The Open Systems Interconnection (OSI for short) Reference Model is a common, protocol-independent model (meaning it is not itself a standard) that aims to conceptualise the several, and abstract, stages of communication in a computer network. Easy, right? The key word here is "abstract".
In this article we intend to dive into the 7 layers that comprise the OSI Model from a simple point of view: the cybersecurity concerns. Slice by slice. Ready? Let's jump into it.
Physical Layer (Layer 1)
Security concerns in this layer involve the protection of physical access to networking equipment, cables (where bits become voltages for transmission), and data centres. Preventing unauthorised physical access to these resources is essential to maintaining network security.
This is like the wire that connects the toy telephone's talking and listening parts. It makes sure the messages can travel between them. Similarly, in a computer network, the Physical Layer takes care of the cables, like making sure they're connected properly.
Some potential attacks at this layer:
Physical Tampering: Unauthorised access to networking equipment, cables, or data centres in order to physically disrupt or steal information.
Eavesdropping: Illegally intercepting and listening to network communications by tapping into physical connections.
Real-Life Attack: In 2010, the Stuxnet malware targeted Iran's nuclear facilities. It was introduced through infected USB drives, exploiting physical access to the network and causing damage to the centrifuges used in the uranium enrichment process.
Data Link Layer (Layer 2)
This layer is responsible for organising data into frames for transmission. At the security level, measures such as MAC (Media Access Control) address filtering, VLAN segregation, and 802.1X authentication can be implemented to prevent unauthorised access to the network.
Think of this as the part of the toy telephone that gives the message a "name tag" so it knows who it's meant for. It also checks if the message got to the right place, just like checking if your friend got your message on the toy telephone.
Some potential attacks at this layer:
MAC Spoofing: Forging or impersonating a legitimate MAC address to gain unauthorised access to a network.
ARP Poisoning: Manipulating the Address Resolution Protocol to associate incorrect MAC addresses with IP addresses, redirecting traffic to an attacker's machine.
Real-Life Attack: The "Man-in-the-Middle" attack against public Wi-Fi networks is a common example. Attackers set up rogue Wi-Fi hotspots with similar names to legitimate networks, intercepting communications and potentially stealing sensitive information.
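ARP poisoning leaves a visible trace: one IP address suddenly answered by more than one MAC address. The following detector, added here as an example and not code from the original article, runs over a constructed log of ARP replies (the log format, the addresses and the trusted-binding table are all assumptions) and flags any IP claimed by several MACs or by a MAC other than its known binding.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen by a passive sensor (not real captures).
# Format per line: "<time> <sender_ip> is-at <sender_mac>"
SAMPLE_ARP_LOG = """\
10:00:01 192.168.1.1 is-at aa:bb:cc:00:00:01
10:00:02 192.168.1.20 is-at aa:bb:cc:00:00:20
10:00:05 192.168.1.1 is-at aa:bb:cc:00:00:01
10:00:09 192.168.1.1 is-at DE:AD:BE:EF:13:37
10:00:10 192.168.1.20 is-at aa:bb:cc:00:00:20
10:00:11 192.168.1.1 is-at de:ad:be:ef:13:37
garbage line that should be skipped
"""

# Hypothetical static table of known gateway/server bindings for this segment.
TRUSTED_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def parse_arp_log(text):
    """Yield (time, ip, mac) for each well-formed line; MACs are lower-cased."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "is-at":
            continue
        yield parts[0], parts[1], parts[3].lower()


def detect_arp_conflicts(text, trusted=None):
    """Return {ip: sorted MACs} for every IP claimed by more than one MAC,
    or whose only claimant differs from its trusted binding."""
    trusted = trusted or {}
    claims = defaultdict(set)
    for _, ip, mac in parse_arp_log(text):
        claims[ip].add(mac)
    conflicts = {}
    for ip, macs in claims.items():
        expected = trusted.get(ip)
        if len(macs) > 1 or (expected is not None and expected not in macs):
            conflicts[ip] = sorted(macs)
    return conflicts


if __name__ == "__main__":
    for ip, macs in detect_arp_conflicts(SAMPLE_ARP_LOG, TRUSTED_BINDINGS).items():
        print(f"ALERT: {ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
```

On a real network, feed it the ARP replies from a port mirror or a tool such as arpwatch, and pair the alert with Dynamic ARP Inspection or static entries for gateways.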
Network Layer (Layer 3)
The focus here is on IP addressing (the data unit at this layer is the packet), routing, and logical addressing. Network security at this layer includes implementing firewalls, intrusion detection and prevention systems (IDPS), and virtual private networks (VPNs) to secure data in transit.
Imagine you're sending a letter and you need to know the best way for it to get to your friend's house. The Network Layer is like the map that helps the message find its way through different streets to reach the right place in the fastest way possible.
Some potential attacks at this layer:
IP Spoofing: Forging the source IP address of a packet to impersonate another device, potentially bypassing network filters.
Denial of Service (DoS) Attacks: Flooding a network with excessive traffic to overwhelm its capacity and disrupt normal operations.
Distributed Denial of Service (DDoS) Attacks: Coordinating multiple compromised devices to launch a large-scale DoS attack.
Real-Life Attack: The "Ping of Death" attack in the late 1990s exploited vulnerabilities in the IP protocol by sending oversized ICMP packets. This caused system crashes and network disruptions due to buffer overflow vulnerabilities.
Transport Layer (Layer 4)
This layer ensures reliable data transfer between devices. Transport layer security includes the use of protocols like SSL/TLS for securing data during transmission and establishing encrypted communication channels.
This is like a delivery truck that makes sure your message is safe and complete. If the message is too big, it makes sure to break it into smaller parts so they all fit and arrive in the right order.
Some potential attacks at this layer:
TCP SYN Flood: Exploiting the TCP handshake process by sending a flood of SYN requests to consume server resources and prevent legitimate connections.
UDP Flood: Sending a large volume of UDP packets to overwhelm a network or server.
Session Hijacking: Taking control of an established communication session to gain unauthorised access to sensitive data.
Real-Life Attack: The SYN flood attack targets the TCP handshake process. In 2016, the Mirai botnet used this attack to overwhelm Internet of Things (IoT) devices and launch large-scale DDoS attacks against major websites and services.
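A SYN flood shows up on the victim as a pile of connections stuck in SYN-RECV, the half-open state between the first and third handshake packets. This detector is an added example, not code from the article: it runs over a constructed snapshot of a server's connection table (the line format, addresses and thresholds are assumptions) and names sources holding an abnormal number of half-open connections.

```python
from collections import Counter

# Constructed snapshot of a web server's TCP connection table (not real data).
# One line per connection: "<state> <local_addr> <remote_addr>"
_legit = [f"ESTAB 10.0.0.5:443 198.51.100.{i}:4{i:04d}" for i in range(1, 6)]
_legit_pending = ["SYN-RECV 10.0.0.5:443 198.51.100.9:45000"]
_flood = [f"SYN-RECV 10.0.0.5:443 203.0.113.9:{50000 + i}" for i in range(60)]
SAMPLE_CONN_TABLE = "\n".join(_legit + _legit_pending + _flood) + "\n"


def parse_conn_table(text):
    """Yield (state, remote_ip) per well-formed line; the port is dropped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        state, _, remote = parts
        yield state, remote.rsplit(":", 1)[0]


def half_open_by_source(text):
    """Count connections stuck in SYN-RECV (half-open) per remote IP."""
    return Counter(ip for state, ip in parse_conn_table(text) if state == "SYN-RECV")


def syn_flood_suspects(text, per_source_threshold=20, ratio_threshold=0.5):
    """Return sorted remote IPs holding more than per_source_threshold half-open
    connections. Fires only when half-open entries make up at least
    ratio_threshold of the whole table, so a busy but healthy server stays quiet."""
    rows = list(parse_conn_table(text))
    if not rows:
        return []
    half_open = half_open_by_source(text)
    if sum(half_open.values()) / len(rows) < ratio_threshold:
        return []
    return sorted(ip for ip, n in half_open.items() if n > per_source_threshold)


if __name__ == "__main__":
    print("half-open per source:", dict(half_open_by_source(SAMPLE_CONN_TABLE)))
    print("suspects:", syn_flood_suspects(SAMPLE_CONN_TABLE))
```

Spoofed floods spread the half-open load over many fake sources, so the per-source count alone will miss them; the overall half-open ratio, plus SYN cookies on the server, is the mitigation that still holds.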
Session Layer (Layer 5)
This layer manages the establishment, maintenance, and termination of communication sessions. It plays a role in security by maintaining secure sessions through features like session keys, which can be used to encrypt data between communication endpoints.
Think of this as the way you and your friend agree on how to have a conversation. You decide who will talk first and when to take turns. The Session Layer helps the computers do the same thing—agree on how to talk to each other.
Some potential attacks at this layer:
Session Fixation: Forcing a user to use a predetermined session ID, allowing an attacker to take control of the user's session.
Man-in-the-Middle (MitM) Attack: Intercepting and possibly altering communication between two parties without their knowledge.
Real-Life Attack: The "Session Fixation" vulnerability in web applications was exploited in the MySpace "Samy" worm in 2005. The attacker set the victim's session ID to a known value, allowing the attacker to control the user's account.
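The fix for session fixation is to regenerate the session identifier whenever privilege changes, above all at login. The following in-memory session store is an added example and not code from the article (the store, its API and the "attacker-known-sid" value are assumptions); it contrasts a login that keeps the presented ID with one that rotates it.

```python
import secrets


class SessionStore:
    """Minimal stand-in for a web framework's session store (hypothetical)."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": str | None}

    def get_or_create(self, session_id):
        """Adopt the presented ID if it is new (the permissive behaviour that
        lets an attacker-chosen ID take root); mint one only when none is sent."""
        if session_id is None:
            session_id = secrets.token_urlsafe(32)
        self._sessions.setdefault(session_id, {"user": None})
        return session_id

    def user_of(self, session_id):
        return self._sessions.get(session_id, {}).get("user")

    def set_user(self, session_id, user):
        self._sessions[session_id]["user"] = user

    def rotate(self, old_id):
        """Issue a fresh random ID, move the data across and invalidate old_id."""
        data = self._sessions.pop(old_id)
        new_id = secrets.token_urlsafe(32)
        self._sessions[new_id] = data
        return new_id


def login_vulnerable(store, presented_id, user):
    """Keeps whatever ID the browser presented, so a pre-set ID becomes
    an authenticated session the attacker already knows."""
    sid = store.get_or_create(presented_id)
    store.set_user(sid, user)
    return sid


def login_hardened(store, presented_id, user):
    """Regenerates the ID on authentication: the pre-set ID is discarded
    and the attacker is left holding an invalid identifier."""
    sid = store.get_or_create(presented_id)
    sid = store.rotate(sid)
    store.set_user(sid, user)
    return sid
```

Frameworks usually expose this directly (for example a session-regenerate call); the point is to call it at every authentication or privilege step, not only at logout.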
Presentation Layer (Layer 6)
The presentation layer deals with data formatting and encryption. Security measures at this layer include data transformation, compression, and encryption/decryption to ensure data confidentiality and integrity.
Imagine you're speaking to a friend who only understands a special language. You might need to change your words so your friend understands. The Presentation Layer changes the information so that the computers on each side can understand it correctly.
Some potential attacks at this layer:
Code Injection: Inserting malicious code (SQL, XSS, etc.) into data streams to exploit vulnerabilities in applications that process the data.
Data Conversion Attacks: Exploiting vulnerabilities in data conversion processes, leading to data corruption or unauthorised access.
Real-Life Attack: The "Heartbleed" vulnerability in the OpenSSL library (2014) allowed attackers to exploit a flaw in the TLS "heartbeat" extension. This enabled them to steal sensitive data from servers' memory, including private keys and user credentials.
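Heartbleed came down to one missing comparison: the handler trusted the length field inside the heartbeat message instead of checking it against the bytes actually received. This added example (not code from the article or from OpenSSL) builds a simplified heartbeat record with a constructed "adjacent memory" tail, and shows a naive handler beside one that validates the declared length; the record layout is simplified and the sample data is invented.

```python
import struct

HEARTBEAT_REQUEST = 1
PADDING_LEN = 16  # minimum padding the heartbeat extension requires

# Constructed bytes standing in for whatever sits after the record in memory.
SIMULATED_MEMORY_TAIL = b"user=alice;pw=hunter2;cookie=abc123;"


def build_heartbeat(payload, claimed_len=None):
    """Record layout: type(1) | payload_length(2) | payload | padding.
    claimed_len lets a test build a record whose length field lies."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def handle_naive(buffer):
    """Trusts the length field and copies that many bytes from the buffer,
    so a lying length pulls in whatever follows the record (the bug class)."""
    _, length = struct.unpack("!BH", buffer[:3])
    return buffer[3:3 + length]


def validate_heartbeat(record):
    """Return (ok, reason): ok only if the declared payload plus padding fits."""
    if len(record) < 3 + PADDING_LEN:
        return False, "record too short"
    htype, length = struct.unpack("!BH", record[:3])
    if htype != HEARTBEAT_REQUEST:
        return False, "unexpected heartbeat type"
    if 3 + length + PADDING_LEN > len(record):
        return False, "declared payload length exceeds record"
    return True, "ok"


def handle_checked(record):
    """Echoes the payload only after the length check passes."""
    ok, reason = validate_heartbeat(record)
    if not ok:
        raise ValueError(reason)
    _, length = struct.unpack("!BH", record[:3])
    return record[3:3 + length]


if __name__ == "__main__":
    lying = build_heartbeat(b"ping", claimed_len=40)
    print("naive echo:", handle_naive(lying + SIMULATED_MEMORY_TAIL))
    print("checked:", validate_heartbeat(lying))
```

Python slicing cannot read past a bytes object, so the leak is only visible because the tail is glued on; in C the same slice is a memcpy and the tail is the process heap.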
Application Layer (Layer 7)
This is the layer that directly interacts with users and applications. Security measures at the application layer involve implementing authentication, authorization, and access control mechanisms to prevent unauthorised access to applications and data.
This is like the fun game you both want to play on your toy telephone. It's what you're actually doing, like telling a story or sharing pictures. The Application Layer is where different programs and apps work to show you the websites, videos, or messages you want.
Some potential attacks at this layer:
SQL Injection: Inserting malicious SQL queries into user input fields to manipulate or extract data from a database.
Cross-Site Scripting (XSS): Injecting malicious scripts into web pages that are then executed by other users' browsers, potentially compromising their data.
Phishing: Sending fraudulent emails or messages to trick users into revealing sensitive information or performing malicious actions.
Real-Life Attack: In 2013, the Target data breach occurred due to a successful phishing attack. Attackers sent a phishing email to an HVAC contractor, gaining access to Target's network and compromising credit card data of millions of customers.
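The two web attacks above share one root cause: untrusted input is concatenated into code (SQL or HTML) that a parser then executes. This added example, not code from the article, puts a string-built login query next to its parameterised form and adds an output-encoding helper for the XSS case; the in-memory user table and sample values are constructed (passwords are stored in clear only to keep the example short).

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user table (sample data, not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query as a string, so the input is parsed as SQL syntax."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Parameterised query: values travel separately from the SQL text and
    can never change its structure."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def render_comment(author, body):
    """Encodes untrusted text before it lands in HTML, so a stored or
    reflected script tag is shown as text rather than executed."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


if __name__ == "__main__":
    db = make_db()
    tainted = "alice' --"   # closes the quote and comments out the password check
    print("vulnerable:", login_vulnerable(db, tainted, "anything"))
    print("safe:      ", login_safe(db, tainted, "anything"))
    print(render_comment("mallory", "<script>alert(1)</script>"))
```

Detection-wise, a quote followed by a comment sequence in a login parameter is the kind of pattern a WAF or application log review will catch, but the parameterised query is what removes the bug.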
Hopefully you found this useful and understandable. The idea is for you to picture how these layers operate together, sending and retrieving data in the background, with the final result surfacing at Layer 7.