
Network Security and Cryptography - Theory

Date: Jun 1, 2023
Updated: Jun 12, 2023 02:12 PM
Category: NCC computing
Tags: theory
 
 

Wireless networks

  • A wireless network has a number of wireless-enabled devices connected to an access point
  • Each access point connects to a wider network
    • Home wireless network: maybe the internet
    • Business wireless network: typically a LAN
  • A wireless network is less secure than a wired LAN
 

Wireless network security

  • A broadcast network exists between access points and devices.
  • The boundary of the network is limited by signal strength
  • Signals are often received outside of the building in which the network is housed.
  • Access to the network must be restricted
  • Transmission must be encrypted
 

General Security Options

 
  • Access to the access point is restricted in closed networks (at home or at an organization).
  • Because there are no access limitations in open, public networks, the network is isolated from all other networks that require a degree of security.
  • End-to-end encryption can be used to safeguard communication in mixed wireless networks.
 

WLAN Access Control

  • The IEEE 802.11 WLAN standard was ratified by the IEEE in 1997.
  • Access to the access point (AP) can be regulated.
  • Only authorized devices are permitted to connect to the AP.
  • One method is to filter Media Access Control (MAC) addresses.
 

Wired Equivalent Privacy (WEP)

  • 802.11's original security component
  • The goal is for only authorized parties to be able to see wirelessly transmitted data.
  • Encryption is used to protect traffic.
  • Designed to provide effective and moderately robust security
  • It has a number of security issues and has been surpassed by Wi-Fi Protected Access (WPA).
 

WEP Encryption

  • Uses the RC4 stream cipher for confidentiality
  • Uses the CRC-32 checksum for integrity
  • Secret keys can be 64 or 128 bits long
  • Some vendors supply a 256-bit key version
  • Can hold up to four shared secret keys
  • One key is designated as the default key
  • Key size is one of the security limitations in WEP
 

WEP Encryption Keys

  • A 64-bit WEP key has a 40-bit key (10 hexadecimal characters) plus a 24-bit initialization vector (IV)
  • A 128-bit WEP key has a 104-bit key (26 hexadecimal characters) plus a 24-bit IV
  • An IV is a continuously changing value used in combination with a secret key to encrypt data
  • Prevents sequences of identical text from producing the same exact ciphertext when encrypted
 

Open System Authentication

  • The client device, such as a laptop, does not offer authentication to the Access Point. Any wireless-enabled device within range of the Access Point can authenticate with it.
  • As a result, no true authentication happens.
  • WEP encryption keys are used on wireless networks to encrypt data frames.
  • At this stage, the client must have the necessary keys.
 

Shared Key Authentication

A five-step handshake procedure is as follows:
  1. The client sends an authentication request to the Access Point.
  2. The Access Point responds with a challenge in plain text.
  3. The client encrypts the challenge text using the WEP key.
  4. The client transmits the encrypted text in another authentication request.
  5. If the response matches the challenge text, the AP (Access Point) provides a positive response.
 
  • Following authentication, the WEP key is used for RC4 encryption.
  • Open System authentication is more secure than Shared Key authentication.
  • Capturing the challenge frames yields the key needed for the handshake.
  • Both authentication procedures are ineffective.
 

WEP Weaknesses

  • The 24-bit IV is too short and eventually repeats
    • There is a 50% chance that the same IV will recur after 5000 packets.
  • Packets can be replayed, allowing the access point to broadcast IVs.
  • WEP may be broken in a matter of minutes with the appropriate tools.
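
The sketch below is an added example, not part of the original notes. It models WEP's per-packet encryption (RC4 keyed with IV || secret, CRC-32 as the integrity value) to show why a repeated IV defeats confidentiality, and it checks the 5000-packet figure with the birthday approximation. The key, IV and plaintexts are constructed sample values, and the framing is simplified to IV plus encrypted body.

```python
import math
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: key scheduling, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Frame body = clear-text 24-bit IV + RC4(IV || key) over (data + CRC-32)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + key, plaintext + icv)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday approximation: chance that some IV repeats among random IVs."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2 * 2 ** iv_bits))

# Constructed sample values, not taken from any real network.
KEY = bytes.fromhex("0a1b2c3d4e")   # 40-bit secret = 10 hexadecimal characters
IV = bytes.fromhex("00002a")        # 24-bit IV, sent in clear with every frame
P1 = b"flight LH123 seat 14C"
P2 = b"flight BA456 seat 02A"

def reuse_leak() -> bytes:
    """Same IV and key give the same keystream, so C1 xor C2 equals P1 xor P2."""
    c1 = wep_encrypt(IV, KEY, P1)[3:]
    c2 = wep_encrypt(IV, KEY, P2)[3:]
    return xor(c1, c2)[:len(P1)]

if __name__ == "__main__":
    print("P(IV repeats within 5000 packets) = %.3f" % iv_collision_probability(5000))
    print("C1 xor C2 == P1 xor P2:", reuse_leak() == xor(P1, P2))
```

Because the keystream cancels out, the secret key never enters the comparison: the weakness comes from the short IV space, which is why a longer WEP key does not fix it.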
 

Wi-Fi Protected Access (WPA)

 

Question 1:

a)

A one-way hash function is like a secret math code for passwords. It turns passwords into unique codes that can't be reversed. This keeps passenger credentials safe on the flight booking website. The codes make it hard for hackers to get into user accounts and help protect users' information.

Based on the details provided in the scenario, here are two methods that can be used to improve password-based authentication on the new online flight booking website:

🔒 Password Complexity Requirements: Set strong password rules like minimum length, uppercase/lowercase letters, numbers, and special characters to make passwords harder to crack.
🔒 Multi-Factor Authentication (MFA): Add an extra layer of security by requiring additional verification, such as a unique code or fingerprint scan, along with the password. MFA reduces the risk of unauthorised access, even if passwords are compromised.

b) Describe general approaches you will recommend to ensure that the company’s wireless network is secured and limited only to staff with authorised access. [10 marks]

  1. 🔒 Using Strong Passwords for Wi-Fi Access: Set a strong and unique password for the wireless network. It should combine uppercase and lowercase letters, numbers, and special characters. Avoid using default passwords that are easy to guess.
  2. 🔄 Regularly Updating Firmware and Security Patches: Keep the wireless network devices updated with the latest firmware and security patches. This helps address any known vulnerabilities and ensures the network remains secure.

Question 2 – 25 Marks

(a) Based on the details and information provided in the scenario:

  1. 🔄 Check with Microsoft Security Bulletins: Microsoft regularly releases security bulletins and advisories that detail vulnerabilities and their corresponding patches. Visit the Microsoft Security Bulletin website and search for the specific vulnerability to see if a patch has been released.
  2. 🖥️ Use Vulnerability Scanning Tools: Employ vulnerability scanning tools to scan the network and identify unpatched systems. These tools check for known vulnerabilities, including the specific Microsoft vulnerability. Examples of popular vulnerability scanning tools include Nessus, OpenVAS, and QualysGuard.

Describe TWO (2) methods that could have been used to prevent the hackers' activities on the company’s network and systems before the ransomware attack.

🔒 Network Segmentation: Dividing the network into smaller segments limits hackers' movement and reduces the impact of a breach.
🔒 Regular Patching and Updates: Applying security patches and updates promptly helps close known vulnerabilities and reduces the risk of exploitation.

a) Describe TWO (2) wholly private and encrypted methods that can be recommended to secure travel tickets sent to passengers by the customer service advisor.

🔒 End-to-End Encryption: Use end-to-end encryption to secure travel tickets from the customer service advisor to the passengers. Only the intended recipient can decrypt and access the tickets. Applications like Signal and WhatsApp use this encryption method.
🔒 Secure File Transfer: Use secure protocols like SFTP or secure email gateways to transfer travel tickets securely. SFTP encrypts file transfers, while secure email gateways protect email attachments, ensuring ticket confidentiality during transit.

Question 3

a) Describe TWO (2) methods that can be used to protect copies of all passengers’ personal information and tickets on the customer service computer and Network-attached storage (NAS).

🔒 Data Encryption: Encrypting personal information and tickets adds an extra layer of protection. Tools like BitLocker or VeraCrypt can convert the data into a secure and unreadable format, ensuring confidentiality even if unauthorised access occurs.
🔒 Access Control and Authentication: Implementing access control measures, strong passwords, and MFA restricts access to authorised personnel only. MFA adds an extra verification step, such as a unique code, enhancing security and preventing unauthorised access.

b) 🔥 Packet Inspection Firewall in DMZ:

Here's how it works:
  1. Traffic Filtering: The packet inspection firewall analyses each packet of data passing through it. It examines the packet's header and payload to determine its source, destination, and content.
  2. Access Control: The firewall allows or blocks packets from entering or leaving the DMZ based on predefined rules. It can enforce policies like permitting web traffic while blocking unauthorised protocols or suspicious traffic.
  3. Stateful Inspection: The firewall maintains a state table that keeps track of active connections. It verifies that incoming packets belong to an established session and checks if they comply with the expected network behaviour.
  4. Network Address Translation (NAT): The firewall can perform Network Address Translation, which hides internal IP addresses by replacing them with the firewall's public IP address. This adds an extra layer of security and privacy.
  5. Intrusion Detection and Prevention: Some packet inspection firewalls include intrusion detection and prevention capabilities. They monitor network traffic for known attack patterns and malicious activities, alerting or blocking them to prevent potential threats.

✖ Limitations of Packet Inspection Firewalls:
1. Encrypted Traffic: Packet inspection firewalls struggle to inspect encrypted traffic, such as data sent over HTTPS. They cannot decrypt the payload, limiting their visibility into potential threats within encrypted communication.
2. Advanced Threats: Packet inspection firewalls rely on signature-based detection, making them less effective against zero-day attacks and sophisticated malware that doesn't match known signatures. Advanced threats can evade detection.
3. Performance Impact: Deep packet inspection adds overhead and can impact network performance, especially with large traffic volumes. Choosing a firewall that can handle the expected load without causing significant latency is important.
4. False Positives and Negatives: Packet inspection firewalls may generate false positives (flagging harmless traffic as malicious) or false negatives (failing to detect actual threats). Regular fine-tuning and updates are needed to minimise these occurrences.

Question 4

a) Here's how it works:

  1. Encryption: VPNs use encryption to secure data transmission, ensuring confidentiality and preventing unauthorised access.
  2. Tunnelling: VPNs create a secure tunnel through the internet, protecting data from interception and tampering.
  3. Authentication: Users must provide valid credentials to establish a VPN connection, ensuring only authorised individuals can access the NAS.
  4. IP Spoofing Protection: VPNs guard against IP spoofing, preventing unauthorised users from impersonating authorised users.
  5. Secure Access to Local Network: VPNs enable secure access to other resources on the internal network, facilitating remote work.

🔒 Appropriate VPN Type for the Scenario:

1. Ease of Use: SSL/TLS VPNs are user-friendly and accessible through web browsers, requiring no additional software or complex configurations.
2. Compatibility: SSL/TLS VPNs work on various operating systems, ensuring flexibility for the customer service advisor regardless of their device.
3. Security: SSL/TLS VPNs provide strong security measures, including encryption, data integrity verification, and client authentication, protecting data confidentiality and integrity.
4. Portability: SSL/TLS VPNs operate over standard HTTPS ports, allowing traffic to pass through most network configurations without complicated setups.
5. Remote Access: SSL/TLS VPNs enable secure remote access, allowing the customer service advisor to connect to the NAS from anywhere with internet access.
6. Scalability: SSL/TLS VPNs can handle multiple connections, making them suitable for organisations with many users needing remote access.

b) 🔒 Differences and Implications of URLs starting with HTTP:// and HTTPS://:

1. Data Encryption: HTTP transmits data in plain text, while HTTPS encrypts the data, protecting it from interception.
2. Data Integrity: HTTP lacks data integrity checks, but HTTPS ensures that the data remains unchanged during transmission.
3. Authentication and Trust: HTTPS uses digital certificates to authenticate websites and establish trust, reducing the risk of impersonation.
4. Sensitive Data Protection: HTTPS encrypts sensitive information, such as passwords and credit card details, preventing interception and theft.
5. Search Engine Ranking: HTTPS websites receive a ranking boost and are seen as more trustworthy by search engines like Google.

✅ Steps to Ensure Website Uses HTTPS:// When Back Online:

  1. Obtain an SSL/TLS Certificate: Get a certificate to enable HTTPS and encrypt data transmission.
  2. Install the Certificate: Configure the webserver to use the certificate for secure connections.
  3. Update Website URLs: Ensure all internal links, images, scripts, and resources use HTTPS.
  4. Implement Redirects: Set up automatic redirects from HTTP to HTTPS for a smooth transition.
  5. Test and Verify: Thoroughly test the website to ensure proper functionality over HTTPS.
  6. Update External Links: Contact website owners to update external links to HTTPS.
  7. Monitor and Maintain: Regularly check certificate validity, apply security patches, and enforce HTTPS on all pages.
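
As an added example (not part of the original answer), the script below supports the "Update Website URLs" and "Test and Verify" steps: it scans a page's HTML for resources and links still referenced over http://. The sample page and the booking.example host are constructed, and the active/passive grouping of tags is an assumption made for reporting.

```python
from html.parser import HTMLParser

URL_ATTRS = {"src", "href", "action", "data", "poster"}
# Tags whose content can change how the page behaves (scripts, styles, frames, forms).
ACTIVE_TAGS = {"script", "link", "iframe", "form", "object", "embed"}

class InsecureUrlFinder(HTMLParser):
    """Collects every URL attribute that still points at plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []  # tuples: (line, tag, attribute, url, kind)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            if value.strip().lower().startswith("http://"):
                if tag == "a":
                    kind = "navigation"   # ordinary link: update it to https://
                elif tag in ACTIVE_TAGS:
                    kind = "active"       # mixed content that can alter the page
                else:
                    kind = "passive"      # images, audio, video
                self.findings.append((self.getpos()[0], tag, name, value, kind))

def find_insecure_urls(html: str):
    finder = InsecureUrlFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page for the demonstration.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://booking.example/css/site.css">
<script src="http://booking.example/js/search.js"></script>
</head><body>
<img src="http://booking.example/img/logo.png" alt="logo">
<a href="http://booking.example/offers">Offers</a>
<form action="HTTP://booking.example/login" method="post"></form>
<img src="/img/plane.png" alt="relative URL, inherits the page scheme">
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url, kind in find_insecure_urls(SAMPLE_PAGE):
        print("line %d: <%s %s> %s [%s]" % (line, tag, attr, url, kind))
```

An empty result for every page is a reasonable gate before switching on the HTTP to HTTPS redirect.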