CISSP: Domain 4 - Communication and Network Security - Module 3


CISSP: Domain 4, Module 3

The course is part of this learning path

Prevent or mitigate network attacks

This course is the final module of Domain 4 of the CISSP, covering communication and network security.

Learning Objectives

The objectives of this course are to provide you with and understanding of:

  • How to prevent or mitigate network attacks
  • Intrusion detection and prevention systems (IDS/IPS)
  • Network scanning
  • Network attack techniques

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


Welcome back. This is a continuation of the Cloud Academy presentation of the CISSP Examination Preparation Review Seminar. We're gonna continue our discussion of Domain 4, Telecommunications Security. Now, on the slide outlining network attacks, we see a year-to-year comparison. And from year-to-year, the cyber criminals performing these attacks tend to vary their strategy based on several factors. These include better tools to hack with. The tools, of course, evolve as the platforms themselves evolve, and as the hackers themselves learn things, gain more experience, more confidence. There is, of course, the element of discovery of new vulnerabilities to exploit, and the fact that these get published by various organizations, starting with the vendor of the program itself.

There is the attenuating effect of the heightened preparedness among targets. Unfortunately, this particular attribute comes after the attacks have been performed and many times after they have succeeded, sometimes a great many times. Nonetheless, it does modify how the attackers are going to approach their targets in the future. And then amongst the hacking community members themselves, there are trends that indicate different approaches work better, and when that's discovered, the hackers tend to share these things with each other through their dark web presence.

Now, over the course of time, hacks of evolved as more systems get more sophisticated, as more systems come online and are exposed, more and more vulnerabilities get defined and published, and the attacks have evolved into a much more sophisticated level of penetration. And as they have evolved, so has security. But in this leap frog, the hackers and their attack methods tend to have the lead, if only temporarily. But the things that they control that we on the professional security side don't is their timing, their method, and their target. And we typically don't know those things until after they've made an attempt, sadly, sometimes, until after they've made an attempt that succeeded. So the race itself does continue between those of us who try to detect and stop these things and those who try to prosecute them and take advantage of what exists.

As a primary definition of our program, we practice defense in depth. Going back to ancient times, when a castle would be captured on the top of a hill, the army defending it and the army capturing it would each put up layers, rings of defensive measure to try to prevent anyone else from doing what they did, taking possession of the castle. Following that same philosophy in both the physical world and the logical world, we put in things in layers. That way we have, as you see in the picture, network, platform application, data, and then our response. Multiple layers of controls that are both proactive and reactive in their character, so that no one thing becomes the basis of our defense. It's a hard lesson that has been learned many, many times over the centuries that if you build on the basis of a fortress with one solid wall at the outer most edge of your property, when that wall gets breached, whoever is attacking you typically will have the run of the place after having gotten inside it. And learning that lesson, we use defense in depth as a multilayered approach to try to prevent that from happening.

So, here we have our CIA triad. Now, in the context of network attacks, what we're looking at is the countermeasures that we can put in place that will protect the confidentiality, integrity, and availability of the data that flows through the network; the lifeblood, you could say, of the enterprise. In the case of confidentiality, we always intend to protect the information from unauthorized or uncontrolled release, especially to an unauthorized party. In the case of integrity, we always want to make sure that the information is trustworthy. So, by preventing unauthorized or unwanted contamination or corruption, we're able to maintain and improve that level of trustworthiness. So the basic trust of this is only authorized actions by authorized users only. And then of course availability, the characteristic that is at the very heart of our network. And our program wants to prevent any disruption or loss of service and the associated productivity. We want to be sure that the data protected for its integrity and its confidentiality now is available to authorized users when and where they need it, but to authorized users only.

So, as we move into talking about the attacks, we're going to start with one that dates back many years. Here you see war dialing. Using an automated dialing system, originally called war dialer, the attacker dials an entire range of phone numbers in a particular area to identify any sort of system that has a modem that will respond. Now, this means, at any particular area, there may be as many as 10,000 numbers that the dialer could go through looking for that response. Some will be fax machines, but some may be computers that respond. And if the host to which the modem is attached that does respond has a weak or no password, the attacker could easily gain access to that network. Now, an example of this appeared in a very popular movie form 1983, War Games, where the character played by Matthew Broderick was dialing around, just looking for who he was going to connect to. He wanted a game site, and he certainly found one. He connected to the Whopper, and therein lies the plot of the movie.

Now, as an example of an early attack, a war dialer was both an intelligence-gathering tool, as well as a possible actual penetration tool. Gathering phone numbers that had a response to it, be it a fax or another computer, it would log those numbers, so that the attacker could exploit them later or explore them further. But as a war dialer, the idea of brute force type of an attacking method got crystallized in a very real way. At the time, this was very productive. And whether or not it was a fax machine or an actual computer at the other end, it found a lot of fodder that made it possible to further explore and find out just exactly how susceptible that particular subject population might well be. But let's move on. Let's come to something a little bit more current, a little bit more normal for this era.

Now, in session hijacking and spoofing, we have two basic types that people will explore. The non-blind hijacking or spoofing is called that because the attack takes place when the attacker, as the name indicates, is on the same subnet as the target and can see the sequence and acknowledgment of packets. The thread of this type of spoofing is session hijacking. An attacker could bypass any authentication measures taking place to build the connection. This is accomplished by corrupting the data stream in an established connection, and then breaking it off, and then re-establishing it based on the correct sequence and the acknowledgment numbers of the attacking machine.

Now, the second method, that is related but is crippled in a certain way, is blind hijacking or spoofing. And it's called this because the attacker cannot see the responses. Though the attacker can send the data and commands, he is basically guessing at the responses between the client and server. In cases where source routing is disabled, the session hijacker can also use blind hacking where he injects his malicious data into an intercepted communication in the TCP session. In such cases, as blind hijacking and spoofing, several packets are going to be sent to a target machine to sample the sequence numbers, and to eventually detect the correct sequence by the effects produced.

Now, many of the attack types taking place and taking advantage of the network are of the man-in-the-middle variety. This generally refers to any style of an attack involving endpoints and a potential for a man in the middle to insert themselves invisibly or a very low profile in between. These attacks normally focus on traffic interception or injection, but can include pre-attack reconnaissance or intelligence gathering. The attacker can thus, in this position, sniff or control the data flow between the two parties, and picking and choosing which actions they want to take, such as inserting forged packets, siphoning out data that they want for intelligence gathering, or siphoning out credentials as they might pass in the clear down a particular network pathway that they're sniffing.

We have tunneling past firewalls and other restrictions. Now, one of the things that we need to be very cautious of is inbound file transfers, because these can result in circumvention of policies if the filtering is not performed, as might be the case with an encrypted file that is transferred and passes unmolested through a firewall. Tunneling through or around firewalls should be prevented, since the encryption of the tunnel blocks filtering, and tunneling around them means that the firewall would not be able to do any work on that particular connection at all. One thing that is commonly ignored is split tunneling, but this should likewise be denied by policy. Antivirus scanning on the client should always be up to date and running in real time mode.

We should also have control over HTTP tunneling, so that we can always ensure that the most current encryption keys and functionality are present and being used properly by the employee, and that we enforce regular updates. There is a technology, that isn't particularly new but takes on a different form in current product offerings, called the screen scraper. Now, a program that performs this can extract data from an output on a display that is otherwise intended for human viewing. Used in a legitimate fashion, when older technologies were unavailable to interface with modern ones, it extracts information, either through snipping or through actual interpretation of pixel patterns. This is normally performed using a locally installed program. As such, it cannot be prevented through network controls, except when denying access to a display of sensitive information. But when we have tools like Send to OneNote, or Snip, as screen scraper functions, not to mention all of the commercially available programs that do this, this gets to be something that gets to be very difficult to control or prevent, except by policy.

We have, of course, our perennial hatred of spam. This is by far the most common way of suppressing protective measures. And by sending spam, the distributors of spam get to be very creative, constantly reconfiguring, constantly spoofing addresses so that the spam that they send out will pass through email filtering. Filtering this based on simple keywords is, of course, a first step, and it should be taken, but we need more sophisticated filters, which can be based on statistical analysis or email traffic patterns. Any time spam arrives in someone's inbox, it should immediately be blacklisted so that that particular spam will not be suffered again. But as always, people who have spam in their email should never click on embedded links, or open any attachments that come with it. That's just asking for trouble.

Now, we have things to do a lot of port scanning, such as Nmap. This is the act of probing for TCP services on a machine. You establish a connection with the machine that you wish to scan, and this is used for fingerprinting an operating system by evaluating its response techniques. Now, protection from port scanning will include restriction of network connections. If a connection isn't established, then other manners of finding out what the machine has, what it offers, what it talks to the world through, are going to have to be tried.

One form of network scanning is to scan for packets with flags set in certain ways. For example, the FIN, NULL, and Xmas scanning are very popular ways. The FIN scanning can bypass firewalls without any modification. Closed ports will reply to a FIN with the appropriate reset packet, whereas open ports ignore the packet on hand. This is due to the nature of TCP, and in some ways, an inescapable downfall. To fix this and keep it from doing this sort of thing, for example, may cause TCP not to function properly or in a trustworthy manner.

NULL scanning is a series of TCP packets that contain a sequence number of zero and no set flags. Now, in normal TCP/IP types of networks, this is very, very rare. Because the NULL scan does not contain any set flags, it can sometimes penetrate firewalls and edge routers that filter incoming packets with particular flag settings. The Xmas packet, and it derives its name from the fact that some, several, or all of the flags are set, is used as a method of TCP/IP stack fingerprinting, exposing the underlying nature of a TCP/IP stack by sending packets with these flags set, and then waiting and analyzing what responses are returned. Another form of a denial of service attack, it can possibly do that because so much more processing is necessary due to all of these settings.

There is, of course, the attack based on TCP sequence number guessing, and as you see in the graphic, we start with Host A connecting to Host B, sending a SYN with the sequence number of 1000. The SYN is returned from Host B, number 2000, corresponding to the original 1000, and accompanying it is its own ACK, 1001, to acknowledge the original SYN sent from Host A. Host A responds with a 2001 ACK which corresponds to the SYN sent to it from Host B. The ACK data is then shared between the two. Then we have the ACK at 2300 and a FIN signaling the closing of this session at 1500. The corresponding ACK from B back to A 1501, then the ACK with 1501 followed by a FIN at 2400, followed by an ACK at 2401 from Host A back to Host B, closing the session. And this number it is that the hackers try to guess by capturing packets so that they can falsely insert packets' forged sequence numbers.

Now, in the penetration attack process, there are phases that a hacker will go through. Now, a couple of thoughts occur about this particular process. It makes it obvious that a hacker must plan what they're going to do, and this, it is a process that we are going to follow when we do penetration testing as part of our assigned duties for our employers. But in this organized approach, we were able to first discover our targets, gather information about them, map the various forms of vulnerabilities and other weaknesses that we can exploit so that we can choose tools and methods, and then we can process the exploitation.

So in step one, called acquisition, we're doing discovery. We may be looking for a specific host or just any host on a particular network that we're testing for. This is, of course, our acquisition and reconnaissance activity. In step two, we're going to do analysis. This is called enumeration. In it, we're looking for the details and features that we'll then take and research to inform our process as we develop our attack approach. In step three, we take the information we gathered in step two, and we go through vulnerability mapping. And in this process step, we're going to validate the feasibility of the chosen methods and tools, so that we can isolate those that we wish to use that will have a greater opportunity for excess, that is, a greater chance for success, and eliminate those that have a reduced chance of success.

Once we've settled on our attack tools and methods, we then figure out our timing, our approach, and how we're going to do it through the actual exploitation where we're going to do our actual penetration and target acquisition. Now, as hackers are doing this, once they have succeeded, the very first step that they want to execute after arriving inside their target system is to disappear; fade into the woodwork, as it were. Because the very next thing that will happen is, if they reveal their presence, will be one of us will try to catch them and force them out and block them from returning. So, having found their way safely inside, they want to disappear so that they can then wreak the havoc that they wish to, or acquire the information that they wish to.

Now, as hackers make their attempts to penetrate our systems, one of the methods that we use to detect their attempts, or attempts at just preventing any sort of unwanted behavior or traffic, we employ the intrusion detection and prevention systems. These fall into two broad classifications. We have host-based, which is capable of monitoring all or parts of the dynamic behavior and the state of a computer system based on how it is configured. It might, for example, detect which program accesses what resources, and discover that, for example, a word processor has suddenly and inexplicably started modifying the system password database. Similarly, a HIDS, or host intrusion detection system, might look at the state of the system checking various locations within to verify the current state and see whether or not that is in the state that is expected.

We have a complimentary and oftentimes a second part of the very same system in the network-based IDS or IPS. Now, a network-based system is going to monitor traffic flows into and out of defined network areas. What it's looking for is to establish a pattern of the traffic that it reads and compare that to either storage signatures in its database or look for a pattern that doesn't fit any kind of a pattern that it has stored. And this is not looking for a signature, this is looking for behavior. So in the two forms, it's looking for either a match to a stored signature or it's looking for a pattern that reflects a certain kind of behavior that is unwanted or unknown, and eventually, it will either be branded as acceptable and whitelisted or unacceptable and branded as blacklisted. As the machine learns, it will eventually figure out how to distinguish between true positives and false positives, and eventually build up its catalog of unwanted things, so that false positives alerts will be reduced. And in both cases, the analyst needs to work extensively with this for a period of time, so that it can tune its learning, and the analyst can make it a much more effective system, and the longer it operates, the better its responses will be.

About the Author
Learning Paths

Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. leo is an ISC2 Certified Instructor.

Covered Topics