Posted Tuesday, December 5th, 2017

Network risk analysis

As part of a ‘System & Network Security’ module at university, I both attacked and defended systems against common threats.

As part of a ‘System & Network Security’ module at University, I conducted several practical attacks within a virtual environment, and furthermore produced a risk analysis for a given scenario.

I gained experience with:

  • Threat Modelling / Risk Analysis
  • Cryptography (Symmetric / Public Key Exchange, Hashing, Signatures & Nonces)
  • Identification, Authentication, Authorisation Methodologies (Continuous & Multi-Factor)
  • Malicious Code Execution
  • Firewall Rules (IP Tables)
  • Web Security Protocols (CAs, SSL/TLS, IPSec)
  • Privacy (GDPR, K-Anonymity)

In practical sessions, using Kali Linux for learning purposes, I exploited malicious code execution attacks such as ‘buffer overflow’ (against TLS versions), XSS (cross-site scripting) and SQL injection. Additionally, I explored the decryption of programs, DNS spoofing and phishing scams.

To assess the theoretical underpinnings of the module, using Microsoft’s FAIR model, I identified a potential STRIDE categorisation for a hypothetical vulnerability and attack.

An example of a risk analysis

In the practical sessions, the goal was always to uncover some information and disrupt an element of the CIA (confidentiality, integrity, availability) triad. From the perspective of somebody defending against attack, I was taught to change a user’s behaviour by altering the opportunity and motivation behind being security-conscious. As a result, I am now familiar with packet-filtering rules and role/attribute-based access-control strategies, which have enlightened aspects of previous projects that contained such elements.

Some aspects were covered theoretically, which helped provide greater context to the current state of security in industry. During analysis of threats, the event frequency was considered, along with the threat’s capability and the loss magnitude. A control strategy of avoidance and mitigation was suggested. These were placed into a lifespan that always considered the real-world implications of an attack, which ranged from mundane ‘shoulder-surfing’ to man-in-the-middle attacks against insecure/inappropriate policies.
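To make the frequency / capability / loss-magnitude analysis concrete, here is an added FAIR-style calculation that is not part of the original post or the module coursework. Every input figure is constructed, and it assumes threat capability is spread uniformly over a percentile range so that vulnerability can be computed as the share of threats exceeding the control’s resistance strength.

```python
"""FAIR-style risk calculation for a constructed scenario (added example)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Inputs a FAIR analysis considers; all figures here are constructed."""
    contact_frequency: float      # threat contacts per year
    probability_of_action: float  # fraction of contacts that become attempts
    tcap_low: float               # threat capability range, percentiles 0-100
    tcap_high: float
    resistance_strength: float    # percentile of threats the control resists
    loss_magnitude: float         # expected loss per successful event, GBP


def vulnerability(s: Scenario) -> float:
    """P(threat capability > resistance strength), assuming capability is
    uniformly spread over [tcap_low, tcap_high] (a simplifying assumption)."""
    if s.resistance_strength >= s.tcap_high:
        return 0.0
    span = s.tcap_high - s.tcap_low
    exceeding = s.tcap_high - max(s.resistance_strength, s.tcap_low)
    return exceeding / span


def loss_event_frequency(s: Scenario) -> float:
    """TEF = contacts x probability of action; LEF = TEF x vulnerability."""
    return s.contact_frequency * s.probability_of_action * vulnerability(s)


def annualised_loss(s: Scenario) -> float:
    """Expected loss per year = LEF x loss magnitude."""
    return loss_event_frequency(s) * s.loss_magnitude


# Baseline: an internet-exposed service contacted roughly 50 times a year.
BASELINE = Scenario(50, 0.2, 20, 90, 60, 15_000)
# Mitigation: harden the control so it resists a larger share of threats.
MITIGATED = Scenario(50, 0.2, 20, 90, 85, 15_000)
# Avoidance: take the service off the internet, cutting contact frequency.
AVOIDED = Scenario(5, 0.2, 20, 90, 60, 15_000)


def compare_controls() -> dict:
    """Annualised loss for each control strategy, rounded to whole pounds."""
    return {name: round(annualised_loss(s))
            for name, s in (("baseline", BASELINE),
                            ("mitigation", MITIGATED),
                            ("avoidance", AVOIDED))}


if __name__ == "__main__":
    for name, loss in compare_controls().items():
        print(f"{name:<11} expected annual loss: £{loss:,}")
```

Swapping the constructed figures for estimates from a real scenario shows which lever (reducing exposure or strengthening the control) buys the larger drop in expected loss.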

These activities were congruent with the module’s content. By exploring topics such as the need for security, cryptography, and privacy along with their human elements, I was introduced to the need for security in many components of a computer system, along with an understanding of their practical implementation.

In future, I am confident that I can be critical of the security of my own systems, in addition to designing something that is secured appropriately.