5.1 Key Security Concepts
Key Takeaways
- The CIA triad (Confidentiality, Integrity, Availability) is the foundation of information security.
- A vulnerability is a weakness; a threat is a potential danger; an exploit is an attack that takes advantage of a vulnerability.
- Common attack types include phishing, DDoS, man-in-the-middle, malware, and social engineering.
- Defense-in-depth uses multiple layers of security controls rather than relying on a single measure.
- Zero-trust security assumes no user or device should be trusted by default, even inside the network.
Key Security Concepts
Network security is a critical domain on the CCNA exam. Understanding threats, vulnerabilities, and mitigation strategies is essential for any network professional.
The CIA Triad
The CIA triad is the foundation of information security:
| Principle | Definition | Example |
|---|---|---|
| Confidentiality | Only authorized users can access data | Encryption, access controls, VPNs |
| Integrity | Data has not been altered in transit or storage | Hashing (MD5, SHA), digital signatures |
| Availability | Systems and data are accessible when needed | Redundancy, backups, DDoS protection |
Threats, Vulnerabilities, and Exploits
| Term | Definition | Example |
|---|---|---|
| Vulnerability | A weakness in a system that can be exploited | Unpatched software, weak password |
| Threat | A potential danger that could exploit a vulnerability | Hackers, malware, insider threats |
| Exploit | An actual attack that takes advantage of a vulnerability | SQL injection against unpatched database |
| Risk | Likelihood that a threat exploits a vulnerability, multiplied by the impact if it does | Risk = Threat × Vulnerability × Impact |
Common Network Attack Types
Reconnaissance Attacks
Gathering information about the target before attacking:
- Port scanning (nmap) — discovering open ports and services
- Packet sniffing — capturing network traffic
- Social engineering — tricking humans into revealing information
- DNS queries — discovering network infrastructure
- Ping sweeps — finding live hosts
Access Attacks
Gaining unauthorized access to systems or data:
- Password attacks — brute force, dictionary attacks, credential stuffing
- Phishing — fraudulent emails that trick users into revealing credentials
- Man-in-the-Middle (MITM) — intercepting communication between two parties
- IP spoofing — forging the source IP address
- Session hijacking — taking over an authenticated session
- Buffer overflow — exploiting memory allocation vulnerabilities
Denial of Service (DoS/DDoS) Attacks
Making systems unavailable to legitimate users:
- DoS — single source floods a target with traffic
- DDoS — multiple compromised systems (botnet) flood a target
- SYN flood — sending many TCP SYN packets without completing the handshake
- ICMP flood (e.g., smurf attack) — flooding the target with ICMP echo (ping) traffic; a smurf attack amplifies this by sending spoofed pings to a broadcast address so every host replies to the victim
Malware Types
| Type | Behavior |
|---|---|
| Virus | Attaches to files, requires user action to spread |
| Worm | Self-replicating, spreads without user action |
| Trojan | Disguised as legitimate software, provides backdoor access |
| Ransomware | Encrypts data, demands payment for decryption |
| Spyware | Secretly monitors user activity |
| Rootkit | Hides deep in the OS, difficult to detect |
Layer 2 Attacks
| Attack | How It Works | Mitigation |
|---|---|---|
| MAC flooding | Overwhelms MAC table, switch floods all traffic | Port security |
| ARP spoofing | Sends fake ARP replies to redirect traffic | Dynamic ARP Inspection (DAI) |
| DHCP starvation | Exhausts DHCP pool with fake requests | DHCP snooping |
| DHCP spoofing | Rogue DHCP server gives clients attacker's IP as gateway | DHCP snooping |
| VLAN hopping | Attacker reaches other VLANs by double tagging (abusing the native VLAN) or by negotiating a trunk with the switch (switch spoofing) | Use an unused VLAN (not VLAN 1) as native, disable DTP |
| CDP exploitation | Gathering device info via CDP | Disable CDP on non-management ports |
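The mitigations in the table above, as an added Cisco IOS configuration example (not from the original page); interface names, VLAN numbers and which port is the uplink are assumed for illustration:

```cisco
! Access port: port security against MAC flooding; DTP and CDP off toward end hosts
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ip dhcp snooping limit rate 10
!
! DHCP snooping against starvation and rogue DHCP servers (only the uplink is trusted)
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! Dynamic ARP Inspection against ARP spoofing; ARP replies are checked against the snooping binding table
ip arp inspection vlan 10,20
!
! Trunk uplink: unused native VLAN and no DTP against VLAN hopping
! (older platforms also need "switchport trunk encapsulation dot1q" before "switchport mode trunk")
vlan 999
 name NATIVE_UNUSED
interface GigabitEthernet0/24
 description Uplink toward distribution switch and DHCP server
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! Verification commands
! show port-security interface GigabitEthernet0/1
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show interfaces trunk
```

DAI depends on the DHCP snooping binding table, so enable snooping first; hosts with static addresses need an ARP ACL or the inspection will drop their ARP traffic.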
Security Program Elements
A comprehensive security program includes:
- User awareness training — teaching employees to recognize threats (phishing, social engineering)
- Physical access control — locks, badges, biometrics, security cameras
- Acceptable use policies — rules for network and internet usage
- Incident response plan — procedures for handling security breaches
- Disaster recovery/business continuity — maintaining operations during and after incidents
- Regular security audits — periodic assessment of security posture
Defense-in-Depth
Defense-in-depth uses multiple layers of security so that if one layer fails, others still protect the network:
- Physical — locks, cameras, secure facilities
- Network — firewalls, IPS, segmentation
- Host — antivirus, host-based firewall, patching
- Application — input validation, secure coding, WAF
- Data — encryption, DLP, access controls
- Administrative — policies, training, background checks
On the Exam: Understand the CIA triad and be able to classify attacks. Know that a vulnerability is a weakness, a threat is a potential danger, and an exploit is an actual attack. Questions may present a scenario and ask you to identify the attack type or the appropriate mitigation.
Review Questions
- Which element of the CIA triad ensures that data has not been altered during transmission?
- Which Layer 2 attack involves sending fake ARP replies to redirect traffic through the attacker?
- What type of attack floods a network with traffic from multiple compromised systems to make services unavailable?
- Which Layer 2 attack involves an attacker generating thousands of fake MAC addresses to overflow the switch MAC address table?