Tuesday, 18 September 2018

Threats to Internet Services

Operating the internet requires a number of technical services: routing, addressing, domain naming, and database management. Without these services the internet cannot function, and for the same reason they are primary targets for cybercriminals.


Cybercriminals use different techniques to capture data streams on a network, putting all sensitive data at risk: usernames, passwords and credit card information. These techniques include botnets, DDoS, hacking, malware, pharming, phishing, ransomware, spam, DNS spoofing and man-in-the-middle attacks. Criminals also use them to monitor and record all information passing across a network. A short explanation of each technique follows.


Botnets


Botnets are largely undetected because a botnet is a collection of software robots, or 'bots', that creates a group of infected computers known as "zombies" which are remotely controlled by the originator of the bots. Your computer may be one of them without you knowing it.


Distributed denial-of-service (DDoS) 


A distributed denial-of-service (DDoS) attack is an attack in which a malicious user directs a network of zombie computers to sabotage a specific website or server. The attack occurs when the malicious user instructs all the zombie computers to connect to a particular server or website again and again. This increases the volume of traffic to that server or website, overloading it so that it becomes slow for legitimate users; sometimes the website or server shuts down completely. By taking advantage of security vulnerabilities and weaknesses, the attacker can take control of your computer and make it one of these zombies. The attacks are "distributed" because the attacker uses several computers to launch the denial-of-service attack.




Hacking


Hacking is an expression used to describe actions taken by someone to gain unauthorized access to a computer. It is the process by which cybercriminals gain access to any computer connected to the internet.


Pharming


Pharming is a type of online fraud. It is meant to send the user to a malicious and illegitimate website by redirecting a legitimate URL. Even if the address is entered correctly, the user can still be redirected to a fake website.


Phishing


Phishing is easy to execute and requires very little effort, so many cybercriminals use it. Criminals send fake emails and text messages and create websites that look authentic, then use these emails, messages and websites to steal personal and financial information from users. This is also known as spoofing.


Ransomware


Ransomware restricts access to the user's own computer and files. It is a type of malware that displays a message demanding payment to remove the restriction from the computer and files. An email carrying a malicious attachment and pop-up advertisements are the most common sources of ransomware infection.


Spam


Spam is another common method of sending information out and collecting it from unsuspecting people. Spam distributes unsolicited messages, advertising or pornography to addresses that are easily found on the Internet, such as on social sites, company websites and personal blogs.


DNS Spoofing


This technique is often used in conjunction with phishing in an attempt to steal information. The Domain Name Service (DNS) translates a domain name, such as www.networkustad.com, into its numerical IP address and vice versa. If a DNS server does not know the IP address of the requested domain, it asks another DNS server. Using DNS spoofing, the cybercriminal introduces fake data into a DNS resolver's cache. These attacks exploit a weakness in the software of the DNS system that causes DNS servers to forward traffic for a particular domain to the criminal's computer instead of to the valid owner of the domain.


Man-in-the-Middle Attack


Criminals also use rogue devices, for example unsecured Wi-Fi devices and access points. If a criminal installs an unsecured Wi-Fi access point near a public place, unsuspecting individuals may connect to it, and a packet sniffer copies their personal information.


Packet forgery, or packet injection, interferes with an established network communication by constructing packets that appear to be part of that communication. It allows a criminal to interrupt or capture real packets. With this technique, a criminal can hijack an authorized connection or deny an authorized person the use of certain network services. This is called a man-in-the-middle attack.


Monday, 17 September 2018

Common Threats to End Users

Innovators and visionaries are two types of experts in cybersecurity. These experts build the different cyber domains of the Internet. They have the ability to recognise the power of data and to harness it. They provide cybersecurity services and build specialised organizations for these services, which also protect people from cyber attacks. These professionals must identify threats and vulnerabilities, because these are the main concern of cybersecurity professionals. Two situations are critical:



  • When there is a possibility of a threat.

  • When a vulnerability puts a target at risk of an attack.


For example, data in the hands of an unauthorized person can result in a loss of privacy for the owner, damage the owner's credit and put the owner's career at risk. Google, Facebook, schools, hospitals, financial and government agencies and e-commerce companies face the greatest risks of identity theft. Large organizations like Google have the resources to hire top cybersecurity professionals to protect their servers and data. Many organizations build databases containing personal information about their clients and the public, and they need cybersecurity professionals, so demand for cybersecurity professionals has increased. Cyber threats are dangerous for certain industries and the records they must maintain.


Types of Personal Records


The following are some examples of personal records, drawn from only a few sources.


Medical Records


Thieves can sell personal health information on the Internet black market. They can use stolen medical credentials to obtain medical services and devices for themselves and others, or bill insurance companies for phantom services in your name.


The electronic health record (EHR) of a patient includes physical health, mental health and other personal information that may not be medically related. For example, a person may have gone to a check-up as a child because of major changes in the family. This will be somewhere in their medical history, so together with the medical history and personal information, the record may also include information about that person's family. A number of laws shield patient records.


Many medical devices use a cloud platform to enable wireless transfer, storage and display of clinical data such as heart rates, blood pressures and blood sugars. These devices can produce a huge amount of clinical data that can become part of a medical record.


Education Records


Education records include grades, test scores, attendance, courses taken, awards, degrees awarded and disciplinary reports. Along with the education record there may also be contact information, health and vaccination records, and special education records, including individualized education programs (IEPs).


Employment and Financial Records


Employment records also include personal information, salary and insurance information. Financial records are very attractive data for cybercriminals. They may include information about income, expenditures and credit card data. Tax records could include paycheck stubs, credit card statements, credit ratings and banking information. Cybercriminals can use stolen credit cards for purchases or sell them on the black market.


Authentication Details


Information about access to online systems is very valuable on the black market. People have a habit of using the same password for many online accounts, so if someone manages to get hold of your Facebook or email password, they will most likely be able to log in to any of your accounts.


Thursday, 13 September 2018

Thwarting Cyber Criminals

Thwarting cyber criminals is not an easy task, but companies, governments and organizations have started to take parallel action to limit and discourage them. The actions against cybercriminals include:



  • Creating early warning system sensors and alert systems. Such systems are very costly, so it is impossible to monitor every network. Organizations only monitor high-value targets, because these are the most likely to experience cyber attacks.

  • Creating complete databases of identified system vulnerabilities and attack signatures. Organizations distribute these databases around the globe to help prepare for and fend off many common attacks.

  • Establishing information security management standards for national and international organizations.

  • Sharing cyber intelligence information between organizations and nations. Government agencies and countries now work together to share critical information about serious attacks to prevent similar attacks elsewhere. Several countries have organized their cyber intelligence agencies to work together worldwide against major cyber attacks.

  • Making new laws to discourage cyber attacks and data breaches. These laws carry strict penalties to punish cyber criminals caught carrying out unlawful actions.


Each of these measures to thwart cybercriminals is explained briefly below.


Vulnerability Database


The Common Vulnerabilities and Exposures (CVE) national database was developed to provide a publicly available database of all known vulnerabilities. CVE is a list of entries, each containing an identification number, a description and at least one public reference for a publicly known cybersecurity vulnerability.


Early Warning System


Cyber early warning systems (CEWS) aim to alert about such attempts in their early stages. Designing and implementing such systems involves numerous research challenges. The Honeynet Project is an international security research organization which investigates the latest attacks, develops open source security tools to improve Internet security and studies how hackers behave. It is an example of an early warning system. The project provides a HoneyMap, which displays a real-time visualization of attacks.


Share Cyber Intelligence


Sharing cyber information and intelligence helps prevent hostile cyber attacks. InfraGard, a partnership between the FBI and the private sector, is an example of widespread sharing of cyber intelligence.


ISM Standards


The ISO/IEC 2700 standards are an example of information security management standards; they are also called the ISO 2700 standards. They help organizations keep information assets secure, such as financial information, intellectual property, employee details or information entrusted to them by third parties. The best-known standard in the family provides the requirements for an information security management system (ISMS).


New Laws


ISACA is an independent, nonprofit, global association that tracks laws related to cybersecurity. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only. These laws address individual privacy and the protection of intellectual property. They include the Cybersecurity Act, the Data Breach Notification Act, Federal Exchange, and the Data Accountability and Trust Act.

Wednesday, 12 September 2018

Cyber Criminals

In the early days, the typical cybercriminals were youngsters or hobbyists, and their attacks were generally limited to pranks and vandalism. At present, cybercriminals have become very dangerous. The attackers are individuals or groups who exploit vulnerabilities for their mission. These criminals are interested in everything from credit cards to product designs and anything else with some value. The types of cybercriminals are the following:



Amateurs


Amateurs are also called script kiddies. They have only some skills and want to be hackers. They lack serious technical expertise and usually use existing tools to launch attacks. Some are just curious; others try to show off their skills and cause damage. Using only basic tools, they are usually able to attack only very weakly secured systems, but the results can still be very destructive.


Hackers


The term hacker was first used in the early 1960s. It describes a programmer, or somebody who can hack computer code. Hackers usually work secretly and create tools for hacking. They often break into computers or networks to gain access for a variety of reasons. The goal of the break-in determines whether these hackers are categorized as white, gray or black hats. The figure below illustrates the types of hackers.



White Hat Hackers


These are ethical hackers who use their programming skills for good and legal purposes. They break into networks or computers with the permission of the owners to find weaknesses in these systems and improve their security. White hat hackers use their skills to discover network vulnerabilities and report them to developers and owners so that the issues can be fixed before the vulnerabilities can do damage.


Black Hat Hackers


Black hat attackers are individuals who take advantage of any vulnerability for illegal purposes. Black hat hackers are unethical hackers. They compromise networks without permission for their personal gain, and they also attack networks for malicious reasons.


Gray hat hackers


These hackers fall between white and black hat attackers. A gray hat attacker may find a vulnerability and report it to the owners of the system so the problem can be fixed, while some gray hat hackers publish the facts about the vulnerability on the Internet so that other attackers can exploit it.


Organized Hackers



These are organizations of cybercriminals, which include hacktivists, terrorists and state-sponsored hackers. They are generally groups of skilled criminals focused on control, power and wealth.


Hacktivists


Hacktivists work to make political statements and create awareness of different issues relating to their rights. Hacktivists publish embarrassing information about their victims publicly.


State-sponsored


State-sponsored attackers gather intelligence or cause damage on behalf of their government. These attackers are highly skilled and well trained. Their attacks focus on particular goals that are helpful to their government. They are usually members of their country's armed forces.


Sunday, 9 September 2018

VLANs Range and Creating VLANs

Different Cisco Catalyst switches support different numbers of VLANs. The number of supported VLANs is sufficient to accommodate the requirements of nearly all organizations. The Catalyst 2960 and 3560 Series switches support over 4,000 VLANs. Normal-range VLANs are numbered from 1 to 1,005 and extended-range VLANs are numbered from 1,006 to 4,094. The figure illustrates the normal range of VLANs on a Cisco switch. The normal range is used in small- and medium-sized business and enterprise networks.

(Figure: VLANs Range)

Normal VLANs Range 



  • The normal-range VLAN ID is between 1 and 1005.

  • IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.

  • IDs 1, 1002, 1003, 1004 and 1005 are created automatically and cannot be removed.

  • VLAN configurations are stored in a VLAN database file called vlan.dat, which is saved in the flash memory of the switch.

  • VTP (VLAN Trunking Protocol) helps manage VLAN configurations between switches. VTP can only learn and store normal-range VLANs.


Extended VLANs Range



  • The extended VLAN range enables service providers to extend their infrastructure to a greater number of customers.

  • The VLAN ID is between 1006 and 4094.

  • The extended-range configuration is stored by default in the running configuration file instead of the vlan.dat file.

  • Extended-range VLANs support fewer VLAN features than normal-range VLANs.

  • VTP does not work with extended-range VLANs.


Creating VLANs


For normal-range VLANs, the configuration is stored in the vlan.dat file in the flash memory of the switch, so saving it does not require the copy running-config startup-config or write command. But because other details are usually configured on a Cisco switch at the same time VLANs are created, it is best to save running configuration changes to the startup configuration. The figure below illustrates the Cisco IOS command syntax used to add a VLAN to a Cisco switch and give it a name. Naming each VLAN is considered a best practice in switch configuration.



(Figure: VLANs Range)

The figure below illustrates a topology where VLAN 10 and VLAN 20 are configured on Switch1. The show vlan brief command, entered in user EXEC mode, displays the contents of the vlan.dat file.

(Figure: VLANs Range)

A series of VLAN IDs can be entered separated by commas, and a range of VLAN IDs separated by a hyphen, using the vlan vlan-id command. For example, use the following commands to create VLANs 10, 20, 30 and 40 and VLANs 50 to 60.

switch1(config)# vlan 10, 20, 30, 40

switch1(config)# vlan 50-60
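As an added example (not code from the original post), the following Python expands an IOS-style VLAN list such as the ones above, checks every ID against the normal, reserved and extended ranges described in this post, and emits the matching configuration lines; the VLAN names passed in are constructed for illustration.

```python
RESERVED_IDS = {1, 1002, 1003, 1004, 1005}  # created automatically, cannot be removed
NORMAL_RANGE = range(1, 1006)               # 1..1005, saved in flash:vlan.dat
EXTENDED_RANGE = range(1006, 4095)          # 1006..4094, kept in running-config


def expand_vlan_list(spec):
    """Expand an IOS-style list such as "10, 20, 30-32" into [10, 20, 30, 31, 32]."""
    ids = []
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {part!r}")
            ids.extend(range(lo, hi + 1))
        else:
            ids.append(int(part))
    return ids


def classify_vlan(vid):
    """Return which range a VLAN ID falls into, using the ranges in the post."""
    if vid in RESERVED_IDS:
        return "reserved"   # 1 and 1002-1005: present by default, not deletable
    if vid in NORMAL_RANGE:
        return "normal"     # stored in vlan.dat, learned and propagated by VTP
    if vid in EXTENDED_RANGE:
        return "extended"   # stored in running-config, not handled by VTP
    return "invalid"        # 0 and anything above 4094 cannot be configured


def build_vlan_config(spec, names=None):
    """Produce the IOS lines that create the requested VLANs (names optional).

    Extended-range VLANs live only in the running configuration, so the
    output ends with 'copy running-config startup-config' when any is present.
    """
    names = names or {}
    lines = ["configure terminal"]
    needs_save = False
    for vid in expand_vlan_list(spec):
        kind = classify_vlan(vid)
        if kind == "invalid":
            raise ValueError(f"VLAN {vid} is outside 1-4094")
        if kind == "reserved":
            continue  # already exists on every switch; nothing to create
        needs_save = needs_save or kind == "extended"
        lines.append(f"vlan {vid}")
        if vid in names:
            lines.append(f" name {names[vid]}")
    lines.append("end")
    if needs_save:
        lines.append("copy running-config startup-config")
    return lines
```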

Tagging Ethernet Frames for VLAN Identification

Layer 2 devices use Ethernet frame header information to forward frames without routing tables. Normally an Ethernet frame header does not contain any information about the VLAN, so when an Ethernet frame is sent over a trunk, information about its VLAN must be added. This process is called tagging. The standard for VLAN tagging is IEEE 802.1Q. The 802.1Q header is a 32-bit tag inserted inside the original Ethernet frame header, specifying the VLAN to which the frame belongs. When the switch receives an Ethernet frame on a port in access mode that is assigned to a VLAN, the switch inserts a VLAN tag into the frame header, recalculates the FCS and sends the tagged frame out the trunk port. The figure below illustrates the fields of the VLAN tag:





  • Type – a 16-bit field, also called the tag protocol ID (TPID) value. For Ethernet it is set to hexadecimal 0x8100.

  • User priority – a 3-bit value used for service priority.

  • Canonical Format Identifier (CFI) – a 1-bit identifier that enables Token Ring frames to be carried across Ethernet links.

  • VLAN ID (VID) – a 12-bit VLAN identification number that supports up to 4096 VLAN IDs.


Native VLANs and 802.1Q Tagging


Tagged Frames on the Native VLAN


Some devices that support trunking insert a VLAN tag into native VLAN traffic. If a port configured as an 802.1Q trunk receives a tagged frame whose VID is the same as the native VLAN, it drops the frame. So when configuring a switch port on a Cisco switch, configure the attached devices so that they send untagged frames on the native VLAN. Devices from other vendors, such as routers, non-Cisco switches and servers, may support tagged frames on the native VLAN.

Untagged Frames on the Native VLAN


When a trunk port receives untagged frames, it forwards them to the native VLAN. If there are no devices associated with the native VLAN and no other trunk ports, the switch drops the frame. When an 802.1Q trunk port is configured, a default Port VLAN ID (PVID) is assigned the value of the native VLAN ID. All untagged traffic coming in or out of the 802.1Q port is forwarded based on the PVID. For example, if VLAN 10 is configured as the native VLAN, the PVID is 10 and every untagged frame is forwarded to VLAN 10. If no native VLAN has been configured, the PVID value is 1, because the default native VLAN is 1.
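The tag layout from the field list above and the native-VLAN rules from the last two sections, as an added example that is not part of the original post: the code builds and parses the 4-byte 802.1Q tag and then decides what a Cisco trunk port does with a tagged or untagged frame. The sample frame, its MAC addresses and the VLAN numbers are constructed; no FCS is modelled.

```python
import struct

TPID = 0x8100  # 802.1Q tag protocol ID (the "Type" field in the post)


def insert_vlan_tag(frame, vid, priority=0, cfi=0):
    """Insert the 4-byte 802.1Q tag after the 12-byte destination/source MACs.

    Tag layout: 16-bit TPID, then a 16-bit TCI made of 3-bit priority,
    1-bit CFI and 12-bit VID. A real switch also recomputes the FCS; this
    model carries no FCS, so that step is omitted.
    """
    if not (0 <= vid <= 4095 and 0 <= priority <= 7 and cfi in (0, 1)):
        raise ValueError("tag field out of range")
    tci = (priority << 13) | (cfi << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def parse_vlan_tag(frame):
    """Return (priority, cfi, vid, untagged_frame), or None if no tag present."""
    if len(frame) < 16:
        raise ValueError("frame too short to carry a tag")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID:
        return None
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF, frame[:12] + frame[16:]


def classify_trunk_ingress(frame, native_vid):
    """Apply the native-VLAN rules to a frame received on an 802.1Q trunk.

    Untagged frames are forwarded in the PVID (the native VLAN). A tagged
    frame whose VID equals the native VLAN is dropped, which is the Cisco
    behaviour the post describes. Any other tag selects its own VLAN.
    """
    tag = parse_vlan_tag(frame)
    if tag is None:
        return native_vid, "forward-untagged-to-pvid"
    vid = tag[2]
    if vid == native_vid:
        return None, "drop-tagged-native"
    return vid, "forward-tagged"


def sample_frame():
    """Constructed untagged IPv4 frame: dst MAC, src MAC, EtherType 0x0800, payload."""
    dst = bytes.fromhex("0a1b2c3d4e5f")
    src = bytes.fromhex("5f4e3d2c1b0a")
    return dst + src + b"\x08\x00" + b"\x45" * 20
```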

Voice VLAN Tagging


To support Voice over IP, a separate voice VLAN is required. A port that connects to a Cisco IP phone can be configured to use two separate VLANs, one for voice and another for data traffic. The link between the IP phone and the switch works like a trunk to carry both voice and data VLAN traffic. The Cisco IP Phone has a three-port 10/100 switch. These ports give dedicated connections to these devices:


  1. Port 1 – connects the IP phone to the switch or other VoIP device.

  2. Port 2 – an internal 10/100 interface that carries the IP phone traffic.

  3. Port 3 – an access port that connects to a PC or other device.


On the switch, the switch port is configured to send CDP packets that instruct the attached IP phone to send voice traffic to the switch in one of the following ways, depending on the type of traffic:

  1. In a voice VLAN, tagged with a Layer 2 class of service priority value.

  2. In an access VLAN, tagged with a Layer 2 class of service priority value.

  3. In an access VLAN, untagged and without a Layer 2 class of service priority value.

Saturday, 8 September 2018

Controlling Broadcast Domains with VLANs

Network without VLANs


In the default configuration, when a switch receives a broadcast frame on an ingress port, it forwards the frame out all ports except the port on which the broadcast was received. Because the whole network is configured in the same subnet and no VLANs are configured, all ports are in the same broadcast domain. As shown in the figure, when host 1 sends a broadcast frame, switch S2 receives it and sends it out all of its ports except the ingress port. Ultimately the whole network receives the broadcast, because the network is one broadcast domain.

(Figure: broadcast domain)

Network with VLANs


Figure 2 illustrates the segmented network with VLANs; the network has been segmented using two VLANs, VLAN 10 and VLAN 20. The IT department is assigned VLAN 10 and the admin department is assigned VLAN 20. When an IT department computer (Host-1, Host-2 or Host-5) sends a broadcast to switch S2, the switch forwards that broadcast frame only to the switch ports configured for VLAN 10 and to the trunk port. Likewise, when a computer from the admin department sends a broadcast frame, the switch forwards it only to the ports configured for VLAN 20 and the trunk port.


The ports that connect switches S1 and S2 are trunks and have been configured to support all the VLANs in the network. When S1 or S2 receives the broadcast frame on a port in VLAN 10, the switch forwards it out only the other ports configured to support VLAN 10, which includes the trunk port. When VLANs are configured on a switch, the transmission of unicast, multicast and broadcast traffic from a host in a particular VLAN is limited to the devices in that VLAN. VLANs create multiple broadcast domains in the switch, so broadcasts can be controlled by creating multiple broadcast domains.
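The flooding behaviour described in the two sections above, as an added example that is not part of the original post: a small model of two switches joined by a trunk, where a broadcast is sent out every access port in the same VLAN plus the trunk, and the same topology is run once without VLANs (every port in VLAN 1) and once with VLAN 10 and VLAN 20. Switch names, port names and host placement are constructed.

```python
class Switch:
    """A switch with access ports (one VLAN each) and trunk ports (all VLANs)."""

    def __init__(self, name):
        self.name = name
        self.access = {}     # port -> VLAN id
        self.trunks = set()  # ports that carry every VLAN, tagged

    def add_access_port(self, port, vlan):
        self.access[port] = vlan

    def add_trunk_port(self, port):
        self.trunks.add(port)

    def flood(self, ingress, vlan=None):
        """Return (egress ports, vlan) for a broadcast received on `ingress`.

        The frame goes out every access port in the same VLAN and every trunk
        port, except the port it arrived on. A frame arriving on a trunk
        carries its VLAN in the 802.1Q tag, so the caller passes it in.
        """
        if ingress in self.access:
            vlan = self.access[ingress]
        elif ingress in self.trunks:
            if vlan is None:
                raise ValueError("frame from a trunk must carry its VLAN")
        else:
            raise KeyError(f"{self.name} has no port {ingress}")
        egress = [p for p, v in self.access.items() if v == vlan and p != ingress]
        egress += [p for p in self.trunks if p != ingress]
        return sorted(egress), vlan


def propagate(switches, trunk_links, start, ingress):
    """Follow a broadcast across trunk links; return the (switch, access port)
    pairs through which it reaches a host."""
    reached, seen = set(), set()
    pending = [(start, ingress, None)]
    while pending:
        name, port, vlan = pending.pop()
        if (name, port) in seen:
            continue
        seen.add((name, port))
        egress, vlan = switches[name].flood(port, vlan)
        for p in egress:
            if p in switches[name].trunks:
                far = trunk_links.get((name, p))
                if far:
                    pending.append((far[0], far[1], vlan))
            else:
                reached.add((name, p))
    return reached


def build_topology(with_vlans):
    """Constructed two-switch topology: IT hosts in VLAN 10, admin in VLAN 20.
    With with_vlans=False every port sits in the default VLAN 1 instead."""
    it, admin = (10, 20) if with_vlans else (1, 1)
    s1, s2 = Switch("S1"), Switch("S2")
    s2.add_access_port("Fa0/1", it)      # Host-1
    s2.add_access_port("Fa0/2", it)      # Host-2
    s2.add_access_port("Fa0/3", admin)   # Host-3
    s1.add_access_port("Fa0/1", admin)   # Host-4
    s1.add_access_port("Fa0/2", it)      # Host-5
    s1.add_trunk_port("Gi0/1")
    s2.add_trunk_port("Gi0/1")
    links = {("S1", "Gi0/1"): ("S2", "Gi0/1"), ("S2", "Gi0/1"): ("S1", "Gi0/1")}
    return {"S1": s1, "S2": s2}, links
```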

(Figure: broadcast domain)


Types of VLANs

There are different types of VLANs used in networking. Some VLANs are defined by classes of traffic and others by the specific function they serve. Each switch has a default VLAN.


Default VLAN


VLAN 1 is the default VLAN on Cisco switches. After the initial boot-up process, the switch loads the default configuration and all switch ports become part of the default VLAN (VLAN 1). Switch ports that are part of the default VLAN are in the same broadcast domain. The figure below illustrates the default VLAN of a Cisco switch; the show vlan brief command was executed on a switch running the default configuration. You can see that all ports are assigned to VLAN 1 by default. There is no difference between the features and functions of VLAN 1 and other VLANs, except that it cannot be renamed or deleted. By default, all Layer 2 control traffic is associated with VLAN 1.


(Figure: default VLAN)


Data VLAN


A data VLAN is also referred to as a user VLAN. It is used to separate the network into different groups of users or devices and to forward user-generated traffic. It also separates voice and management traffic from data traffic.


Native VLAN


A native VLAN is assigned to an 802.1Q trunk port. It was created for backward compatibility with old devices that do not support VLANs, such as a hub. Frames belonging to the native VLAN are not tagged when sent out on trunk links, so older devices can understand them. Frames received untagged on trunk links are placed in the native VLAN. A trunk is a link between switches that carries traffic for more than one VLAN. An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic). Tagged traffic has a 4-byte tag inserted into the original Ethernet frame header, specifying the VLAN to which the frame belongs. The 802.1Q trunk port places untagged traffic on the native VLAN, which by default is VLAN 1.


Management VLAN


A separate VLAN for management tasks such as monitoring, system logging, SNMP and other sensitive management jobs is a best practice in networking. It also ensures that bandwidth for management is available even when user traffic is high. VLAN 1 is the management VLAN by default. To create the management VLAN, the switch virtual interface (SVI) of that VLAN is assigned an IP address and subnet mask, which allows the switch to be managed remotely via HTTP, Telnet, SSH or SNMP. Because the out-of-the-box configuration of a Cisco switch has VLAN 1 as the default VLAN, VLAN 1 would be a bad choice for the management VLAN.


Voice VLAN


If your organization uses voice over IP (VoIP), a separate VLAN is needed. This saves bandwidth for other applications and ensures VoIP quality. Voice over Internet Protocol (VoIP) traffic requires assured bandwidth to ensure quality, transmission priority, the ability to be routed around congested areas of the network and a delay of less than 150 ms across the network. To meet these requirements, the entire network has to be designed to support VoIP.