7 Layers of Cybersecurity Threats in the ISO-OSI Model
When you think of networks as being structured in the seven layers of the ISO-OSI model, it makes sense that cybersecurity threats can happen at any layer. We can think of these layers as the “links” in our metaphorical chain. Moving outward from the user, data is entered into the network through software running on the Application layer. Through the Session, Transport, Network, and Data-Link layers and arriving at the other end, the Physical layer, the data travels back up the seven layers to arrive at its intended destination. Each layer has its own protocols and other communication standards that govern its efficient operation. So, you may be asking, where is the Security layer? Where does security fit in? The answer is “Yes.”
Imagine a building with seven doors providing entry. If all seven doors are locked, the building can be considered secure. If one is left unlocked, the entire building is insecure. It really is just that simple. Unless every layer of the network is secured, penetration can occur. Data can be compromised. And compromised data creates an existential danger. According to Inc. Magazine, 60% of businesses whose data is significantly compromised go out of business and don’t return.
Many providers of data and network security products emphasize the importance of “multi-layer” security, but here is the reality; if security is not efficiently and effectively embedded into every layer of the ISO-OSI model, every step along the path data takes from origin to destination, it is vulnerable and ineffective. Only as secure as its weakest link.
Where do Cybersecurity threats happen?
Cybersecurity threats exist at all OSI-ISO model layers beginning at Layer 7 – the Application Layer because that’s the place where users begin by interfacing to the network. For the purposes of creating the most comprehensive cybersecurity plan we must actually start BEFORE the Application Layer and address perhaps the biggest vulnerability in the entire network – the user. Users are human and far more subject to making costly errors than are computers and other digital devices which will perform the same function the same way every time.
The best example is found in one of the top malware attacks or threats in the cyber landscape – ransomware. Fraudsters send out a “phishing” email that looks very authentic, very much as if it actually comes from where it says it does. But somewhere in that email is a link for the user to click or an attachment for the user to open. The text provides powerful inducements to get the user to do so. Once they do their data is either encrypted, corrupted, or stolen. The only way to get it back is to pay a ransom, thus ransomware.
The attackers know the user is their best place to gain access.
Threats at each layer of the ISO-OSI model include:
Security software developer F5 tells us, “Examples of application layer attacks include distributed denial-of-service attacks (DDoS) attacks, HTTP floods, SQL injections, cross-site scripting, parameter tampering, and Slowloris attacks. To combat these and more, most organizations have an arsenal of application layer security protections, such as web application firewalls (WAFs), secure web gateway services, and others.” The team at SecurityIntelligence points out that, “The application layer is the hardest to defend. The vulnerabilities encountered here often rely on complex user input scenarios that are hard to define with an intrusion detection signature. This layer is also the most accessible and the most exposed to the outside world. For the application to function, it must be accessible over Port 80 (HTTP) or Port 443 (HTTPS).” Other possible exploits at the Application Layer include viruses, worms, phishing, key loggers, backdoors, program logic flaws, bugs, and trojan horses.
Your cybersecurity plan must include Application Monitoring which is the practice of monitoring software applications using a dedicated set of algorithms, technologies, and approaches to detect zero day and application layer (Layer 7 attacks). Once identified these attacks can be stopped and traced back to a specific source.
PRESENTATION LAYER THREATS
The most prevalent threats at this layer are malformed SSL requests. Knowing that inspecting SSL encryption packets is resource intensive, attackers use SSL to tunnel HTTP attacks to target the server.
Include in your mitigation plans options like offloading the SSL from the origin infrastructure and inspecting the application traffic for signs of attacks traffic or violations of policy at an applications delivery platform (ADP). A good ADP will also ensure that your traffic is then re-encrypted and forwarded back to the origin infrastructure.
SESSION LAYER THREAT
DDoS-attackers exploit a flaw in a Telnet server running on the switch, rendering Telnet services unavailable.
In the regular maintenance portion of your plan be sure to remind operators to check with your hardware provider to determine if there's a version update or patch to mitigate the vulnerability.
TRANSPORT LAYER THREATS
According to Network World, “Many businesses use Transport Layer Security (TLS) to secure all communications between their Web servers and browsers regardless of whether sensitive data is being transmitted. TLS is a cryptographic protocol that provides end-to-end communications security over networks and is widely used for internet communications and online transactions. It is an IETF standard intended to prevent eavesdropping, tampering and message forgery. Common applications that employ TLS include Web browsers, instant messaging, e-mail and voice over IP.”
NETWORK LAYER THREATS
Routers make decisions based on layer 3 information, so the most common network layer threats are generally router-related, including information gathering, sniffing, spoofing, and distributed denial of service (DDoS) attacks in which multiple hosts are enlisted to bombard a target router with requests to the point where it gets overloaded and cannot accept genuine requests.
The most effective protection is achieved by consistently observing best practices for router, firewall and switch configurations. At the router itself it is important to constantly assure that the router operating system is up to date on all security patches, packet filtering is kept enabled and any unused ports are blocked, unused services, and interfaces are disabled. Keep logging enabled and conduct regular auditing of any unusual activity that may occur.
It’s also advisable to place firewalls between your network and all untrusted networks. Always keep that firewall up to date with all issued security patches, enable packet filtering, and keep logging enabled so you can audit any anomalies.
Any switches on your network must also be kept updated with all security patches, with any unused interfaces or services disabled. Make certain that all switch traffic is encrypted.
DATA-LINK LAYER THREATS
Cisco explains that, “The data link layer provides reliable transit of data across a physical link. The data link layer is concerned with physical, as opposed to logical addressing, network topology, network access, error notification, ordered delivery of frames, and flow control. Frame-level exploits and vulnerabilities include sniffing, spoofing, broadcast storms, and insecure or absent virtual LANs (VLANs, or lack of VLANs). Network interface cards (NICs) that are misconfigured or malfunctioning can cause serious problems on a network segment or the entire network.”
Most companies that have experienced Address Resolution Protocol (ARP) spoofing, Media Access Control (MAC) flooding or cloning, Port Stealing, Dynamic Host Configuration Protocol (DHCP) Attacks, layer 2-based broadcasting or Denial of Service Attacks have immediately focused on improving port security. They also configure their switches to limit the ports that can respond to DHCP requests, implement static ARP and install Intrusion Detection Systems (IDS).
PHYSICAL LAYER THREATS
Ask any cybersecurity professional to define where the network is and they’ll point at “the wires in the walls.” What they’re saying is that the copper and fiber-optic cables that connect everything together create the actual network that everything else uses. Most threats at this layer involve interruption of the electrical signals that travel between network nodes including the physical cutting of cables, natural disasters that bring flood waters which can cause short-circuits, or other human vandalism.
Many companies mitigate these failures by bringing in multiple circuits to the internet. It should be noted that this works well until a backhoe digs up a critical corner through which all carrier circuits run, thus disabling all of the multiple paths. The aftermath of many disasters illustrates the superior strategy being the placement of all network core elements such as servers and storage at multiple redundant cloud data centers. Should a major carrier cable be cut, only users will be affected, and they can switch to wireless access or other locations until repairs are completed.
Prevent Cybersecurity Threats Before they Become a Problem
Since users are our most unpredictable network component it is critical that your cybersecurity plan address best practices and operating requirements on your network, but the plan is equally important to the digital devices that help create the comprehensive defense we’ve been discussing. The purpose of a firewall, for example, is to enforce your security policies and rules. That’s not possible if you have no security policies and rules.
Consider bringing cybersecurity end user safety training to your organization. This 2 hour, life, instructor-led course teaches end users how to be safe and spot digital threats online. For cybersecurity professionals, you should consider cybersecurity training certifications from Certified Ethical Hacker (CEH) to Certified Chief Information Security Officer (CCISO).
In the case of cybersecurity, a failure to plan is a short-term strategy. Fitting security in at every layer is just one piece of a comprehensive cybersecurity plan. Attacks will happen, and they will disrupt and disable operations, which is ultimately an existential hazard. Schedule a free cybersecurity consultation with a New Horizons cybersecurity expert now to review your plan.