Cybersecurity Spotlight – Internet Protocol
What it is:
Internet Protocol (IP) is the communication standard used to uniquely identify systems on a computer network or across the internet. Networked systems are each assigned an IP address, which is used to uniquely identify and locate that system for the purpose of data transmission. Data is transmitted between two IP addresses much as physical mail is delivered to your home using your U.S. postal address. When data is sent across a network, it includes a source IP address (the sender address) and a destination IP address (the recipient address), indicating the beginning and ending location for the transmitted data. Two IP versions are currently in use: version 4 (IPv4) and version 6 (IPv6). IPv4 is limited to approximately 4.3 billion unique IP addresses, while IPv6 can support up to approximately 340 undecillion (or 340 trillion-trillion-trillion) unique IP addresses. The IPv6 design was introduced in December 1998 and was ratified in July 2017 to be the principal communication protocol used across the internet. Each IP version is displayed in a different format.
- IPv4 - a 32-bit address represented via four numeric sections ranging from 0 to 255 and separated using periods (e.g., 192.168.255.255)
- IPv6 - a 128-bit address represented via eight hexadecimal sections separated using colons (e.g., 2001:0db8:0000:0042:0000:8a2e:0370:7334)
Why does it matter:
Election offices are most likely to encounter IP addresses in cybersecurity reporting from the EI-ISAC, DHS, and other trusted partners. IP addresses are often the main component included in Indicators of Compromise (IOCs), which are used for network defense, identification, and response to cyber incidents, and to identify who or what is connected to your network or device. Cybersecurity reporting often associates IP addresses with a particular geolocation or source country. However, this information may not indicate the true source of an attack, as Cyber Threat Actors often leverage proxies on infrastructure hosted abroad.
Additionally, as the number of internet-connected devices continues to increase, they will exceed the maximum number of available unique IPv4 addresses, limiting the ability of new and existing network devices to transmit data successfully across the internet. Each server, computer, smartphone, and other internet-connected device requires a unique IP address to successfully connect and communicate across the internet. In response to eventual IPv4 Address Exhaustion, the Internet Engineering Task Force (IETF) designed IPv6 to increase the available unique IP address space for new devices while also making enhancements to the IP. One of these enhancements is a more thorough implementation of IP Security (IPsec). IPsec is used to authenticate and encrypt data during transmission across a network. IPsec is also often used in virtual private network (VPN) configurations. Some of these changes may result in the need for reconfiguration. However, most internet service providers (ISPs), software developers, and hardware manufacturers have implemented the changes using technologies that are transparent to the average user and require no action.
What you can do:
IP addresses play a role in several key cybersecurity mitigations. Election offices are strongly encouraged to implement network logging (e.g., which IP addresses are connecting or attempting to connect to the network), as logs are often the primary mechanism used to identify potentially suspicious or malicious network activity and to aid incident response. IP addresses can also be leveraged to limit (whitelist) which devices can access specific election networks. Election offices should also become accustomed to recognizing IPv6 addresses, as they will increasingly appear in IOCs, network activity logs, and other cybersecurity reports, such as those disseminated via the EI-ISAC.
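The same IPv6 address can be written in full, in shortened form, or as an IPv4-mapped address, so comparing log entries to IOCs as plain text can miss matches. The Python sketch below is an added example, not part of the original EI-ISAC text: it normalizes source addresses from log lines and checks them against an IOC list and an allowlist. The log format (a src= field), the function names, and all addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample data using documentation ranges (RFC 5737, RFC 3849).
IOCS = ["203.0.113.45", "198.51.100.0/24", "2001:0db8:0000:0042:0000:8a2e:0370:7334"]
ALLOWLIST = ["192.0.2.0/24", "2001:db8:1::/48"]
LOG_LINES = [
    "10:00:00 accept src=192.0.2.10 dst=192.0.2.1",
    "10:00:05 deny src=2001:db8:0:42:0:8a2e:370:7334 dst=2001:db8:1::5",
    "10:00:09 deny src=::ffff:203.0.113.45 dst=192.0.2.1",
    "10:00:12 accept src=198.51.100.77 dst=192.0.2.1",
    "10:00:15 accept src=2001:db8:2::99 dst=2001:db8:1::5",
    "10:00:20 deny src=not-an-ip dst=192.0.2.1",
]
SRC_FIELD = re.compile(r"\bsrc=(\S+)")  # assumed log format: key=value fields

def parse_ip(text):
    """Return a canonical address object, or None if text is not an IP."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    # ::ffff:a.b.c.d (IPv4-mapped IPv6) is the same host as a.b.c.d.
    return getattr(addr, "ipv4_mapped", None) or addr

def in_any(addr, networks):
    """True if addr falls inside any network of the same IP version."""
    return any(addr.version == n.version and addr in n for n in networks)

def classify(lines, ioc_entries, allow_entries):
    """Return (canonical source address, verdict) for each log line."""
    # Single addresses become /32 (IPv4) or /128 (IPv6) networks.
    iocs = [ipaddress.ip_network(e, strict=False) for e in ioc_entries]
    allowed = [ipaddress.ip_network(e, strict=False) for e in allow_entries]
    results = []
    for line in lines:
        m = SRC_FIELD.search(line)
        addr = parse_ip(m.group(1)) if m else None
        if addr is None:
            verdict = "unparsed"  # keep for manual review, never drop silently
        elif in_any(addr, iocs):
            verdict = "ioc-match"
        elif in_any(addr, allowed):
            verdict = "allowed"
        else:
            verdict = "not-allowlisted"
        results.append((str(addr) if addr else None, verdict))
    return results

if __name__ == "__main__":
    print(*classify(LOG_LINES, IOCS, ALLOWLIST), sep="\n")
```

The IOC list is checked before the allowlist so that a reported address inside an allowed range is still flagged.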
From a defensive standpoint, unused network functions are often a stepping stone for Cyber Threat Actors seeking to exploit victim networks. If election offices are currently using IPv4 and do not require IPv6 address space, it is recommended that IPv6 functionality be turned off. However, election offices are strongly advised not to disable IPv4 functionality when using IPv6, as IPv4 is still widely used across the internet and is currently capable of working in tandem with IPv6. To quickly determine which IP version your office is currently using, please visit https://www.mymainip.com/ .
The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact firstname.lastname@example.org.