actors who continually refine their tactics to evade detection and maximize their gains. Various methods, such as phishing schemes, malware deployment, and ransomware attacks, are among their preferred tools. These individuals or groups are not the only external threats, however; state-sponsored attacks present an even more daunting challenge. Orchestrated by nations aiming to steal critical information or disrupt infrastructures, these attacks benefit from considerable resources and advanced capabilities, turning cybersecurity into a complex game of geopolitics.⁸

Understanding the techniques of these external threats is necessary for developing effective defensive measures. For example, a common method used by cybercriminals is social engineering, which involves manipulating employees into revealing sensitive information, often leading to unauthorized system access. At the other end of the spectrum, state-sponsored attacks might employ highly sophisticated methods such as advanced persistent threats (APTs) to gain and maintain long-term access to target networks. These types of threats can include software such as a rootkit or malware. A rootkit enables attackers to have access to a system by masquerading as operating system processes, and malware is malicious software designed to damage, exploit, or infect systems, or otherwise compromise data, devices, users, or networks, using viruses, worms, and spyware that is installed into the basic input-output system (BIOS) of a computer. While cybercriminals are motivated primarily by financial gains, state-sponsored actors often have a more complex agenda, which could include espionage, destabilization, or strategic advantage. This complexity demands a full understanding, not just of the technological aspects of these threats, but also of the political dimensions that underlie them.

Internal Threats

An internal threat is one that originates from within an organization, such as disgruntled employees or poor security training for employees resulting in social engineering attacks. In cybersecurity, internal threats are particularly tricky because they relate to the risk of someone inside a company using their access to systems to cause damage or steal data. While organizations spend a lot on protecting their assets from external hackers, the risks from within can be just as damaging. Disgruntled employees, for instance, already have access to the organization’s network and thus can bypass one of the organization’s first lines of defense. As the motivations of such people can range from revenge to financial gain, they function as unpredictable actors within the cybersecurity landscape. To further complicate matters, insider threats may not even be intentionally malicious; they could simply be employees who unknowingly compromise security through poor practices, such as using weak passwords or falling victim to phishing scams.

Understanding the risks from internal threats means thinking beyond just technical fixes. The human factor is an important factor. Organizations must create a workplace where employees feel comfortable talking about their concerns. This can help reduce the chances of anyone becoming disgruntled. Simultaneously, companies must implement robust monitoring systems to identify unusual activity that could signal an internal threat. By recognizing the multifaceted nature of internal threats, organizations can develop a holistic strategy that integrates technological, psychological, and administrative measures to safeguard their assets.

Future Technology

The Future of Cyberattacks

Emerging technologies such as quantum computing and AI pose novel threats that organizations must prepare for. Quantum computing, a method of computing that uses qubits (a measurement of four states as opposed to two), with its unparalleled computational speed, has the potential to break existing encryption algorithms, rendering most current data protection measures obsolete. Initiatives such as post-quantum cryptography are in the works to counter this impending threat, but widespread adoption and implementation remain a challenge.

Alternatively, AI-driven cyberattacks are becoming increasingly sophisticated. Advanced machine learning algorithms can quickly analyze network vulnerabilities and execute complex attacks with little to no human intervention. Moreover, these algorithms can adapt and learn from each cyberattack, making them more effective with each iteration. This intensifies the need for cybersecurity measures to evolve in tandem, incorporating AI-driven threat detection and response systems that can match the capabilities of next-generation threats. Therefore, staying abreast of these future trends is not just advisable; it is imperative for long-term security resilience.