Part of every information technologist’s education involves the ISO/OSI “seven-layer” networking model. However, some more observant students have noticed something seemingly missing.
In 1983, the International Standards Organization (ISO) introduced a useful seven-layered model for networked computing called the Open Systems Interconnection (OSI) model.
Moving outward from the user, data is entered into the network through software running on the application layer. This application is running on a device-based operating system at the presentation layer, which is signed in through the session layer. Data is moved from that user to another destination by the transport layer, which uses the network layer to connect to that destination. This connects to the actual network via a network interface card at the data-link layer which, finally, connects to the actual cabling and wireless infrastructure at the physical layer.
Arriving at the other end, the data travels back up the seven layers to arrive at its intended destination. Each layer has its own protocols and other communication standards that govern its efficient operation.
Those more observant students often ask, “Where is the Security layer? Where does security fit in?”
The answer is “Yes.”
Security at every level
Many providers of data and network security products emphasize the importance of “multi-layer” security, but here is the reality: if security is not efficiently and effectively embedded into every layer of the ISO/OSI model, every step along the path data takes from origin to destination is vulnerable, and the security in place is ineffective.
Imagine a building with seven doors, each providing entry. If all seven doors are locked, the building can be considered secure. However, if one is left unlocked, the entire building is insecure. It really is just that simple. Unless every layer of the network is secured, penetration can occur. Data can be compromised. And compromised data creates an existential danger. According to Inc. magazine, 60% of businesses whose data is significantly compromised go out of business and don’t return.
Assuring optimal security at every level of the ISO/OSI model
The ISO also provided a corresponding security model for each layer of the OSI model that serves as a helpful guide and checklist when working to assure comprehensive data and network security across the board.
Notarization and signature at the physical layer
Today’s physical layer consists of wired and wireless infrastructure. Penetrating wired infrastructure usually requires accessing and physically wiring into cables. Earlier efforts to access electrical emanations from simple coaxial cable have been thwarted through the use of twisted-pair cabling, which significantly limits the ability of invaders to compromise cables, especially fiber-optic ones.
Assurance and availability at the data-link layer
The data link is accomplished through the use of a network interface card (NIC) attached to the physical network cabling or wireless infrastructure. One of the jobs each NIC must perform is to find the NIC that it is sending data to. To accomplish this, each and every NIC has its own completely unique identifier called a media access control (MAC) address. The NIC at the point of origin uses the Address Resolution Protocol (ARP) to find the destination NIC by converting an internet protocol (IP) address to the corresponding physical network address.
Confidentiality at the network layer
If the MAC address of the destination NIC isn’t found on the local network, the data is sent to a router at the network layer. The router understands IP addresses and makes decisions as to where to send the data based on a table that indicates which MAC addresses exist on other IP networks. Attackers have developed many ways of invading routers to intercept data and address information, giving them access to a wide variety of resources that they can then corrupt, copy, or otherwise damage. Most of these methods are far more effective on routers running older versions of their operating software. The best defense includes banning remote access tools such as telnet and assuring that software on all routers is always kept fully updated.
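One way to check the telnet recommendation above against a router configuration, as an added example that is not part of the original article. It assumes Cisco IOS-style `line vty` syntax, runs on a constructed sample configuration, and treats a vty block with no explicit `transport input` as a finding because the platform default then decides what is accepted.

```python
import re

# Constructed sample in Cisco IOS-style syntax; not taken from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
line con 0
 exec-timeout 5 0
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
line vty 16 31
 login local
!
end
"""

def audit_vty_telnet(config_text):
    """Return (vty_block, reason) findings for vty blocks that may accept telnet."""
    findings = []
    block, transport = None, None

    def close_block():
        # Evaluate the block that just ended, if there was one.
        if block is None:
            return
        if transport is None:
            # Assumption: an unset value is worth review, since defaults vary by release.
            findings.append((block, "no explicit 'transport input'; platform default applies"))
        elif {"telnet", "all"} & set(transport):
            findings.append((block, "telnet permitted: transport input " + " ".join(transport)))

    for raw in config_text.splitlines():
        if not raw.startswith(" "):      # an unindented line ends any open block
            close_block()
            block, transport = None, None
            if re.match(r"line vty\s+\d+(\s+\d+)?\s*$", raw):
                block = raw.strip()
        elif block is not None:
            m = re.match(r"\s+transport input\s+(.+)$", raw)
            if m:
                transport = m.group(1).split()
    close_block()                        # handle a block that runs to end of file
    return findings

if __name__ == "__main__":
    for vty, reason in audit_vty_telnet(SAMPLE_CONFIG):
        print(f"{vty}: {reason}")
```

Blocks restricted to `transport input ssh` produce no finding, so an empty result means every vty line explicitly excludes telnet.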
Data integrity at the transport layer
TCP/IP is the transport control protocol running over internet protocol. TCP was designed to get data from one place to another and assure that it is in good order when it gets there. This requires extensive error checking and data loss prevention. This leans heavily on a process called “handshaking” in which the origin and destination hosts confirm and reconfirm transmission and receipt.
While there are many ways in which an attacker can attempt to compromise TCP, there are just as many ways to prevent such attacks. The most well-known way is the implementation of a firewall to protect hosts inside the network from attacks outside the network. Anti-malware scanners are also implemented at this layer to recognize and prevent recognized viruses, worms, and other signatures from penetrating the network.
Non-repudiation at the session layer
The session layer is responsible for setting up and taking down the connection between hosts.
It is possible for an attacker to gain access during the initial acquisition of a session connection by “hijacking” the session. It is also possible for them to achieve a “man in the middle” connection in the middle of a session from which they can monitor and intercept the data flowing between the two hosts, or launch a directed denial of service (DDoS) attack in which huge volumes of requests are made which cause a host or an entire network to crash due to traffic overload.
Management that assures the creation, use, and updating of strong passwords inhibits session layer invasion significantly. Multifactor authentication, which requires the use of a code provided to the user’s digital device, is also advised.
Access control at the presentation layer
The most important step in protecting the presentation layer is to make sure that all updates and patches are regularly applied. Nothing proves the dangers of a “set-it-and-forget-it” mentality like failure to patch and update operating systems and applications.
Authentication at the application layer
Applications are routinely attacked by viruses, trojans, worms, and other forms of malware. It is critical to keep all anti-malware software fully updated and all signature files current. Hackers are constantly inventing new exploits, so all application software must be kept updated and protected at all times.
Secure the stack
It is important to remember that there is no such thing as perfect security, but exercising vigilance to provide the best possible protection at every layer is the best way to optimize security and data privacy. The tools used to do this are often referred to as a security stack. Think stack. Think end-to-end.
There are additional concerns beyond the stack. All too often damage is caused when a user with significant access rights leaves their computer logged into the network and signed into key applications, including financial applications. A thief gains access to the computer by breaking into the office physically. Nothing stands between them and the transfer of data, or dollars, through that open computer connection. People and physical plant vulnerabilities are among the most popular data and network exploits. A holistic approach to data and network security is the only proper approach.