To protect an organization effectively, comprehensive cybersecurity solutions are required: solutions that work together in a security ecosystem, building layers of protection that address every layer of the OSI model. Security experts need to understand that any layer of the OSI model could potentially be vulnerable to attack.
What Exactly is the OSI Model?
The OSI (Open Systems Interconnection) model was introduced by the International Organization for Standardization (ISO) as a conceptual model for networking between different computer systems.
The OSI model is normally presented with the layer closest to the user first, at the top.
Layer 7: Application Layer
The application layer represents an application at the originating or receiving node, which initiates or receives network communication by using network services.
Cyber security specialists widely regard this layer as the most vulnerable, with attacks ranging from cross-site scripting (XSS) to DDoS and SQL injection.
Layer 6: Presentation Layer
Before information can be sent anywhere, it needs to be converted into a standard format that the recipient can understand.
Because data encryption takes place on the presentation layer, attacks exploiting this layer typically take the form of SSL violations.
Layer 5: Session Layer
On this layer, communication with the remote endpoint is established programmatically over a specific port through a handshake (ACK).
Threat actors can exploit OSI layer five by opening unsanctioned connections to networks through remote connection protocols such as Telnet.
Layer 4: Transport Layer
Layer four is responsible for preparing data for transmission: the data is divided so that it can be placed into packets (TCP, UDP).
Message forgery and packet tampering can occur on this layer. The TLS standard effectively addresses this vulnerability.
Layer 3: Network Layer
The network layer is responsible for routing packets to their destination: it analyzes the information placed in the header of each packet and forwards the packet to its intended recipient (TCP/IP, ARP).
Since network routers reside on this layer, it should come as no surprise that the most common vulnerability here is the compromise of routers to initiate a DDoS attack.
Layer 2: Datalink Layer
While its internal mechanism is complex, this layer has a simple outcome: Layer three addresses are resolved to MAC addresses. At the same time, it can detect, and often correct, errors received from the physical layer.
The most common cyber vulnerability on this layer is MAC address spoofing. It lets a threat actor appear to be a trusted member of the network, enabling a man-in-the-middle attack.
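As an added example (not part of the original article), the following Python script shows how a defender can spot the layer-two symptom described above over constructed ARP replies: one IP address announced by more than one MAC, or a single MAC claiming several IP addresses. The sample data and the per-MAC threshold are assumptions.

```python
"""Detect MAC-address spoofing from captured ARP replies (constructed sample data).

Added example, not from the original article. Layer-two MAC spoofing used for a
man-in-the-middle attack usually shows up as the same IP (often the gateway)
being announced from a second MAC, or as one MAC claiming many IPs.
"""
from collections import defaultdict

# Constructed ARP replies as (timestamp, sender_ip, sender_mac); not real traffic.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate
    ("10:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),
    ("10:00:03", "192.168.1.21", "aa:bb:cc:00:00:21"),
    ("10:00:09", "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway now from another MAC
    ("10:00:10", "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC also claims .20
]


def build_bindings(replies):
    """Map each IP to the MACs that announced it, and each MAC to the IPs it claimed."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for _ts, ip, mac in replies:
        ip_to_macs[ip].add(mac.lower())
        mac_to_ips[mac.lower()].add(ip)
    return ip_to_macs, mac_to_ips


def detect_spoofing(replies, max_ips_per_mac=1):
    """Return alert strings for IPs seen from >1 MAC and MACs claiming too many IPs.

    max_ips_per_mac is an assumed, tunable threshold: hosts that legitimately hold
    several addresses on one interface exist, so raise it for such networks.
    """
    ip_to_macs, mac_to_ips = build_bindings(replies)
    alerts = []
    for ip, macs in sorted(ip_to_macs.items()):
        if len(macs) > 1:
            alerts.append(f"IP {ip} announced by multiple MACs: {sorted(macs)}")
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > max_ips_per_mac:
            alerts.append(f"MAC {mac} claims {len(ips)} IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

In practice the replies would come from a switch's ARP inspection logs or a packet capture; an alert on the gateway address is the case most worth paging on.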
Layer 1: Physical Layer
All physical media reside on this layer: devices such as hubs, Wi-Fi access points and Ethernet cabling, and the raw electrical or radio signals themselves.
Security on this layer is neglected most of the time by security professionals. Should this layer not be monitored, threat actors could easily register a malicious device as a sanctioned one and wreak havoc.
How do Threat Actors Use This to Their Advantage?
Threat actors are opportunists and will search for vulnerabilities in every layer of the OSI model. For cyber security to be comprehensive, it needs to be overlapping, addressing each OSI layer. What security teams need to understand is that threat actors don’t need to be actively attacking the organization to gain access. In recent years, more employees have become targets of social engineering.
When employees don’t apply organizational security policies, they create vulnerabilities where none should have existed in the first place. This is called Insider Risk and needs to be addressed by cultivating a cyber security culture among all employees.
A common dimension of Cyber Security is attack surface visibility. Organizations need to have a clear picture of exactly where the edge of their cyber attack surface is. This allows security teams to address vulnerabilities that might exist across the entire OSI model.
This is a tremendously complex feat for a team of humans, especially after hours, when people have left the building. To address this need, organizations are encouraged to implement specialist monitoring software. These tools can typically flag suspicious network activity and act autonomously to address the risk. Security teams are alerted to the vulnerability and can institute remedial and preventative measures.