Updated: February 5, 2026

Cybersecurity in the OSI Model

Secure your networks according to the OSI model. Learn how each layer of the OSI model affects cybersecurity and what protection measures to implement.

The OSI (Open Systems Interconnection) model is a fundamental tool used to understand and design network systems. Its layered architecture enables detailed analysis and security of each level of network communication.

This article discusses the threats associated with each layer of the OSI model and presents effective defenses against them. It is intended for managers, CEOs, heads of IT (CIOs), IT staff, security staff, CISOs, and compliance and data governance departments.

Chapter 1: Application Layer

Functions and Protocols

The Application Layer is the highest level of the OSI model and directly interfaces with the end user. Its main function is to provide an interface for applications and manage various network services, such as web browsing, sending and receiving emails, and file transfer. The most commonly used protocols at this layer include HTTP (Hypertext Transfer Protocol), SMTP (Simple Mail Transfer Protocol), and DNS (Domain Name System).

Attack Vectors and Threats

  • Malware injection: Injecting malicious software into applications to gain control or steal data. These attacks can lead to significant financial and reputational losses.

  • Phishing attacks: Scams aimed at extracting confidential information, such as passwords and credit card data, by impersonating trusted sources.

  • App-level DDoS attacks: DDoS (Distributed Denial of Service) attacks at the application level flood the application with a large number of fake requests, overloading it and preventing normal functioning.

Examples of Real Attacks and Defense Measures

An example of an attack on the Application Layer is the 2017 incident in which Equifax, one of the largest credit agencies, fell victim to a massive data breach. Attackers exploited a vulnerability in the web application, leading to the theft of personal data from over 147 million people.

Defense measures:

  • Regular software updates and security patches.

  • Implementation of strong authentication and authorization mechanisms.

  • Employee education on recognizing phishing attempts.


Chapter 2: Presentation Layer

Functions and Protocols

The Presentation Layer is responsible for transforming data into a form understandable by applications. Its tasks include data encryption and decryption, compression and decompression, and data format conversion. Protocols used at this layer include SSL/TLS (Secure Sockets Layer / Transport Layer Security) and various data encoding formats.

Attack Vectors and Threats

  • Attack on weak encryption: Attacks involving the exploitation of weak encryption algorithms that can be easily broken by cybercriminals.

  • File format exploits: Exploiting file formatting vulnerabilities to execute malicious code when a file is opened by an application.

  • Malicious code injection: Injecting malicious code into data processing, leading to takeover of the system.

Examples of Real Attacks and Defense Measures

In 2014, the attack on Sony Pictures caused a huge crisis, as attackers used malicious code in a video file format to gain access to the company’s internal systems.

Defense measures:

  • Implementation of strong encryption algorithms and regular key updates.

  • Using advanced tools to detect and prevent attacks on file formats.

  • Regular security testing of applications to detect potential vulnerabilities.

Chapter 3: Session Layer

Functions and Protocols

The Session Layer manages communication sessions between applications. It is responsible for establishing, maintaining, and terminating connections, as well as session state management. Typical protocols include RPC (Remote Procedure Call) and protocols used in video conferencing.

Attack Vectors and Threats

  • Session hijacking & replay: Taking over an active user session to gain unauthorized system access.

  • Session fixation attack: The attacker forces the user to accept a known session identifier, allowing them to take over the session after authorization.

  • Cross-site request forgery (CSRF): Attacks involving forcing an authenticated user to perform unauthorized actions on another service.

Examples of Real Attacks and Defense Measures

An example of a session attack is the eBay case, where attackers took over user sessions, allowing them to make unauthorized transactions.

Defense measures:

  • Using high-complexity session tokens with short lifetimes.

  • Implementing CSRF protection mechanisms, such as synchronization tokens.

  • Monitoring and immediate termination of suspicious sessions.
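
The three session defenses listed above, sketched in Python as an added example that is not part of the original article. `SessionStore`, its method names and the 900-second lifetime are assumptions made for illustration.

```python
import hmac
import secrets
import time


class SessionStore:
    """In-memory store (hypothetical; production would use a shared backend)."""

    def __init__(self, ttl=900, clock=time.monotonic):  # 900 s is an assumed lifetime
        self._ttl = ttl
        self._clock = clock
        self._sessions = {}  # session id -> {"user", "csrf", "expires"}

    def _issue(self, user):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {
            "user": user,
            "csrf": secrets.token_urlsafe(32),  # synchronizer token for this session
            "expires": self._clock() + self._ttl,
        }
        return sid

    def start_anonymous(self):
        return self._issue(None)

    def login(self, old_sid, user):
        # Session fixation defence: discard the pre-login identifier and
        # issue a fresh one instead of promoting an ID the client supplied.
        self._sessions.pop(old_sid, None)
        return self._issue(user)

    def get(self, sid):
        entry = self._sessions.get(sid)
        if entry is not None and self._clock() >= entry["expires"]:
            del self._sessions[sid]  # short lifetime enforced server-side
            entry = None
        return entry

    def csrf_token(self, sid):
        entry = self.get(sid)
        return entry["csrf"] if entry else None

    def check_csrf(self, sid, submitted):
        entry = self.get(sid)
        if entry is None or not isinstance(submitted, str):
            return False
        # Constant-time comparison so the token cannot be guessed byte by byte.
        return hmac.compare_digest(entry["csrf"].encode(), submitted.encode())
```

Terminating a suspicious session in this sketch means deleting its entry from the store, after which both `get` and `check_csrf` reject it.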

Chapter 4: Transport Layer

Functions and Protocols

The Transport Layer provides secure and reliable data transmission between hosts. It handles error correction, data flow management, and congestion control. The most important protocols include TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

Attack Vectors and Threats

  • TCP/SYN & UDP Flood attack: Attacks involving flooding the server with a large number of packets, leading to its overload and service unavailability.

  • TCP hijacking & MiTM attack: Taking over a TCP session to inject malicious traffic between communicating hosts.

  • Port scan for vulnerability: Scanning ports to identify open ports and potential security vulnerabilities.

Examples of Real Attacks and Defense Measures

In 2016, the DDoS attack on Dyn, a DNS service provider, used the UDP Flood technique, which led to disruptions in the operation of many popular internet services.

Defense measures:

  • Implementing packet filters and firewalls to block traffic from DDoS attacks.

  • Using advanced intrusion detection systems (IDS) to monitor and analyze network traffic.

  • Regular network and port scanning to identify and close unused ports.

Chapter 5: Network Layer

Functions and Protocols

The Network Layer is responsible for transmitting data packets between different networks. It manages routing, IP addressing, and packet fragmentation. Key protocols include IPv4, IPv6, and ICMP (Internet Control Message Protocol).

Attack Vectors and Threats

  • IP spoofing & fragmentation: Falsifying IP addresses to bypass security mechanisms and attacks exploiting packet fragmentation.

  • Ping of death & ICMP flood: Sending large ICMP packets that cause system overload and crashes.

  • Route poisoning attacks: Manipulating routing tables to redirect network traffic through unauthorized nodes.

Examples of Real Attacks and Defense Measures

In 2013, the “Operation Snowman” campaign conducted IP spoofing and packet fragmentation attacks to bypass firewalls and gain access to companies’ internal networks.

Defense measures:

  • Configuring routers to reject packets with suspicious IP addresses.

  • Implementing ICMP attack protection mechanisms, such as rate limiting.

  • Regular monitoring and updating of routing tables and network configuration.
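
An added example, not from the original article, of the ICMP protections named above: a filter that first rejects any fragment whose offset plus length would exceed the 65,535-byte IPv4 maximum on reassembly (the ping-of-death shape), then rate-limits each source with a token bucket. `IcmpGuard`, `make_header`, the 5 packets/second rate and the burst of 10 are assumptions; the headers are constructed sample input.

```python
import struct
import time

MAX_IP_DATAGRAM = 65535  # largest legal IPv4 datagram, header included


def make_header(total_len, frag_units, src=b"\xc0\x00\x02\x0a", dst=b"\xc0\x00\x02\x01"):
    """Build a constructed 20-byte IPv4 header (protocol 1 = ICMP) as sample input."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, frag_units, 64, 1, 0, src, dst)


def reassembled_size(ip_header):
    """Bytes the datagram reaches once this fragment is placed at its offset."""
    _ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", ip_header[:8])
    frag_offset = (flags_frag & 0x1FFF) * 8  # offset field counts 8-byte units
    return frag_offset + total_len


class IcmpGuard:
    """Drops impossible fragments, then applies a per-source token bucket."""

    def __init__(self, rate=5.0, burst=10, clock=time.monotonic):  # assumed limits
        self.rate = rate
        self.burst = float(burst)
        self._clock = clock
        self._buckets = {}  # source IP -> (tokens, time of last packet)

    def allow(self, src_ip, ip_header):
        if reassembled_size(ip_header) > MAX_IP_DATAGRAM:
            return False  # would overflow on reassembly (ping-of-death shape)
        now = self._clock()
        tokens, last = self._buckets.get(src_ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self._buckets[src_ip] = (tokens - 1.0 if allowed else tokens, now)
        return allowed
```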

Chapter 6: Data Link Layer

Functions and Protocols

The Data Link Layer manages data transmission between directly connected network devices. It is responsible for physical addressing, medium access control, and error detection. Typical protocols include Ethernet, Wi-Fi, and protocols used in VLAN networks.

Attack Vectors and Threats

  • ARP spoofing & poisoning: Manipulating ARP tables to intercept network traffic.

  • STP attack & MAC spoofing: Attacks on the spanning tree protocol and falsifying MAC addresses to gain unauthorized network access.

  • Wireless vulnerabilities attack: Exploiting vulnerabilities in wireless network security protocols, such as WEP and WPA.

Examples of Real Attacks and Defense Measures

ARP spoofing attacks were commonly used in “Man-in-the-Middle” campaigns, where attackers manipulated ARP tables to intercept user data in public networks.

Defense measures:

  • Implementing dynamic ARP tables with anomaly detection mechanisms.

  • Using strong encryption protocols in wireless networks, such as WPA3.

  • Regular updates and testing of wireless network security.
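
One way to add anomaly detection to a dynamic ARP table, shown as an added example that is not part of the original article. It flags an IP address whose MAC binding changes and a MAC that starts answering for more than one IP; the function names, alert labels and sample replies are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) taken from ARP replies.
SAMPLE_ARP_REPLIES = [
    (0, "10.0.0.1", "aa:aa:aa:00:00:01"),   # gateway
    (5, "10.0.0.20", "aa:aa:aa:00:00:14"),
    (9, "10.0.0.21", "aa:aa:aa:00:00:15"),
    (30, "10.0.0.1", "aa:aa:aa:00:00:01"),
    (31, "10.0.0.1", "AA-AA-AA-00-00-15"),  # gateway IP answered by .21's MAC
    (32, "10.0.0.1", "aa:aa:aa:00:00:01"),
    (33, "10.0.0.1", "aa:aa:aa:00:00:15"),
]


def normalize_mac(mac):
    return mac.lower().replace("-", ":")


def arp_anomalies(replies, static_bindings=None):
    """Return (time, kind, ip, mac) alerts for suspicious IP-to-MAC claims."""
    static = {ip: normalize_mac(m) for ip, m in (static_bindings or {}).items()}
    learned = dict(static)
    ips_by_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = normalize_mac(mac)
        known = learned.setdefault(ip, mac)  # first sighting becomes the baseline
        if known != mac:
            if ip in static:
                alerts.append((ts, "static-violation", ip, mac))  # pinned entry contradicted
            else:
                alerts.append((ts, "rebind", ip, mac))
                learned[ip] = mac  # follow the change, but only after alerting
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:  # one MAC answering for several IPs
                alerts.append((ts, "multi-ip", ip, mac))
    return alerts
```

Hosts that legitimately hold several addresses, such as routers doing proxy ARP, will raise `multi-ip` alerts and need an allowlist in practice.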

Chapter 7: Physical Layer

Functions and Protocols

The Physical Layer covers all physical aspects of data transmission, including cabling, electrical and optical signals, and physical configuration of network devices. It is responsible for direct bit transmission between devices.

Attack Vectors and Threats

  • Wiretapping & tampering: Physically intercepting and manipulating data transmission signals.

  • Signal jamming: Disrupting wireless signals to interrupt communication.

  • Unauthorized device install: Installing unauthorized network devices to intercept data.

Examples of Real Attacks and Defense Measures

An example of an attack on the Physical Layer is a 2010 case in which a research team conducted a successful network attack by physically intercepting Ethernet cables, which enabled them to gain access to a company’s internal systems.

Defense measures:

  • Using physical security measures, such as locks, monitoring, and access control to network infrastructure.

  • Implementing technologies for detecting wireless signal interference.

  • Regular audits of physical network infrastructure to detect unauthorized devices.

Conclusions

Summary of Key Threats

Each layer of the OSI model carries unique threats and attack vectors that can seriously affect network system security. It is crucial that organizations are aware of these threats and apply appropriate protection measures at each level.

Recommendations and Best Practices

  • Regular updates and monitoring: Maintaining up-to-date software and real-time network monitoring to detect and respond to security incidents.

  • Training and awareness: Educating employees about cyber threats and security best practices to increase awareness and ability to recognize potential attacks.

  • Layered security approach: Implementing multi-layered security strategies that consider unique threats at each level of the OSI model.

Applying these recommendations will help organizations effectively protect their systems and data from a wide range of cyber threats.
