Network Security

We live in a golden age of technology, and unfortunately this also brings constant threats from those who are looking either to profit or to cause harm. I am going to discuss the security threats that can arise from the seemingly innocuous use of the common ping command, and I will also discuss phishing and social engineering. While many technological threats exist from a variety of sources, it is we ourselves who are the biggest threat to network security.

Ping

The ping command is a tool that allows a user to send packets to a specific IP address; in return, it reports how long it took to send the data and receive a response (Gavin, 2018). The tool is used to diagnose connection issues, as it can ping your router or a website. Sending a large number of pings continuously can slow down the responding device, because it replicates what would happen if a large number of users began using the website at once. This can cause slowdowns and, under extreme conditions, can even cause a server to stop responding. This is known as a denial-of-service (DoS) attack (Crelin, 2020). An IT worker may prevent or mitigate such an attack through the use of firewalls or backup equipment, and some third-party vendors build specialized equipment specifically to stop this kind of threat when it is leveled at one of the companies using their services (Crelin, 2020). These attacks are generally carried out with a bot army, a host of machines that have been infected with software that gives the attacker control to send these commands en masse. Beyond a technological solution, there is not much that an end-user can do to protect themselves against this threat. The company IT department and its security teams will be the main players in resolving this kind of situation. There are other kinds of threats, however, that an end-user can be on the lookout for, and at the same time end-users can be the weakest link in a network’s security if they fall victim to them. These threats are phishing and social engineering, and I will discuss them next.

Phishing

Phishing is a tactic that uses some kind of communication, such as email, sent with the intent of tricking a user into revealing information or installing malicious software (malware) (Cooper, 2019). The emails may appear to come from a bank, a known website such as eBay or Amazon, or some other important business, and some of them look convincing to those without the knowledge to see them for what they are. There are key indicators in the email, though, that show the hand of the attacker. These tell-tale signs include misspelled words, a return email address that does not go back to the domain of the website being impersonated, and wording that is generally designed to emotionally motivate someone to take action (Hadnagy & Fincher, 2015). The message may say that you will lose access to your account unless you click the link right now to resolve an issue. Clicking the link could take the user to a form that asks for the username and password for the account, giving this information to those who are working to exploit the end-user. This can cause a loss of finances, identity, or even reputation. If the link takes the user to a webpage and software is installed, this can give someone remote access, a back door, into a network. This can open the door to the theft of company information and give the attacker further access to network resources to do what they want, including installing additional malicious software on other devices. To counter phishing, training needs to be done at all levels to ensure that people know what to expect. In a business, this should be done routinely and then tested through fake phishing attempts, as phishing can be rendered completely ineffective if the staff simply ignores the email.

Christopher Hadnagy and Michele Fincher provide four questions in their book “Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails” that help train people to look out for phishing attempts (2015, p. 77).

  • Does the e-mail come from someone I know?
  • Was I expecting this email?
  • Are the requests being asked of me reasonable?
  • Does this e-mail employ the emotional content of fear, greed, or curiosity, or, most important, does it try to get me to take an action?

Asking these questions can help people avoid a phishing attempt and the losses they could otherwise incur. Phishing attempts skyrocketed in 2020 due to Covid-19, mostly because of the number of employees working remotely. Mobile phishing attempts increased 37% between the last quarter of 2019 and the first quarter of 2020 (SonicWall, 2021). These numbers show that this is a problem that is not going away or slowing down.
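
The indicators described in this section (a sender or reply address that does not belong to the impersonated company's domain, a link that leads somewhere else, and wording that pressures the reader to act) can also be checked mechanically as a complement to training. The following Python code is an added example, not part of the original post; the brand list, the phrase list, and the sample message are assumptions constructed for illustration, and it handles single-part plain-text messages only.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: brand name -> domain it legitimately sends from.
BRAND_DOMAINS = {"amazon": "amazon.com", "ebay": "ebay.com"}
# Assumed phrase list for fear/greed/curiosity pressure wording.
PRESSURE = re.compile(r"lose access|right now|immediately|suspended|you have won",
                      re.IGNORECASE)

def domain_of(address):
    """Return the lower-cased domain part of an e-mail address header."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def belongs_to(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def phishing_indicators(raw_message):
    """Return the list of indicators found in one plain-text message."""
    msg = message_from_string(raw_message)
    display_name = parseaddr(msg.get("From", ""))[0].lower()
    body = msg.get_payload()
    found = []
    # Which known brand does the display name claim to be, if any?
    brand = next((b for b in BRAND_DOMAINS if b in display_name), None)
    if brand:
        legit = BRAND_DOMAINS[brand]
        for header in ("From", "Reply-To"):
            dom = domain_of(msg.get(header, ""))
            if dom and not belongs_to(dom, legit):
                found.append(f"{header} domain {dom} is not {legit}")
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            host = (urlparse(url).hostname or "").lower()
            if not belongs_to(host, legit):
                found.append(f"link host {host} is not {legit}")
    hits = sorted({m.lower() for m in PRESSURE.findall(body)})
    if hits:
        found.append("pressure wording: " + ", ".join(hits))
    return found

# Constructed sample message (not a real e-mail).
SAMPLE = """\
From: "Amazon Support" <support@amazon.com.account-check.example>
Reply-To: help@account-check.example

You will lose access to your account unless you click right now:
http://amazon.com.account-check.example/login
"""
```

Note that the sample's sender domain begins with `amazon.com` but actually belongs to `account-check.example`, which is why the check compares the end of the domain rather than searching for the brand name inside it.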

Social Engineering

The act of social engineering is also known as human hacking, and it refers to convincing people to release information that may be private or even proprietary in nature (MA, 2019). This information is then used to further some kind of goal, such as gaining access to locations or gathering additional information that could not have been obtained without what was handed over. People like to be helpful, and when someone comes asking for help, our first inclination is often to put ourselves out there and try to assist (Rankin, 2014). This desire to help can be manipulated to gain information. For example, someone may call a business and pretend to be a customer in order to gain information about that customer, which could include a home address, phone number, or transactional details. While the damage to a person or business can be financial, as with phishing, reputational damage can also be done, and this is one of the hardest kinds to fix. Once a reputation is damaged, it can take many months or years to regain the trust of customers and partners. Much like phishing, the mitigation of social engineering attacks needs to happen with the employees of a company or the average person. For a business, this training needs to be routine and include tactics that employees can work through, such as the use of scripts or policies that ask for some kind of verification before information is given out. In Christopher Hadnagy and Paul Wilson’s book “Social Engineering: The Art of Human Hacking” there are six steps to take to mitigate and prevent these attempts (2011, p. 339).

  • Learning to identify social engineering attacks.
  • Creating a personal security awareness program.
  • Creating awareness of the value of the information that is being sought by social engineers.
  • Keeping software updated.
  • Developing scripts.
  • Learning from social engineering audits.

While people make mistakes and errors could still occur, the purpose is to continually train the employees and ensure that they are aware of what is expected of them. 

Conclusion

The types of threats on the internet are numerous, and there are many different ways to combat them. Some of these may be virus scanners or malware removal tools built by companies such as Norton or Malwarebytes. There can be complex software running on machines to ensure that updates are done on time and operating systems are patched, yet all it can take is one mistake from an employee to cause a costly issue through any of a variety of attack vectors. Constant, repetitive training, followed up with auditing and testing of the employees, is the only way to lower the threat of phishing and social engineering. It is the human element that is the weakest link in a business's network security strategy.

References

Cooper, P. G. (2019). Phishing. In Salem Press Encyclopedia. https://search-ebscohost-com.proxylibrary.ashford.edu/login.aspx?direct=true&db=ers&AN=89139014&site=eds-live&scope=site

Crelin, J. (2020). Denial-of-service attack. In Salem Press Encyclopedia. https://search-ebscohost-com.proxylibrary.ashford.edu/login.aspx?direct=true&db=ers&AN=90558289&site=eds-live&scope=site

Gavin, B. (2018, June 21). How to use the ping command to test your network. How-To Geek. https://www.howtogeek.com/355664/how-to-use-ping-to-test-your-network/

Hadnagy, C., & Fincher, M. (2015). Phishing dark waters: the offensive and defensive sides of malicious e-mails. Wiley. https://search-ebscohost-com.proxylibrary.ashford.edu/login.aspx?direct=true&db=cat02191a&AN=aul.EBC1895166&site=eds-live&scope=site

Hadnagy, C., & Wilson, P. (2011). Social engineering: the art of human hacking. Wiley. https://search-ebscohost-com.proxylibrary.ashford.edu/login.aspx?direct=true&db=cat02191a&AN=aul.EBC706746&site=eds-live&scope=site

MA, A. K., PhD ABD. (2019). Social Engineering. In Salem Press Encyclopedia. https://search-ebscohost-com.proxylibrary.ashford.edu/login.aspx?direct=true&db=ers&AN=89677630&site=eds-live&scope=site

Rankin, L., M.D. (2014, June 24). What Drives You to Help Others? Psychology Today. https://www.psychologytoday.com/us/blog/owning-pink/201406/what-drives-you-helpothers

SonicWall. (2021). 2021 Sonicwall cyber threat report [pdf]. Sonicwall. https://www.sonicwall.com/medialibrary/en/white-paper/2021-cyber-threat-report.pdf

Vahid, F., & Lysecky, S. (2017). Computing technology for all. zybooks.zyante.com/
