If the physical layer we talked about earlier in this series about OSI layers is the ‘what’ that allows data to travel, the data link layer is the ‘how.’ In the previous piece of this seven-part series on the OSI model, we described the physical layer and what cybersecurity threats could impact it. Remember, the key takeaway on how to protect the physical layer is this: business impact, contingency planning and continuity. NIST Special Publication 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems, is one of your best friends here. Now, let’s take a look at the data link layer.

What Is the Data Link Layer in OSI Layers?

In this part of the OSI seven-layer framework, zeroes and ones travel between physically connected points or, to use the technical term, nodes. For clarification, a wireless connection, such as a computer to a router over Wi-Fi, counts as a physical connection for the purposes of the OSI model.

This part of the OSI model governs how much data is allowed to travel and how long it should take to travel over a given distance. Very importantly, it also watches for errors in data transmission. The data link layer is made up of two sublayers: the Media Access Control (MAC) sublayer, which is tied to a device's unique hardware identifier (its MAC address), and the Logical Link Control (LLC) sublayer, the interface between the device and the network layer, which comes next in the OSI model. Many of the specifications for this part of the OSI layers can be found in the Institute of Electrical and Electronics Engineers (IEEE) 802 Standard for Local and Metropolitan Area Networks. (If you ever wondered why the number 802.11 appears on so many Wi-Fi devices, now you know: it means the device complies with IEEE 802, part 11, the wireless LAN standard.)

Cybersecurity Threats to the Data Link in OSI Layers

The data link layer is where malicious actors can begin to take advantage of the frame, the unit of data transmitted at this part of the OSI layers. Each frame has a header, a body and a trailer. If attackers can view or manipulate these frames, they can compromise your data. This layer can also suffer from overload, degrading performance. The types of attacks you need to be concerned about here are MAC address spoofing, MAC address flooding, virtual local area network (VLAN) circumvention and Address Resolution Protocol (ARP) poisoning.
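Two of the attacks listed above leave measurable traces on the switch: ARP poisoning shows up as one IP address being claimed by more than one MAC, and MAC flooding shows up as an access port suddenly sourcing hundreds of distinct MACs. The following detection logic is an added example, not code from the original article; the "port src_mac [ip]" record format, the port names and every address in it are constructed for illustration, and a real deployment would feed it from a SPAN port, sFlow or switch syslog.

```python
"""Detection checks for two data-link-layer attack indicators:
ARP cache poisoning (one IP claimed by several MACs) and
MAC address flooding (too many distinct source MACs on one port)."""
import re
from collections import defaultdict

# One observation per line: "<switch port> <source MAC> [<IP claimed in an ARP reply>]".
# This format and all values are constructed for the example.
OBS_RE = re.compile(
    r"^(?P<port>\S+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?$",
    re.IGNORECASE,
)

SAMPLE_OBSERVATIONS = [
    "Gi0/1 00:11:22:33:44:01 10.0.0.1",   # the real gateway answers for 10.0.0.1
    "Gi0/2 00:11:22:33:44:02 10.0.0.2",
    "Gi0/3 00:11:22:33:44:03 10.0.0.3",
    "Gi0/3 00:11:22:33:44:03 10.0.0.1",   # host on Gi0/3 also claims the gateway IP
    "Gi0/2 00:11:22:33:44:02",            # plain frame, no ARP payload
] + [
    # 300 distinct source MACs on a single access port: a flooding signature
    f"Gi0/4 02:00:00:00:{i // 256:02x}:{i % 256:02x}" for i in range(300)
]


def parse_observation(line):
    """Split one record into (port, mac, ip-or-None); MACs are normalised to lowercase."""
    match = OBS_RE.match(line.strip())
    if not match:
        raise ValueError(f"unparseable observation: {line!r}")
    return match["port"], match["mac"].lower(), match["ip"]


def detect_arp_conflicts(lines):
    """Return {ip: [mac, ...]} for every IP that more than one MAC has claimed.

    A single stable IP-to-MAC binding is normal; two claimants is the classic
    ARP poisoning symptom (or, more rarely, a duplicate address misconfiguration).
    """
    claims = defaultdict(set)
    for line in lines:
        _port, mac, ip = parse_observation(line)
        if ip:
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def detect_mac_flooding(lines, threshold=50):
    """Return {port: distinct_mac_count} for ports exceeding the threshold.

    An access port serving one host sees a handful of MACs at most; the
    threshold (constructed default of 50) should be tuned per port role.
    """
    seen = defaultdict(set)
    for line in lines:
        port, mac, _ip = parse_observation(line)
        seen[port].add(mac)
    return {port: len(macs) for port, macs in seen.items() if len(macs) > threshold}


if __name__ == "__main__":
    print("ARP conflicts:", detect_arp_conflicts(SAMPLE_OBSERVATIONS))
    print("Flooding ports:", detect_mac_flooding(SAMPLE_OBSERVATIONS))
```

Both checks are stateless over a window of observations, so in practice they are run per collection interval; the ARP check is most useful when the known gateway binding is pinned and any differing claimant for that IP is alerted on immediately.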

Reducing Threats to the Seven Layers of Networking

To reduce vulnerability at this section of the OSI layers, adopt a ‘batten down the hatches’ mentality, where you expect a storm. The best way to prepare for that storm is by limiting control and access wherever possible. There are a few ways to do that.

One of the best ways is encryption. Some protocols may be inherently insecure, so you fill that gap through encryption. If you are unsure of what encryption method is right for you, you cannot go wrong by spending some time reviewing NIST Special Publication 800-175B Revision 1.

Two other simple and effective techniques for securing the data link section of the OSI layers are disabling ports (thereby denying access) and enabling MAC address filtering. If you’re not on the guest list, sorry, you can’t join the party (or network). You also want to prevent virtual LAN (VLAN) hopping, a way an attacker sneaks into the party. This is a more sophisticated way to attack the data link layer, but it still can happen. Misconfigurations and poor VLAN implementation are normally the cause of this vulnerability.

Keeping these techniques in mind will help lock down this layer. In the next piece, we will talk about how to secure the next of the OSI layers, the network layer.
