Using the OSI Model to Understand Cybersecurity Threats, Part Two
Cyber Risks & Threats | May 02, 2023
In our previous post, we covered the first three layers of the OSI model (the physical, data link, and network layers) and discussed the vulnerabilities and best practices for securing each layer. Now, in part two of our series, we’ll explore the remaining four layers: the transport, session, presentation, and application layers. Let’s dive in!
OSI Layer 4: The Transport Layer
From the network layer, we arrive next at the fourth layer of the OSI model: the Transport Layer. The transport layer’s job is to ensure reliable and efficient data delivery and communication between applications on different hosts while also providing error-checking and flow-control mechanisms for that communication. Transport layer protocols like TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) break data from the session layer down into smaller packets for transmission and ensure that they are delivered error-free and in the correct order.
In a sense, the transport layer is like a post office that receives large shipments (data from the session layer) and separates them into smaller packets for delivery. It ensures that these packets are delivered accurately and in the right order, and it regulates the flow of deliveries so that the post office (i.e., your network) doesn’t get too congested and can still handle the traffic.
Layer 4 Attacks
The transport layer is not frequently an outright target for attackers, but it can be targeted by certain DDoS techniques, notably smurf attacks and SYN floods. In a smurf attack, attackers flood a targeted network with a large volume of ICMP (Internet Control Message Protocol) echo requests, which are diagnostic messages sent from one computer to another to test whether it is reachable and responding.
These requests carry the spoofed source IP address of the target and are sent (typically by malware) to a third-party network’s IP broadcast address, so every host on that network replies to the target, flooding it with responses. When thousands of these requests are sent simultaneously, they create a virtually endless stream of replies, and as a result the target network can be overwhelmed and may not be able to process legitimate traffic.
In a SYN flood attack, the attacker exploits a weakness in the TCP handshake by sending a large volume of SYN packets to a target system. Each SYN opens a half-open connection, and the target responds with an attempt to complete the connection, but the client never replies, leaving the target with a high volume of “connections” that remain in the half-open state until they time out. With sufficient volume, a SYN flood attack can easily tie up server resources and prevent legitimate traffic from reaching the server.
Reconnaissance and Information Gathering at Layer 4
Direct attacks on the transport layer may be uncommon, but that doesn’t mean it’s ignored by attackers altogether. By examining the responses received from different types of probes or scans, attackers can make valuable use of the transport layer to perform reconnaissance on the rest of your network. For example, sending SYN packets to various ports on a target system and monitoring the responses can let an attacker know which ports are open or closed, which services are running, and what operating system the target is running. Packet sniffing may also be used to capture and analyze layer 4 network traffic.
Securing the Transport Layer
In order to prevent attacks like the smurf attack and SYN flood, or simply prevent attackers from scouting your network, it’s important to limit access to the transport layer as much as possible. The best practice to achieve this is to use a combination of encryption and access controls.
Encryption protocols such as SSL/TLS can protect data in transit from eavesdropping and interception, while access controls like firewalls and network segmentation can help limit access to sensitive resources and prevent unauthorized users or devices from gaining access to the network. Monitoring network traffic for unusual behavior, such as a sudden increase in packet rates or anomalous traffic patterns, can also help detect and prevent malicious activity targeting the transport layer. It is also important to keep software and hardware up to date with the latest security patches and firmware updates to ensure that known vulnerabilities are addressed.
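The monitoring advice above can be turned into a concrete check. The following is an added example, not code from the original post: it parses a constructed packet log (timestamp, source, destination, port, TCP flags) and flags sources that show the half-open pattern of a SYN flood, many SYNs in a short window with almost no completing ACKs. The log format and thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed packet-log lines (epoch seconds, src, dst, dport, TCP flags);
# not a real capture. 198.51.100.7 opens many half-open connections and never
# completes a handshake; 192.0.2.5 behaves like a normal client.
SAMPLE_LOG = """
1683000000.00 198.51.100.7 203.0.113.10 443 S
1683000000.05 198.51.100.7 203.0.113.10 443 S
1683000000.10 198.51.100.7 203.0.113.10 443 S
1683000000.15 198.51.100.7 203.0.113.10 443 S
1683000000.20 198.51.100.7 203.0.113.10 443 S
1683000000.25 198.51.100.7 203.0.113.10 443 S
1683000000.30 198.51.100.7 203.0.113.10 443 S
1683000000.40 192.0.2.5 203.0.113.10 443 S
1683000000.45 192.0.2.5 203.0.113.10 443 A
1683000000.50 192.0.2.5 203.0.113.10 443 PA
"""

def parse_log(text):
    """Return (ts, src, dst, dport, flags) tuples from the whitespace log."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, flags = line.split()
            records.append((float(ts), src, dst, int(dport), flags))
    return records

def syn_flood_suspects(records, window=1.0, syn_threshold=5, max_ack_ratio=0.2):
    """Flag sources that send more than syn_threshold SYNs within any
    `window` seconds while almost never sending the ACK that would
    complete the handshake (the half-open pattern of a SYN flood)."""
    by_src = defaultdict(list)
    for ts, src, _dst, _dport, flags in records:
        by_src[src].append((ts, flags))
    suspects = {}
    for src, events in by_src.items():
        events.sort()
        syns = [ts for ts, f in events if f == "S"]
        acks = sum(1 for _, f in events if "A" in f)
        peak, j = 0, 0
        for i, ts in enumerate(syns):          # sliding window over SYN times
            while syns[j] < ts - window:
                j += 1
            peak = max(peak, i - j + 1)
        ack_ratio = acks / len(syns) if syns else 1.0
        if peak > syn_threshold and ack_ratio <= max_ack_ratio:
            suspects[src] = {"peak_syns": peak, "ack_ratio": round(ack_ratio, 2)}
    return suspects
```

In production the same logic would run over flow records or a sensor feed rather than an embedded string, and the thresholds would be tuned to the baseline traffic of the protected host.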
OSI Layer 5: The Session Layer
The session layer is the fifth layer of the OSI model and is responsible for managing (setting up and taking down) communication connections between two endpoints on different network hosts. Just as a switchboard operator connects and manages calls between different parties, the session layer establishes and manages communication between different applications or processes running on different devices in a network. For example, when a user visits a website, it is the session layer that creates a session between the user’s computer and the web server and allows the exchange of data between them, including the web pages and other files that the user requests. The session layer manages this exchange of data, ensuring that it is properly organized, error-free, and secure. Once the session is complete, the session layer terminates the session and closes the connection between the computer and the web server.
Session Hijacking Attacks
Now that we understand how the session layer operates, let’s look at session hijacking attacks, the preeminent security threat on the session layer.
Session hijacking attacks occur when an attacker gains unauthorized access to a legitimate user’s session on a network by gaining access to a user’s session ID (an identifier that lets users stay logged in to an application or website) and using it to impersonate the user and gain access to their account.
This can be achieved by intercepting the user’s traffic to steal the session ID (known as a man-in-the-middle (MITM) attack) or by tricking the user into using a specific session ID that the attacker has picked in advance (a session fixation attack). The latter can be attempted via phishing emails that contain links with predetermined session IDs in the URLs or via malicious scripts that victims download and execute.
Preventing Session Layer Attacks
To prevent session hijacking and other session layer attacks, it’s important to use secure session management techniques. First and foremost, all communications between the client and server should be encrypted, especially where sensitive data like passwords, credit card numbers, or personally identifiable information is concerned. Using SSL/TLS encryption is the industry standard to prevent attackers from intercepting session traffic and stealing sensitive information. It is likewise important to use strong and unpredictable session IDs. The longer and more complex the session ID, the more difficult it is for attackers to guess or brute-force the value. Session timeouts should also be set to automatically log out inactive users after a certain period of time, thus preventing attackers from hijacking inactive sessions.
Finally, implementing multi-factor authentication can add an extra layer of security to user logins and help prevent attackers from gaining access to user accounts, even if they have stolen session IDs or login credentials. By following these best practices, organizations can significantly improve the security of their session layer and protect against various types of attacks.
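The session-management practices above (unpredictable IDs, a fresh ID on login so a fixated ID is never promoted to an authenticated session, and an idle timeout) can be seen together in a small in-memory store. This is an added example, not code from the original post; the store, its timeout value and the injectable clock are assumptions made so it can run stand-alone.

```python
import secrets
import time

class SessionStore:
    """Constructed in-memory session store (not a drop-in for a framework)."""

    def __init__(self, idle_timeout=900, clock=time.time):
        self.idle_timeout = idle_timeout     # seconds of inactivity allowed
        self.clock = clock                   # injectable for testing
        self._sessions = {}                  # session_id -> {"user", "last_seen"}

    @staticmethod
    def new_id():
        # 32 bytes (256 bits) from the OS CSPRNG: long enough that guessing or
        # brute-forcing a valid ID is infeasible.
        return secrets.token_urlsafe(32)

    def create_anonymous(self):
        sid = self.new_id()
        self._sessions[sid] = {"user": None, "last_seen": self.clock()}
        return sid

    def login(self, old_sid, user):
        # Anti-fixation: the pre-authentication ID (which an attacker may have
        # planted in a link) is discarded and a brand-new ID is issued.
        self._sessions.pop(old_sid, None)
        sid = self.new_id()
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def lookup(self, sid):
        """Return the user bound to sid, expiring idle sessions on the way."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]          # idle session can no longer be hijacked
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)
```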
OSI Layer 6: The Presentation Layer
The sixth layer of the OSI model, the Presentation Layer, is responsible for ensuring that data from the seventh layer (the application layer) can be understood by disparate systems and easily transmitted over a network. At the presentation layer, data is encoded and formatted into a standardized format, such as ASCII or Unicode, that can be easily interpreted by different systems; the layer also handles the compression, encryption, and decryption of that data. You can think of the presentation layer as a translator or interpreter. Just as a translator takes a message in one language and converts it into a form that someone speaking another language can understand, the presentation layer takes data from the application layer and translates it into a form that can be understood by the network layer.
Threats at the Presentation Layer
When it comes to secure communication over the web, encryption happens at the presentation layer, which is why it’s important to get it right. Unfortunately, attackers can target encryption flaws at the presentation layer using various techniques, such as SSL hijacking or sniffing. In these attacks, the attacker intercepts traffic between the client and server, allowing them to access sensitive data transmitted over HTTPS.
Other potential threats include injection attacks, in which an attacker injects code that is then executed by the receiving system; cross-site scripting (XSS) attacks, which inject malicious scripts into a web page; format string attacks, which exploit vulnerabilities in the way certain programming languages handle format strings; and buffer overflow attacks, which exploit programs that do not properly validate input, allowing an attacker to supply more data than the program can handle and potentially execute arbitrary code or crash the system.
Securing the Presentation Layer
One of the most important ways to protect your presentation layer is to use secure coding practices to ensure that all data transmitted through the presentation layer is properly sanitized and validated to prevent malicious code injection. Additionally, using encryption protocols like SSL/TLS can help protect against man-in-the-middle attacks and other forms of interception. Another important step is to restrict access to sensitive resources and ensure that only authorized users have access to the presentation layer.
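To make the "sanitize and validate" advice concrete for the format string case mentioned above, here is an added example (not from the original post) using Python's str.format() as an analogue of a format-string weakness: when the template itself comes from the user, its placeholders can walk object attributes. The hypothetical User class, its api_key field and the allow-list are assumptions for illustration.

```python
import re

# Constructed example: a greeting feature that lets users pick their own
# message template. The User object is hypothetical.
class User:
    def __init__(self, name):
        self.name = name
        self.api_key = "constructed-secret-key"   # sensitive field for the demo

def render_vulnerable(template, user):
    # Vulnerable: the user-controlled template is applied to a live object,
    # so a placeholder like "{user.api_key}" reads any attribute it names.
    return template.format(user=user)

_PLACEHOLDER = re.compile(r"\{([^{}]*)\}")
ALLOWED = {"name"}      # the only placeholder the feature needs

def is_safe_template(template):
    """True only if every {...} placeholder is a plain, allow-listed name
    (no attribute access, indexing, conversions or format specs)."""
    return all(ph in ALLOWED for ph in _PLACEHOLDER.findall(template))

def render_hardened(template, user):
    # Hardened: validate the template first, then format with primitive
    # values rather than the object, so there is nothing to traverse.
    if not is_safe_template(template):
        raise ValueError("template contains a disallowed placeholder")
    return template.format(name=user.name)
```

The same idea applies to C-style printf: the format string should be a constant chosen by the program, never the input, and the input should only ever fill a placeholder.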
OSI Layer 7: The Application Layer
The application layer is the seventh and topmost layer of the OSI model and the layer closest to the end user, where applications and services interact with the underlying network. It serves as an interface between the user and the network, allowing users to access network resources and services such as email, file sharing, and remote login.
To facilitate this, the application layer includes a variety of protocols that enable different types of applications to communicate with each other, including HTTP, FTP, SMTP, and Telnet. It also provides services such as authentication, data transformation, and data representation to ensure that applications can communicate effectively across different platforms and operating systems.
How Attackers Target the Application Layer
As the layer where most user interactions with software occur, the application layer makes a valuable target for attackers. The aforementioned techniques like data injection and cross-site scripting are common ways of exploiting applications, but attackers also leverage that most notoriously insecure of all network components: the end user.
Take cross-site request forgery (CSRF) attacks, for example: in a CSRF attack, an attacker tricks a victim into unknowingly performing an action on a website to which the victim is currently authenticated. This can allow an attacker to perform unauthorized actions, such as transferring funds or changing a password.
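The standard defense against the CSRF scenario just described is a synchronizer token that a third-party page cannot obtain or forge. The following is an added example, not code from the original post: the token is an HMAC over the session ID and an expiry under a server-side key, and a hypothetical funds-transfer handler refuses any request that does not carry a valid one. The key, TTL and request shape are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)   # assumption: per-deployment key

def issue_csrf_token(session_id, ttl=3600, now=None, key=SERVER_SECRET):
    """Token = "<expiry>.<hmac>" bound to this session; embedded in the
    site's own forms, so an attacker's page never sees it."""
    exp = int((now if now is not None else time.time()) + ttl)
    mac = hmac.new(key, f"{session_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"

def verify_csrf_token(token, session_id, now=None, key=SERVER_SECRET):
    """Recompute the HMAC for this session and compare in constant time."""
    try:
        exp_str, mac = token.split(".", 1)
        exp = int(exp_str)
    except (ValueError, AttributeError):
        return False                          # malformed or missing token
    if (now if now is not None else time.time()) > exp:
        return False                          # expired
    expected = hmac.new(key, f"{session_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)

def handle_transfer(request, session_id):
    """Hypothetical state-changing handler. The browser attaches the victim's
    session cookie automatically, so the cookie alone must not authorize
    the action: the token proves the request came from our own form."""
    form = request.get("form", {})
    if not verify_csrf_token(form.get("csrf_token", ""), session_id):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form.get('amount')}"
```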
Protecting the Application Layer
When it comes to protecting the application layer, there are a few key things to keep in mind. First, always make sure your software is up-to-date and patched with the latest security fixes. Outdated software can contain vulnerabilities that attackers can exploit to gain access to your system.
Next, be wary of phishing and other social engineering attacks that can trick users into giving away sensitive information or downloading malicious software. These attacks often exploit human error rather than technical vulnerabilities, so training employees on how to identify and avoid these scams is crucial.
Another important practice is to use strong authentication and access controls to limit who can access your applications and data. This can include things like multi-factor authentication, password policies, and role-based access control.
Client-side security is also an important aspect of protecting the application layer. One common threat is cross-site scripting (XSS), where attackers inject malicious code into a legitimate website that is then executed by unsuspecting visitors. To prevent this, developers can implement input validation and sanitization techniques, which help prevent users from entering malicious input into fields that could be used to execute code. Content Security Policy (CSP) headers can also be used to restrict which resources a browser can load, and prevent the execution of inline scripts. Other techniques such as using secure cookies and ensuring that HTTPS is used throughout the application can also help improve client-side security. Regular security assessments and penetration testing can also help identify vulnerabilities in the application layer and prevent successful attacks.
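The client-side measures above (output encoding against XSS, a Content Security Policy with a per-request nonce, and Secure/HttpOnly cookie flags) can be combined in one response builder. This is an added example, not code from the original post; the page layout, header set and cookie name are assumptions.

```python
import html
import secrets

def render_comment_page(comment, nonce):
    """Output encoding: user content is escaped so "<script>" stays text.
    The page's own script carries the request nonce so CSP allows it."""
    safe = html.escape(comment, quote=True)
    return (
        "<!doctype html><html><body>"
        f'<p class="comment">{safe}</p>'
        f'<script nonce="{nonce}">initComments();</script>'
        "</body></html>"
    )

def security_headers(nonce):
    """CSP restricts loads to the same origin and only runs scripts that carry
    this request's nonce, so an injected inline script is not executed."""
    return {
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"
        ),
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
    }

def session_cookie(session_id):
    # Secure: only over HTTPS; HttpOnly: not readable by script (limits what
    # an XSS can steal); SameSite=Lax: not sent on cross-site POSTs.
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"

def build_response(comment, session_id):
    """Return (headers, body) for a page showing one user-supplied comment."""
    nonce = secrets.token_urlsafe(16)       # fresh per response
    headers = security_headers(nonce)
    headers["Set-Cookie"] = session_cookie(session_id)
    return headers, render_comment_page(comment, nonce)
```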