A2.4.3 Describe common network countermeasures. (HL only)
• Content security policies, complex password policies, DDoS mitigation tools, email filtering solutions, encrypted protocols, input validation (filtering, whitelisting), intrusion detection systems (IDS), intrusion prevention systems (IPS), multifactor authentication (MFA), secure socket layer (SSL) certificate, transport layer security (TLS) certificate, update software, VPNs
• The importance of regular security testing and employee training
• Wireless security measures may include media access controllers (MAC), whitelists and blacklists.
Big Idea
Networks are constantly exposed to threats that exploit software flaws, protocol weaknesses and human error. Countermeasures are the defensive controls (technical, procedural and architectural) deployed to prevent, detect and mitigate attacks. No single control is sufficient on its own: a layered security posture combines proactive measures (e.g. hardening, filtering) with reactive tools (e.g. intrusion prevention) and organizational practices (testing, training) so that the failure of one layer does not lead directly to compromise.
1. Policy-Driven Controls
- Content Security Policies (CSPs)
A CSP is sent by the web server as an HTTP response header and enforced by the browser. It declares which origins may supply scripts, styles, frames and other resources for the page. By whitelisting trusted origins and refusing inline scripts and eval(), a CSP limits what an injected script can do, so it reduces the impact of cross-site scripting and data exfiltration. It does not remove the injection flaw itself, which still needs output encoding and input validation.
- Complex Password Policies
Enforcing a minimum length (and, ideally, screening new passwords against lists of breached ones) raises the cost of guessing, and account lockout thresholds or rate limiting slow online brute-force attacks. Forced periodic expiration and strict character-class rules add little real entropy and push users toward predictable patterns, which is why current guidance (NIST SP 800-63B) favors length over complexity. None of these rules stop credential stuffing, where the attacker already holds a valid password reused from another breach; MFA and breached-password screening address that case.
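As an added example (not part of the original notes), the following Python parses a Content-Security-Policy header and answers the question a browser answers for every resource: may this URL be loaded under this directive? The header text, the page origin and the URLs are constructed for illustration, and host matching is simplified (ports and path parts of a source are ignored).

```python
from urllib.parse import urlsplit

# Constructed example header (assumption, not from the page): same-origin by
# default, scripts also from one CDN, no plugins, page may not be framed.
CSP_HEADER = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.com; "
    "object-src 'none'; "
    "frame-ancestors 'none'"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _source_matches(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit loading `url` from a page at `page_origin`?
    Simplified: ports and path parts of host sources are ignored."""
    src = source.lower()
    u = urlsplit(url)
    if src == "*":
        return True
    if src == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin.lower()
    if src.startswith("'"):            # 'none', 'unsafe-inline', nonces, hashes never match a URL
        return False
    if src.endswith(":"):              # scheme source such as "https:"
        return u.scheme + ":" == src
    scheme, _, host = src.rpartition("://")   # host source with optional scheme prefix
    if scheme and scheme != u.scheme:
        return False
    host = host.split("/")[0]
    if host.startswith("*."):          # wildcard requires at least one extra label
        return bool(u.hostname) and u.hostname.endswith(host[1:])
    return u.hostname == host


def allowed(policy: dict[str, list[str]], directive: str, url: str, page_origin: str) -> bool:
    """True if a fetch directive (script-src, img-src, ...) permits `url`.
    Fetch directives fall back to default-src when absent; no policy at all allows everything."""
    sources = policy.get(directive, policy.get("default-src", ["*"]))
    return any(_source_matches(s, url, page_origin) for s in sources)


def inline_allowed(policy: dict[str, list[str]], directive: str = "script-src") -> bool:
    """True if inline code would run: no policy, or 'unsafe-inline' without a nonce/hash
    (browsers ignore 'unsafe-inline' once a nonce or hash source is present)."""
    if directive not in policy and "default-src" not in policy:
        return True
    sources = [s.lower() for s in policy.get(directive, policy.get("default-src", []))]
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash
```

The useful check is the negative one: a script injected into the page that points at an attacker's host is refused by `allowed(...)`, and an injected inline `<script>` is refused by `inline_allowed(...)`, which is exactly how a CSP contains an XSS that slipped past input validation.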
2. Traffic-Filtering and Protocol Hardening
- DDoS Mitigation Tools
Rate limiting, geo-blocking, anycast distribution and scrubbing services detect volumetric or protocol-based floods and divert or discard the malicious traffic before it exhausts bandwidth, connection tables or application workers. A single site cannot absorb a large volumetric flood, so the scrubbing usually happens upstream at the ISP or a cloud provider.
- Email Filtering Solutions
Mail gateways inspect inbound messages for known malware signatures, dangerous attachment types, phishing URLs, spoofed sender domains and anomalous sending patterns, quarantining or rejecting suspicious messages.
- Encrypted Protocols (SSL/TLS Certificates)
HTTPS, SMTPS, SSH and other encrypted channels protect data in transit from eavesdropping and tampering. A TLS certificate issued by a trusted Certificate Authority lets the client authenticate the server it is talking to; the client is normally authenticated separately at the application layer (password, MFA), and authenticating both ends with certificates (mutual TLS) is an optional configuration rather than the default. "SSL certificate" is a legacy term: the SSL protocol versions are deprecated, and the same certificates are used with TLS 1.2 or 1.3.
- Virtual Private Networks (VPNs)
VPNs create encrypted tunnels over public networks, authenticating clients via certificates or pre-shared keys and protecting data in transit from interception or injection. The protection ends at the VPN gateway: traffic is decrypted there, and a compromised client brings its malware inside the network, so VPN access should still be paired with MFA and internal segmentation.
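The rate-limiting step of DDoS mitigation, as an added example (not code from the original notes): a per-client sliding-window limiter that escalates to a temporary ban, run over a constructed traffic sample in which one address floods and another behaves. The addresses, limits and ban duration are assumptions chosen for illustration.

```python
from collections import deque


class SlidingWindowLimiter:
    """Per-client sliding-window rate limit with escalation to a temporary ban.

    At most `limit` requests are accepted per `window` seconds; a client refused
    `ban_after` times is banned for `ban_seconds` (assumed values, not from the page)."""

    def __init__(self, limit: int, window: float, ban_after: int = 10, ban_seconds: float = 60.0):
        self.limit, self.window = limit, window
        self.ban_after, self.ban_seconds = ban_after, ban_seconds
        self._hits: dict[str, deque] = {}          # timestamps of accepted requests
        self._banned_until: dict[str, float] = {}
        self.blocked: dict[str, int] = {}          # refused requests per client

    def _refuse(self, client: str, now: float) -> bool:
        self.blocked[client] = self.blocked.get(client, 0) + 1
        if self.blocked[client] >= self.ban_after and client not in self._banned_until:
            self._banned_until[client] = now + self.ban_seconds
        return False

    def allow(self, client: str, now: float) -> bool:
        """Return True if the request at time `now` should be served."""
        until = self._banned_until.get(client)
        if until is not None:
            if now < until:
                return self._refuse(client, now)
            del self._banned_until[client]
            self.blocked[client] = 0               # ban served; count afresh
        q = self._hits.setdefault(client, deque())
        while q and now - q[0] >= self.window:     # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return self._refuse(client, now)
        q.append(now)
        return True


def simulate(limit: int = 5, window: float = 1.0):
    """Constructed traffic: 203.0.113.7 sends 20 requests in half a second,
    198.51.100.2 sends one every 0.4 s. Returns (accepted per ip, refused per ip, limiter)."""
    limiter = SlidingWindowLimiter(limit, window)
    events = [(i * 0.025, "203.0.113.7") for i in range(20)]       # flood source
    events += [(i * 0.4, "198.51.100.2") for i in range(5)]        # normal client
    accepted: dict[str, int] = {}
    for now, ip in sorted(events):
        if limiter.allow(ip, now):
            accepted[ip] = accepted.get(ip, 0) + 1
    return accepted, dict(limiter.blocked), limiter


if __name__ == "__main__":
    acc, ref, _ = simulate()
    print("accepted:", acc)
    print("refused:", ref)
```

The flooding host gets only its first five requests through and is then refused, and after ten refusals it is banned outright so that later requests are dropped without even being counted against the window; the well-behaved client is never touched. A real deployment keys on more than the source address (which can be spoofed in UDP floods) and applies the limit at the edge, but the logic is the same.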
3. Input Validation and Application-Level Defenses
- Input Validation (Filtering, Whitelisting)
All user-supplied data is validated on the server; client-side checks are a usability aid and are trivially bypassed. Whitelisting the allowed characters, length and pattern is more robust than blacklisting known bad inputs, because attackers find encodings and case variations a blacklist misses. Validation is a defense-in-depth layer rather than the primary fix: SQL injection is prevented by parameterized queries, XSS by output encoding (backed by a CSP), and buffer overflows by bounds checking or memory-safe languages.
- Intrusion Detection Systems (IDS) & Intrusion Prevention Systems (IPS)
- IDS passively monitor a copy of network traffic (or host logs), generating alerts when signatures or anomalies match known attack patterns.
- IPS sit inline and block detected threats in real time, dropping malicious packets or reconfiguring firewalls to prevent exploitation. Because an IPS acts on live traffic, a false positive blocks legitimate users, so its rules are tuned more conservatively than an IDS's.
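The point that whitelisting beats blacklisting, and that validation sits behind a parameterized query rather than replacing it, as an added example (not code from the original notes). The in-memory SQLite table, the username rule and the payloads are constructed for illustration; `lookup_vulnerable` is deliberately written the wrong way.

```python
import re
import sqlite3

# Whitelist for a username: only letters, digits and underscore, 3 to 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")

# A blacklist that looks reasonable but is bypassed by trivial variation.
BLACKLIST = ("' OR ", "--", ";")


def valid_username(value: str) -> bool:
    """Whitelist check: accept only a value that matches the allowed pattern exactly."""
    return USERNAME_RE.fullmatch(value) is not None


def blacklist_passes(value: str) -> bool:
    """Blacklist check: reject only if a known-bad fragment appears verbatim."""
    return not any(bad in value for bad in BLACKLIST)


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table (assumption, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """Deliberately vulnerable: the value is spliced into the SQL text."""
    rows = conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    return sorted(r[0] for r in rows)


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list[str]:
    """Primary defense: a bound parameter is always data, never SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return sorted(r[0] for r in rows)


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list[str]:
    """Defense in depth: whitelist validation first, then the parameterised query."""
    if not valid_username(name):
        raise ValueError("username rejected by input validation")
    return lookup_parameterised(conn, name)
```

Run against the classic `x' OR '1'='1` the vulnerable lookup returns every row, the parameterized one returns nothing, and the hardened one refuses the input before it reaches the database. The lower-case variant `x' oR '1'='1` slips past the blacklist and still dumps the table, while the whitelist rejects it without needing to know what an attack looks like.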
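What a signature-based IDS actually does, as an added example (not code from the original notes): match attack patterns against each request in a web-server access log after URL-decoding it, and raise an anomaly alert when one source fails to log in repeatedly. The log lines, source addresses, rule set and threshold are all constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log sample (not from the page): one host probes the site,
# another fails to log in four times.
SAMPLE_LOG = """\
198.51.100.2 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /..%2F..%2Fetc/passwd HTTP/1.1" 404 0
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 88
198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.2 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.2 - - [10/Oct/2023:13:55:42 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.2 - - [10/Oct/2023:13:55:43 +0000] "POST /login HTTP/1.1" 401 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) \S+$')

# Signature rules applied to the URL-decoded path; decoding first defeats the
# simplest encoding evasions (%27 for a quote, %2F for a slash).
SIGNATURES = [
    ("sql-injection", re.compile(r"'\s*(?:or|and)\b", re.IGNORECASE)),
    ("path-traversal", re.compile(r"(?:^|/)\.\.(?:/|$)")),
    ("xss", re.compile(r"<\s*script", re.IGNORECASE)),
]
BRUTE_FORCE_THRESHOLD = 3   # failed logins from one source before alerting (assumed)


def parse_line(line: str):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, method, path, status = m.groups()
    return {"src": src, "method": method, "path": unquote(path), "status": int(status)}


def analyse(log_text: str) -> list[dict]:
    """Signature matching per request plus a simple anomaly rule on failed logins."""
    alerts: list[dict] = []
    failed_logins: Counter = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, pattern in SIGNATURES:
            if pattern.search(rec["path"]):
                alerts.append({"src": rec["src"], "rule": name, "evidence": rec["path"]})
        if rec["path"].startswith("/login") and rec["status"] == 401:
            failed_logins[rec["src"]] += 1
    for src, n in failed_logins.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            alerts.append({"src": src, "rule": "login-brute-force", "evidence": f"{n} failed logins"})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(f"{alert['src']:<14} {alert['rule']:<18} {alert['evidence']}")
```

An IDS stops at producing these alerts; an IPS would feed the offending source addresses into a firewall rule. The brute-force rule is the anomaly-style part: no single line is malicious, only the count is.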
4. Access Controls and Authentication
- Multi-Factor Authentication (MFA)
By requiring at least two independent factors (something you know: a password; something you have: a hardware token or authenticator app; something you are: biometrics), MFA makes a stolen or guessed password insufficient on its own. Factors differ in strength: SMS codes can be intercepted and one-time codes can be phished in real time, whereas FIDO2/WebAuthn security keys bind the authentication to the genuine site and resist phishing.
- Update Software
Regularly applying patches to operating systems, firmware and applications removes the known vulnerabilities that worms, ransomware and exploit kits rely on; most successful attacks use flaws for which a patch already exists. Patching cannot address a zero-day until the vendor ships a fix, which is why the other layers matter. Automated update management ensures timely, consistent deployment across the network.
5. Organizational Measures
- Regular Security Testing
- Vulnerability Scanning uncovers misconfigurations and missing patches.
- Penetration Testing simulates adversary techniques to validate the effectiveness of controls.
- Employee Training
Security-awareness programs teach staff to recognize phishing, social engineering and unsafe practices, transforming users from potential liabilities into a human-firewall layer.
6. Wireless-Specific Defenses
- Media Access Control (MAC) Filtering
Access points keep a whitelist of approved NIC MAC addresses and drop frames from any other device. MAC addresses are transmitted in the clear in every frame and are trivially changed on the client, so MAC filtering only deters casual connection attempts and must sit alongside WPA2/WPA3 authentication and encryption rather than replace it.
- Whitelists and Blacklists
- Whitelisting permits only known devices to associate with the access point (or, on managed clients, restricts which SSIDs a device may join).
- Blacklisting blocks clients exhibiting rogue or suspicious behavior, such as repeated failed authentication attempts.
By integrating these countermeasures, from technical safeguards like CSPs, IDS/IPS and VPNs to procedural practices like testing and training, network architects establish a defense-in-depth posture in which no single failure is enough for an attacker to succeed, substantially improving resilience against a wide spectrum of threats.